vRealize Automation (vRA) – 401 – Unauthorized: Access is denied due to invalid credentials.

Hello World! It’s been a while (okay maybe more than a while) since I have had some time to post, but stumbled upon an issue today I thought I would share.

I made a few configuration changes while troubleshooting why the built-in vRealize Orchestrator service was no longer accessible from my vRA environment. After making said changes, the ‘Infrastructure’ tab was no longer accessible. Even users with the correct permissions in vRA would receive the following message:

“401 – Unauthorized: Access is denied due to invalid credentials.”


I found various resolutions for similar issues that showed the same symptoms, but none that resolved my issue.

What I did notice was a handful of posts related to IIS in general. IIS is hosted on the IAAS server, which is the component accessed by the Infrastructure tab in vRA. Having already validated Active Directory permissions, account lockouts, and services were all good, I remembered one of the configuration changes I made the day before.

Heads Up – Updating vRA certificates breaks stuff…


A quick search for the vRA certificate replacement process revealed the answer.

Update the vRA certificate on the IAAS Server

Here are the steps from the procedure to update the certificate on the IAAS Server

NOTE: These steps need to be performed on the IAAS server.

  1. Navigate to the following directory:

‘C:\Program Files (x86)\VMware\vCAC\Server\Model Manager Data\Cafe’

  1. Run the following command to update the vRA certificate for the IAAS server:

‘vcac-config.exe UpdateServerCertificates -d vCAC -s servername –v’

Where ‘vCAC’ is the name of the vCAC database (vCAC by default), and servername is the name of the SQL database hosting the vCAC database.

e.g: ‘vcac-config.exe UpdateServerCertificates -d vCAC -s uber-sql2012-01.valcolabs.lab –v’

  1. From the command prompt, type: ‘IISReset’


The certificate dependencies for the vRA components can be found here.

Here is the link to process in VMware’s Documentation Center

Here is the procedure for updating the Identity Appliance if you aren’t using embedded SSO.

Hope that helps!

Comments 2

  1. Easy Solution is that Login to vRA.domain.com:5480 via root account and go to vRA Settings > Host Settings and Click on “Reinitiate Trust”.

Leave a Reply

Your email address will not be published. Required fields are marked *