VMware Identity Manager – Invalid Suite Token

identity manager invalid suite token error

When redeploying my Horizon lab today, I ran into a strange issue while configuring Identity Manager. I tried to add my Active Directory to Identity Manager (IDM), but got the following error: “Connector communication failed because of invalid data: Invalid token suite”.

Identity manager with invalid suite token error

The lab deployment was pretty straightforward: 1 Connection Server, 1 IDM appliance and a connector. All backend services were already deployed in my lab: Active Directory, DNS, NTP, syslog,…

The following diagram gives you an idea of how the environment works.

Explanation of the diagram:
I deployed a single IDM appliance with an embedded PostgreSQL database and used a single connector for outbound connections to the “on-prem” backend services. The connector is used to connect IDM with the Horizon RDSH environment, which is just a single Connection Server with 1 RDSH desktop pool containing a single RDSH host, to keep things simple and low maintenance.

When a user requests a desktop, all traffic is proxied through a Unified Access Gateway. I could also have used the internal gateways of the Connection Server, but I am trying to stay as close as possible to a real production implementation.

Troubleshooting:
Unable to add my Active Directory to Identity Manager, I checked the state of the connector under Identity & Access Management/setup/connectors and on the connector's details page.

The connector showed a green status, but when I opened its “auth adapter” tab I received a communication error: “Failed to parse the response received from connector”.

identity manager failed parse response

Therefore, I checked whether my connector could still communicate with my domain and with the IDM appliance. It could: I was able to RDP, ping and SSH to and from the connector.

Solution:

After some investigation, I wanted to make sure all my NTP settings were configured correctly and that every component was in sync with the others. Here I found that the IDM appliance was out of sync by just a couple of minutes, because it was taking its time from the ESXi host instead of from the NTP server. A clock that is minutes off is enough for the appliance and the connector to disagree on whether a token is still valid.

The ESXi host was configured to use the NTP server, but it had not synchronised correctly when it booted. Restarting the NTP service from the UI forced a resync with the NTP server.

Identity manager NTP issue

To make sure this won’t happen again, I changed the IDM appliance's time source setting to NTP.
I then tried adding my Active Directory to Identity Manager once more. Success! It was added without any issues.

Identity manager success add directory
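As an added example (not from the original post), the following Python script performs the check that resolved this issue: it reads the NTP server's time with a minimal SNTP exchange and flags any host whose clock drifts from that reference beyond a tolerance. The hostnames, the constructed `readings` and the 60-second tolerance are assumptions, not values from the post.

```python
import socket
import struct
import time

# Seconds between the NTP epoch (1900-01-01) and the Unix epoch (1970-01-01).
NTP_EPOCH_DELTA = 2208988800
# Assumed tolerance: the post's appliance was "a couple of minutes" out and that
# already broke token validation, so anything beyond 60 s is reported.
TOLERANCE_SECONDS = 60.0


def build_sntp_request() -> bytes:
    """48-byte SNTP client request: LI=0, version 4, mode 3 (client), rest zero."""
    pkt = bytearray(48)
    pkt[0] = 0x23
    return bytes(pkt)


def parse_transmit_time(pkt: bytes) -> float:
    """Server transmit timestamp (bytes 40..47, 32.32 fixed point) as Unix seconds."""
    if len(pkt) < 48:
        raise ValueError("short SNTP packet")
    secs, frac = struct.unpack("!II", pkt[40:48])
    return secs - NTP_EPOCH_DELTA + frac / 2**32


def query_ntp_offset(server: str, timeout: float = 2.0) -> float:
    """Offset of the NTP server relative to this machine (server minus local), in s."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sent_at = time.time()
        sock.sendto(build_sntp_request(), (server, 123))
        data, _ = sock.recvfrom(48)
        received_at = time.time()
    # Assume symmetric network delay: server time maps to the round-trip midpoint.
    return parse_transmit_time(data) - (sent_at + received_at) / 2


def skew_report(readings: dict, reference: float, tolerance: float = TOLERANCE_SECONDS) -> dict:
    """Compare per-host clock readings (host -> Unix seconds, captured at the same
    moment, e.g. `date +%s` over SSH) against a reference; return hosts outside tolerance."""
    drifted = {}
    for host, clock in readings.items():
        offset = clock - reference
        if abs(offset) > tolerance:
            drifted[host] = round(offset, 1)
    return drifted


if __name__ == "__main__":
    # Constructed sample (assumed hostnames): the IDM appliance is 3 minutes behind.
    ref = 1_700_000_000.0
    sample = {"idm.lab.local": ref - 180, "connector.lab.local": ref + 2, "esxi.lab.local": ref + 1}
    print(skew_report(sample, ref))
```

In a live check, pass `time.time() + query_ntp_offset("ntp.lab.local")` as the reference so every host is compared against the NTP server rather than against the machine running the script.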

Conclusion:

Even with an Identity Manager “proof of concept” deployment, it is crucial to have all prerequisites in place, such as DNS, NTP, Active Directory,…
Link to the list of requirements for Identity Manager 19.03.

If not, you will see some pretty strange errors in Identity Manager, as I did with the “invalid suite token” error. I hope you learned something from this small post; I definitely did! Make sure your backend services are available and configured correctly, even in a homelab setup.

Interested in getting your VCAP-DTM Design certificate? Check out my study guide blog series:
VCAP7-DTM Design study guide – part 1
