vRA installation failure caused by .NET trust levels in IIS

I've been meaning to post this for about a year. I'm doing it now just in case it's still relevant and useful for anyone.

I was working with a customer getting a vRA (7.3.1) PoC environment deployed for them so that they could run some penetration tests against it. For those tests to be fully representative, they understandably wanted to use their standard VM templates for the Windows-based IaaS components of vRA.

One of these templates configured IIS as part of the standard installation. Going through the vRA deployment process (not with LCM, but manually) a problem was encountered that took some time to get past. The pre-requisite checker ran through ok and the configuration (including certificates) were configured correctly, but when it came to the actual installation it failed at the Model Manager.

The output from the installation process was as follows:

Installing vCAC Server Custom Setup files on the disk
Executing:"C:\Users\user\AppData\Local\Temp\VMware\vCAC\\vCAC-Server-Setup.exe" /s /w /V"/qn ADDLOCAL=Website,ModelManagerWeb,ModelManagerData INSTALLDIR=\"C:\Program Files (x86)\VMware\vCAC\\Server\" /Lpassword \"C:\Program Files (x86)\VMware\vCAC\InstallLogs-2018date\Server-Setup.log""
vCAC Server Custom Setup Installation Succeeded, ExitCode:0
Execution time:00:28.430
Configuring vCAC IaaS core components:
- Model Manager Web Service
- Model Manager Data
- Administration Portal Website
Executing:"C:\Program Files (x86)\VMware\vCAC\Server\ConfigTool\\vCAC-Config.exe" /S "/P:C:\Users\user\AppData\Local\Temp\VMware\vCAC\\ConfigToolProperties.vCAC-Server-Web-ModelManagerData-ConfigTool.xml" "/L:C:\Program Files (x86)\VMware\vCAC\InstallLogs-2018date\vCAC-Config.log"
Running vCloud Automation Software Configuration Wizard in silent mode.
The following vRealize Automation features have been installed and selected for configuration:
Model Manager Web configuration is complete.
Model Manager Data configuration failed.
vCAC-Server-Custom-Web-ConfigTool Installation Failed, ExitCode:1
Error configuring vRealize Automation Server. For more information, refer to vCAC-Config.log after collecting the IaaS logs.
Execution time:00:16.246

Looking at the MetaModel service with a browser:

Repository connectivity validation failed. Trusted connectivity validation failed for address "https://iaasweb-fqdn/repository/Data/MetaModel.svc": The call to "https://iaasweb-fqdn/repository/Data/MetaModel.svc" failed with status code: InternalServerError (500).

StatusCode: 500, ReasonPhrase: 'Internal Server Error', Version: 1.1, Content: System.Net.Http.StreamContent, Headers:

    Cache-Control: private
    Date: xxxx GMT
    Server: Microsoft-IIS/10.0
    X-AspNet-Version: 4.0.30319
    Content-Length: 3430
    Content-Type: text/html; charset=utf-8

Several retries later (make sure to take snapshots) I discovered that there was an IIS setting that the customer was setting that was preventing the Model Manager from running correctly. In the IIS Manager, it's called “.NET Trust Levels”.

The default setting if you install IIS from the Windows Server Manager dashboard is “Full (Internal)”. The customer's IIS build set this as Minimal or Low (I've forgotten which).

The thing to note though was that the vRA installation pre-requisite checker didn't pick it up. So if you hit a similar issue, check the IIS settings carefully.