VMware Cloud Community
AnizioAlmeida
Contributor

vCenter 5.0 to 5.1 Upgrade Issue

Hi people.

I upgraded vCenter from 5.0 to 5.1 and now I can't log in using Active Directory accounts.

When I try to log in to the Web Client, I get the following error:

Image 1.png

When I try to log in to the vSphere Client, I get the following error:

Image 2.png

I can log in using the vmware service account and using the admin@system-domain account.

I'm using Windows 2008 R2.

Any help will be appreciated.

Thanks

11 Replies
Ken_Mc
Contributor

Same problem.

cougar694u
Enthusiast

I had this problem as well. I ended up reverting to the pre-upgrade snapshot & database, created a local account on the vCenter server, added it to local admins, and granted top-level admin privileges in vCenter. After that, everything seemed to work fine.

What admin group did you specify during the upgrade?

You could try adding the service account to be an SSO admin while logged in as admin@system-domain to the web client, and make sure LDAP is set up and working. Then log in to vCenter as the service account and grant permissions to an AD group at the top level.

I don't know if this will work, but if you can log in with the service account and see everything, then you should be able to grant permissions accordingly.

**EDIT**
Adding the service account as an SSO admin is likely not necessary, but will allow you to log in to the web client and edit the SSO setup to get LDAP working if it isn't already. That way you don't have to log out and log back in if you keep only admin@system-domain as the SSO admin.

~Luke http://thephuck.com

KenySchmeling
Contributor

@cougar694u

Thanks for responding

I checked the LDAP configuration and I think it's all OK.

The LDAP test returns OK:

Image 3.png

And I can search Active Directory:

Image 5.png

A strange thing: if I try to log in using a wrong password, I get the password error:

Image 6.png

If I use the correct password, I get this error (Cannot Parse Group Information):

Image 1.png

Based on this, I think the authentication system is working properly.

I set the correct permissions on vCenter:

Image 7.png

I just tried to add the vCenter Service Account to the Administrators, LSAdministrator and Regular Users SSO groups.

Any suggestion?

Thanks

snorgy
Contributor

We had the same thing. The Single Sign On service just needed to be told where our Active Directory was.

  • Log in to the web client as the admin@system-domain account you created at update time.
  • Click the Administration left-pane item.
  • Under Sign-On and Discovery, click Configuration.
  • In the top-center pane, click the green plus to add another Identity Source.
  • In the resulting dialog, you'll enter the usual info for other services that query AD.
  • Once successfully added, you'll see your AD in that top-center pane.
  • Now just select the AD entry, and click the icon with a blue arrow pointing to a planet.
  • It's now in Default Domains, and your AD credentials ought to be accepted when you log in.

Hope this helps,

Gabe

kopper27
Hot Shot

So this is the only way to be able to use the AD users to log in? Using SSO?

KenySchmeling
Contributor

More information about the problem...

If I use the option "Use Windows Session Credentials", I can log in to vCenter using vCenter Client. If I don't use the option, I can't:

Not using the option...

Image 8.png

Using the option...

Image 9.png

But in vSphere Web Client, I can't log in:

Not using the option...

Image 10.png

Using the option...

Image 11.png

kopper27
Hot Shot

Is the local credentials administrator? Because without SSO configured only local administrators can log in.

KenySchmeling
Contributor

No, it is a Domain Account....

VMWareAdministr
Contributor

We are having the same issue.

I just upgraded a vCenter 5.0u1 instance to 5.1 and was able to add 2 Active Directory sources (primary user domain and resource domain). After adding our resource-domain groups to the vCenter instance with Administrator permissions and removing the default Administrators group, we are unable to log in. I see this in the vpxd logs:

2012-09-28T15:42:32.477-04:00 [04944 info '[SSO]'] [UserDirectorySso] GetUserInfo(<Our Resource Domain>\VM-NA-Administrators, true)
2012-09-28T15:42:32.527-04:00 [04944 info '[SSO][SsoAdminFacadeImpl]'] [GetDomains]
2012-09-28T15:42:32.528-04:00 [04944 info '[SSO][SsoAdminFacadeImpl]'] [LazyInitAdmin] Initializing
2012-09-28T15:42:32.529-04:00 [04944 info '[SSO][SsoAdminFacadeImpl]'] [InitSsoAdminServices]
2012-09-28T15:42:32.530-04:00 [04944 info '[SSO][SsoAdminFacadeImpl]'] [CreateAdminSsoServiceContent] Try to connect to SSO Admin server.
2012-09-28T15:42:37.701-04:00 [04944 info '[SSO][SsoAdminFacadeImpl]'] [InitSsoAdminServices] successful.
2012-09-28T15:42:38.591-04:00 [04944 info '[SSO][SsoAdminFacadeImpl]'] [LoginToAdmin]
2012-09-28T15:42:39.515-04:00 [04868 warning 'VpxProfiler' opID=SWI-b4b0558b] VpxUtil_InvokeWithOpId [TotalTime] took 12001 ms
2012-09-28T15:42:39.591-04:00 [04944 info '[SSO][SsoAdminFacadeImpl]'] [CheckTokenValidity]
2012-09-28T15:42:40.091-04:00 [04944 info '[SSO][SsoAdminFacadeImpl]'] [CheckTokenValidity] Refreshing SSO token ...
2012-09-28T15:42:41.091-04:00 [04944 info '[SSO][SsoAdminFacadeImpl]'] [RefreshSsoToken]
2012-09-28T15:42:42.059-04:00 [05160 info 'Default'] Thread attached
2012-09-28T15:42:42.091-04:00 [05164 info 'Default'] Thread attached
2012-09-28T15:42:45.097-04:00 [04944 info '[SSO][SsoAdminFacadeImpl]'] [RefreshSsoToken] The VC HOK token has been successfully refreshed.
2012-09-28T15:42:46.140-04:00 [04052 warning 'Default'] Closing Response processing in unexpected state: 3
2012-09-28T15:42:46.261-04:00 [04944 info '[SSO][SsoAdminFacadeImpl]'] [LoginToAdmin] Successfully logged.
2012-09-28T15:42:47.311-04:00 [04944 info '[SSO][SsoAdminFacadeImpl]'] [FindGroup]
2012-09-28T15:42:48.620-04:00 [04944 info '[SSO]'] [UserDirectorySso] GetUserInfo(<Our Resource Domain>\VM-NA-Administrators, true) res: <Our Resource Domain>\VM-NA-Administrators
2012-09-28T15:42:49.120-04:00 [04944 info '[SSO]'] [UserDirectorySso] GetUserInfo(<Our Resource Domain>\VM-Global-Administrators, true)
2012-09-28T15:42:49.621-04:00 [04944 info '[SSO][SsoAdminFacadeImpl]'] [FindGroup]
2012-09-28T15:42:50.171-04:00 [04944 info '[SSO]'] [UserDirectorySso] GetUserInfo(<Our Resource Domain>\VM-Global-Administrators, true) res: <Our Resource Domain>\VM-Global-Administrators
2012-09-28T15:42:50.672-04:00 [04944 info '[SSO]'] [UserDirectorySso] GetUserInfo(<Our Resource Domain>\VM-ReadOnly, true)
2012-09-28T15:42:51.174-04:00 [04944 info '[SSO][SsoAdminFacadeImpl]'] [FindGroup]
2012-09-28T15:42:51.521-04:00 [04024 warning 'VpxProfiler' opID=SWI-db85f807] VpxUtil_InvokeWithOpId [TotalTime] took 12001 ms
2012-09-28T15:42:51.718-04:00 [04944 info '[SSO]'] [UserDirectorySso] GetUserInfo(<Our Resource Domain>\VM-ReadOnly, true) res: <Our Resource Domain>\VM-ReadOnly
2012-09-28T15:42:52.730-04:00 [04944 warning 'VpxProfiler'] Vpxd::ServerApp::Start [VpxdAuthorize::Start()] took 20529 ms
2012-09-28T15:42:54.255-04:00 [04944 warning 'VpxProfiler'] Vpxd::ServerApp::Start [AuthManagerMo::Start()] took 1020 ms
2012-09-28T15:42:55.931-04:00 [04944 warning 'VpxProfiler'] Vpxd::ServerApp::Start [ExtensionManagerMo::Start()] took 1171 ms
2012-09-28T15:42:56.285-04:00 [04944 info 'vpxdvpxdInvtHostCnx'] [Startup] Connecting to 1970 hosts in parallel.

KenySchmeling
Contributor

I discovered the problem...

I have an Active Directory group with a backslash in its name. Ex: aaaaaaa\bbbbbbbb\ccccccc

Our Domain Admins group is a member of this group (aaaaaaa\bbbbbbbb\ccccccc).

In the vpxd log (C:\ProgramData\VMware\VMware VirtualCenter\Logs), I get this error:

2012-09-28T17:23:08.873-03:00 [05296 info '[SSO]' opID=E83C0C4B-00000004-3a] [UserDirectorySso] Authenticate(DOMAIN\user, "not shown")

2012-09-28T17:23:11.998-03:00 [05296 error '[SSO]' opID=E83C0C4B-00000004-3a] [UserDirectorySso] AcquireToken SsoException: Failed to parse Group Identity value: `domain.com\aaaaaaa\bbbbbbbb\ccccccc'; too many/not enough separators
2012-09-28T17:23:11.998-03:00 [05296 error 'authvpxdUser' opID=E83C0C4B-00000004-3a] Failed to authenticate user <DOMAIN\user>

Based on this, I renamed the group, replacing the backslash with an underline.

After this, I can log in using my admin account in both vSphere Client and vSphere Web Client.

Thanks everyone for the help...

parkerv
Enthusiast

Wow, I have to say... for the non-enterprise user with a medium sized environment, SSO and this upgrade is a huge pain in the a$$.

Let's develop a feature geared for the enterprise level and give everyone the headache of requiring it.....