Hi people.
I upgraded vCenter from 5.0 to 5.1 and now I can't log in using Active Directory accounts.
When I try to log in to the Web Client, I get the following error:
When I try to log in to the vSphere Client, I get the following error:
I can log in using the vmware service account and using the admin@system-domain account.
I'm using Windows 2008 R2.
Any help will be appreciated.
Thanks
Same problem.
I had this problem as well, I ended up reverting to pre-upgrade snapshot & database, created a local account on the vCenter server, added to local admins, and granted top-level admin privileges in vCenter. After that, everything seemed to work fine.
What admin group did you specify during the upgrade?
You could try adding the service account to be an SSO admin while logged in as admin@system-domain to the web client, make sure LDAP is set up and working. Then log in to vCenter as the service account and grant permissions to an AD group at the top level.
I don't know if this will work, but if you can log in with the service account and see everything, then you should be able to grant permissions accordingly.
**EDIT**
Adding the service account as an SSO admin is likely not necessary, but will allow you to log in to the web client and edit the SSO setup to get LDAP working if it isn't already. That way you don't have to log out and log back in if you keep only admin@system-domain as the SSO admin.
@cougar694u
Thanks for responding
I checked the LDAP configuration and I think it's all OK.
The LDAP test returns OK:
And I can search Active Directory:
A strange thing: If I try to log in using a wrong password, I get the password error:
If I use the correct password, I get this error (Cannot Parse Group Information):
Based on this, I think the authentication system is working properly.
I set the correct permissions on vCenter:
I just tried adding the vCenter Service Account to the Administrators, LSAdministrator and Regular Users SSO groups.
Any suggestion?
Thanks
We had the same thing. The Single Sign On service just needed to be told where our Active Directory was.
Hope this helps,
Gabe
So this is the only way to be able to use the AD users to log in? Using SSO?
More information about problem...
If I use the option "Use Windows Session Credentials", I can log in to vCenter using the vCenter Client. If I don't use the option, I can't:
Not using the option...
Using the option...
But in the vSphere Web Client, I can't log in:
Not using the option...
Using the option...
Are the local credentials an administrator? Because without SSO configured, only local administrators can log in.
No, it is a Domain Account....
We are having the same issue.
I just upgraded a vCenter 5.0u1 instance to 5.1 and was able to add 2 Active Directory sources (primary user domain and resource domain). After adding our resource-domain groups to the vCenter instance with Administrator permissions and removing the default Administrators group, we are unable to log in. I see this in the vpxd logs:
I discovered the problem...
I have an Active Directory group with backslashes in its name. Ex: aaaaaaa\bbbbbbbb\ccccccc
Our Domain Admins group is a member of this group (aaaaaaa\bbbbbbbb\ccccccc).
In the vpxd log (C:\ProgramData\VMware\VMware VirtualCenter\Logs), I get this error:
2012-09-28T17:23:08.873-03:00 [05296 info '[SSO]' opID=E83C0C4B-00000004-3a] [UserDirectorySso] Authenticate(DOMAIN\user, "not shown")
2012-09-28T17:23:11.998-03:00 [05296 error '[SSO]' opID=E83C0C4B-00000004-3a] [UserDirectorySso] AcquireToken SsoException: Failed to parse Group Identity value: `domain.com\aaaaaaa\bbbbbbbb\ccccccc'; too many/not enough separators
2012-09-28T17:23:11.998-03:00 [05296 error 'authvpxdUser' opID=E83C0C4B-00000004-3a] Failed to authenticate user <DOMAIN\user>
Based on this, I renamed the group, replacing the backslashes with underscores.
After this, I can log in using my admin account in both the vSphere Client and the vSphere Web Client.
Thanks, everyone, for the help...
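A triage sketch for the failure diagnosed in the post above, as an added example that is not part of the original thread or any VMware tooling: it scans vpxd log text for the "Failed to parse Group Identity value" error, joins it to the preceding Authenticate() entry by opID, and reports the offending group. The sample log is constructed from the lines quoted in the thread, and the `domain\group` split and all function names are assumptions.

```python
import re

# Constructed sample, modelled on the vpxd log lines quoted in the thread.
SAMPLE_LOG = r"""
2012-09-28T17:23:08.873-03:00 [05296 info '[SSO]' opID=E83C0C4B-00000004-3a] [UserDirectorySso] Authenticate(DOMAIN\user, "not shown")
2012-09-28T17:23:11.998-03:00 [05296 error '[SSO]' opID=E83C0C4B-00000004-3a] [UserDirectorySso] AcquireToken SsoException: Failed to parse Group Identity value: `domain.com\aaaaaaa\bbbbbbbb\ccccccc'; too many/not enough separators
2012-09-28T17:23:11.998-03:00 [05296 error 'authvpxdUser' opID=E83C0C4B-00000004-3a] Failed to authenticate user <DOMAIN\user>
2012-09-28T17:30:02.100-03:00 [05300 info '[SSO]' opID=AAAA0001-00000007-1b] [UserDirectorySso] Authenticate(DOMAIN\other, "not shown")
"""

OPID = re.compile(r"opID=([0-9A-Za-z-]+)")
AUTH = re.compile(r"Authenticate\(([^,]+),")
PARSE_FAIL = re.compile(r"Failed to parse Group Identity value: `(.+?)';")


def find_group_parse_failures(log_text):
    """Return one record per group-parse failure, joined to its user by opID."""
    user_by_opid = {}
    findings = []
    for line in log_text.splitlines():
        op = OPID.search(line)
        if not op:
            continue
        opid = op.group(1)
        auth = AUTH.search(line)
        if auth:
            # Remember who started this operation so the error can be attributed.
            user_by_opid[opid] = auth.group(1)
            continue
        fail = PARSE_FAIL.search(line)
        if fail:
            # Assumption: the identity is "<domain>\<group name>", as in the thread.
            domain, _, group = fail.group(1).partition("\\")
            findings.append({
                "opid": opid,
                "user": user_by_opid.get(opid, "<unknown>"),
                "domain": domain,
                "group": group,
                # Backslashes inside the group name itself trip the parser.
                "extra_separators": group.count("\\"),
            })
    return findings


if __name__ == "__main__":
    for f in find_group_parse_failures(SAMPLE_LOG):
        print(f"{f['user']}: group {f['group']!r} in {f['domain']} "
              f"has {f['extra_separators']} backslash(es) in its name")
```
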
Wow, I have to say... for the non-enterprise user with a medium sized environment, SSO and this upgrade is a huge pain in the a$$.
Let's develop a feature geared for the enterprise level and give everyone the headache of requiring it.....