VMware Cloud Community
Hryundel
Contributor

vCSA 5.5 unable to authenticate users from parent domain in Active Directory

Hello!

We have a vCSA 5.5 integrated into our Child.DOMAIN.COM subdomain in the corporate
Active Directory. The identity source is set as "Active Directory (Integrated Windows Authentication)"
with the "Use machine account" option. Users from our child domain have no problem with access
to vSphere. We can list users and groups from the parent DOMAIN.COM domain and assign
permissions to them. But users from the parent domain can't be authenticated by the vCSA. Only
the "Provided credentials are not valid" message is raised. It doesn't matter which login form
is used: "DOMAIN\Username" or "Username@DOMAIN.COM".
In vmware-sts-idmd.log there are messages like:
INFO   [IdentityManager] Authentication failed for user [Username@DOMAIN] in tenant [vsphere.local] in [315] milliseconds

We have VMware support from the HP Company side, but they say "it's not a problem of the software" and
declined to open a case. One possible recipe is to join the vCSA to the parent domain, but that is impossible
in our case.

Does anybody else use vCSA 5.5 to organise cross-domain user authentication?

Best Regards.

RyanH84
Expert

I've never done this specifically but it should work from my understanding. From what you have said it's a simple parent-child domains setup, which is bi-directionally transitive in trust relationship; so I'm just offering you my thought process, hope it helps!


You said you can't join the vCSA to the parent domain as it is impossible, but what about adding the parent domain in as an extra identity source and configuring a service account in that domain to use to authenticate with? You don't have to "Join it" to the domain as such, just configure AD access via LDAP?


I'm thinking something like this?

Regards, Ryan (vExpert, VCP5, VCAP5-DCA, MCITP, VCE-CIAE, NPP4) @vRyanH http://vRyan.co.uk
Hryundel
Contributor

We had tried to create one more Identity Source as "Active Directory as a LDAP Server"
for the parent DOMAIN, but each time we caught only the short error message "Referral".

But now we have found a strange workaround. We use port 3268 (Global Catalog) in the Primary
and Secondary server URLs. We don't know why, but it's working. The parent DOMAIN
is now listed twice in the list of domains during permission assignment, but authentication works.

But now we can't understand why this scheme works with 3268 but not with the default LDAP port.

Looks like we will stay with this combination for a while.

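The behaviour the thread ends on (a "Referral" on the default LDAP port, success on the Global Catalog port 3268) can be modelled from the directory's naming contexts: a child-domain DC on port 389 only holds its own domain partition, so a search rooted in the parent domain's DN is answered with an LDAP referral (result code 10) that the vCSA LDAP identity source does not chase, whereas the Global Catalog holds a partial, read-only replica of every domain in the forest and can answer the same search itself. The following is an added example, not code from the thread or from VMware; the naming contexts, host names and the referral URI are constructed sample values.

```python
# Added example: model which LDAP endpoint can answer a search for a parent-domain
# user from a vCSA joined to a child domain, and turn a referral into a GC endpoint.
# All directory data below is constructed sample data, not taken from a live forest.
from urllib.parse import unquote, urlsplit

LDAP_PORT, GC_PORT = 389, 3268


def _norm(dn: str) -> str:
    """Normalise a DN for case- and whitespace-insensitive comparison."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def holds_dn(naming_contexts, base_dn: str) -> bool:
    """True if base_dn lies inside one of the server's RootDSE namingContexts."""
    b = _norm(base_dn)
    return any(b == _norm(c) or b.endswith("," + _norm(c)) for c in naming_contexts)


def predict_search(port: int, naming_contexts, forest_contexts, base_dn: str) -> str:
    """Return 'answered' or 'referral' for a search rooted at base_dn.

    naming_contexts: partitions this DC replicates fully (its own domain).
    forest_contexts: every domain partition in the forest; the Global Catalog
    holds all of them as a partial attribute set, so on port 3268 the search
    is answered locally instead of being referred to the owning domain."""
    if holds_dn(naming_contexts, base_dn):
        return "answered"
    if port == GC_PORT and holds_dn(forest_contexts, base_dn):
        return "answered"
    return "referral"


def referral_to_gc(referral_uri: str, gc_host: str):
    """Rewrite an AD referral such as ldap://DOMAIN.COM/DC=DOMAIN,DC=COM into the
    (GC URL, base DN) pair a client that does not chase referrals could use."""
    parts = urlsplit(referral_uri)
    base_dn = unquote(parts.path.lstrip("/"))
    return f"ldap://{gc_host}:{GC_PORT}", base_dn


# Constructed sample: vCSA joined to CHILD.DOMAIN.COM asks a child DC about a parent user.
CHILD_NC = ("DC=Child,DC=DOMAIN,DC=COM",)
FOREST_NCS = ("DC=Child,DC=DOMAIN,DC=COM", "DC=DOMAIN,DC=COM")
PARENT_USER = "CN=Username,CN=Users,DC=DOMAIN,DC=COM"

if __name__ == "__main__":
    print(predict_search(LDAP_PORT, CHILD_NC, FOREST_NCS, PARENT_USER))  # referral
    print(predict_search(GC_PORT, CHILD_NC, FOREST_NCS, PARENT_USER))    # answered
    print(referral_to_gc("ldap://DOMAIN.COM/DC=DOMAIN,DC=COM", "dc1.child.domain.com"))
```

Two caveats follow from the model: the GC returns only the partial attribute set, so an identity source pointed at 3268 may miss attributes that a domain DC on 389 would return, and a GC search rooted at the forest root also returns child-domain objects, which is one reason a domain can appear twice in the permission-assignment list.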