Solved: Re: vCenter Permissions: AD User Groups fail but i...

RealQuiet · ‎11-01-2019

Running into an issue with my fresh vCenter 6.7 install. This is probably familiar to some of you out there so I hope you have a resolution that I can use.

Unable to login because you do not have permissions on any vCenter Server systems connected to this client.

vCenter is joined to the domain and it can resolve the user objects and user groups from AD. If I add a User Group (which I am a part of) at any level (nested in vSphere.local\Administrators, global permissions, or vCenter root) I cannot log in. However, if I add my user account to global permissions or vCenter root then it works. Nesting under vSphere.local\Administrators is not working for groups or users.

AD Group
Nested under Administrators = FAIL

Global Permissions = FAIL

vCenter (any level) = FAIL

AD User

Nested under Administrator = FAIL

Global Permissions = PASS

vCenter (any level) = PASS

Also, I redeployed vCenter from scratch and the first thing I did was rejoin it to AD (after resetting AD object) and tried this. Same issue.

For auditing reasons, management of permissions, user groups are preferred. Any help would be appreciated. For now I am just adding the team's user accounts to the vCenter root with the Administrator role.

Vijay2027 · ‎11-02-2019

I've seen such issues before.

Usually adding Identity Source as "AD as an LDAP server" helps. Let me know if this helps.

Please mark my comment as the Correct Answer if this solution resolved your problem

View solution in original post

Vijay2027 · ‎11-02-2019

I've seen such issues before.

Usually adding Identity Source as "AD as an LDAP server" helps. Let me know if this helps.

Please mark my comment as the Correct Answer if this solution resolved your problem

RealQuiet · ‎11-02-2019

During my research I also ran across forum postings saying that using LDAP would work. It is just frustrating because we have 5 other VCSAs that do no have this problem. This particular VCSA resides in the same subnet as the DC that it would be communicating with, so there are no firewalls causing issues.

If I cannot find a solution by Tuesday, then I will try the LDAP solution. Not ideal, as it would be configured differently than the rest of the environment.

RajeevVCP4 · ‎11-02-2019

just try one more time disjoin vcsa from domain and re added ( reboot required) , check domain and vcsa time synchronization ,

Rajeev Chauhan
VCIX-DCV6.5/VSAN/VXRAIL
Please mark help full or correct if my answer is use full for you

Vijay2027 · ‎11-06-2019

Did you get IWA working or had to use "AD as an LDAP server"

RealQuiet · ‎11-07-2019

Tried the dis-join and rejoin. Did it using the GUI then shell. Same result.

Went through the hassle and set up the LDAP and it works. No victory for me, now I need to document this as it is different from all the other VCSAs in the environment.

So it works, I am just not happy about the implementation.

The answer is if user groups do not work using AD Integration then use LDAP.

Sajir · ‎11-27-2020

Adding LDAP Identity source is a workaround for AD login related issues with IWA.

IWA requires to match few parameters like fqdn of the vCenter should be matching the Identity Source, Domain Functional Level Support, Kerberos and SMB support, Dependency on DNS Server/s etc.

Also, there are known issues with Likewise on some of the vCnter 6.7/7.0 versions - https://kb.vmware.com/s/article/79649

If you contact VMware Support, you can get all these required parameters verified and get the IWA worked.

LDAPS is the future of Identity Sources and ADFS is another on vCenter 7.0 onwards. Also, please be aware that IWA is deprecated on vCenter 7.0.

Note: I'm replying this old thread is because this info might help considering LDAPS as your Identity source unless you have ADFS in your environment (For small to medium organizations).

All

vCenter Permissions: AD User Groups fail but individual users work