VMware Cloud Community
NJKwork
Enthusiast

How do I add users to be able to log in and use Orchestrator?

I am confused about how to add additional users to log in to the VCO client. I am using the latest VCO appliance from VMware, vCenter 5.5b and have a working SSO setup and configured for VCO to use. Do I add users in the SSO admin console in vCenter, or do I log in to the VCO client and add them there? I tried the latter...I added a domain group and gave it all rights except ADMIN, but still no one in that group can log in. I then read something about setting up "Authorizations", so I set up one using the same AD group, but it still does not work. I then read a forum posting that Authorizations are no longer needed/used (but still are available to set up in the interface ???) - so I am totally confused.

I am able to log in as myself - I am assuming that is because when I set up VCO, I used a group I am in for the "VCO Admins" setting.

One other thing - in the area where I added the group, I could not browse user accounts - only groups in our AD domain. Is that supposed to be like that? Only allow groups? Where I went was the home page, permissions tab, and clicked the "Add access rights..." button. It brings up a browser window and I can see all our AD groups - but no users. I added a group and then had a test user try to log in but it tells them they are not authorized (002 error).

Any help is appreciated.

NK

Accepted Solutions
NJKwork
Enthusiast

The only way I could get this to work is to create a new group and assign that group to the "VCO Admins" setting in the Orchestrator Configuration "Authentication" screen and then reboot the appliance. Any user in that group can log in - but obviously they now have Admin rights too across the board. No matter what I tried in the Java Orchestrator client "Permissions" section, I could not get any user in a group I added to the permissions to be able to log in. So I guess it is FULL admin or nothing with this tool in our environment.

iiliev
VMware Employee

On your last question - yes, access rights are assigned per group, not per user.

Setting up Authorizations is not needed.

In the vCO web configurator UI there is an option to test user login. What happens if you try a test login with a non-admin user? Are you sure this non-admin user is valid; for example, are you able to log in to vSphere Web client with this user?

Also, could you check vCO logs for errors/exception stack traces?

NJKwork
Enthusiast

Thanks for the response. Yes the user is valid. I had an actual user in that group try to log in, and it fails. Then I created a test user account in our domain, added it to the group and tried to log in as that test user and it fails too.

I went into the VCO Configuration tool as "vmware" and went to the "Authentication" section. I clicked on "Test Login". I put in the credentials of the test user I set up and it tells me "User logged in successfully". I then go back to the VCO Client (Java) application and try to log in with that same account, and it tells me: "[002] 'MyDomain\MyTestUser' is not authorized!"

Thanks,

NK

NJKwork
Enthusiast

Edited IP addresses and user names for security reasons...

2014-02-21 21:52:57.337+0000 [http-bio-x.x.x.x-8281-exec-115] ERROR {} [DefaultVerifier] User LDAP-USER-['MyTestUser'] - MyDomain\MyTestUser doesn't have necessary rights 'View', required to execute operation on (VSOServer, _ROOT).

2014-02-21 21:52:57.338+0000 [http-bio-x.x.x.x-8281-exec-115] ERROR {} [VcoFactoryServiceFacadeProxy] ch.dunes.util.NotAuthorizedException: [0002]User 'MyDomain\MyTestUser' is not authorized!

How do I give my test user account "View" permissions?  I have added that group to the "Permissions" tab in the VCO client and verified the user is in the group.  The group has all permissions checked - even ADMIN now.

Thanks

NK
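
Added example, not part of the original posts or of VMware's tooling: a small Python parser for the two log lines quoted above that reports, per user, which right on which object the server found missing and how many logins were refused. The log text is a constructed sample in the same format, and the regexes are assumptions based only on those two lines.

```python
import re
from collections import defaultdict

# Constructed sample: the two ERROR lines quoted in the post (same redactions)
# plus one unrelated line with a made-up logger name.
SAMPLE_LOG = """\
2014-02-21 21:52:57.337+0000 [http-bio-x.x.x.x-8281-exec-115] ERROR {} [DefaultVerifier] User LDAP-USER-['MyTestUser'] - MyDomain\\MyTestUser doesn't have necessary rights 'View', required to execute operation on (VSOServer, _ROOT).
2014-02-21 21:52:57.338+0000 [http-bio-x.x.x.x-8281-exec-115] ERROR {} [VcoFactoryServiceFacadeProxy] ch.dunes.util.NotAuthorizedException: [0002]User 'MyDomain\\MyTestUser' is not authorized!
2014-02-21 21:53:10.101+0000 [http-bio-x.x.x.x-8281-exec-116] INFO {} [SomeComponent] unrelated constructed line
"""

# Assumed line layout: timestamp, [thread], LEVEL, {}, [logger], message.
LINE = re.compile(
    r"^(?P<ts>\S+ \S+) \[[^\]]+\] (?P<level>\w+) \{[^}]*\} "
    r"\[(?P<logger>\w+)\] (?P<msg>.*)$")
# DefaultVerifier message: names the missing right and the (type, object) checked.
MISSING = re.compile(
    r"- (?P<user>\S+) doesn't have necessary rights '(?P<right>[^']+)', "
    r"required to execute operation on \((?P<type>[^,]+), (?P<obj>[^)]+)\)")
# NotAuthorizedException message: the refusal the client shows as error 002.
DENIED = re.compile(
    r"NotAuthorizedException: \[\d+\]User '(?P<user>[^']+)' is not authorized")


def authz_denials(log_text):
    """Return {user: {"missing": {(right, type, object)}, "denied": count}}."""
    out = defaultdict(lambda: {"missing": set(), "denied": 0})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m or m["level"] != "ERROR":
            continue
        if m["logger"] == "DefaultVerifier":
            r = MISSING.search(m["msg"])
            if r:
                out[r["user"]]["missing"].add((r["right"], r["type"], r["obj"]))
        else:
            d = DENIED.search(m["msg"])
            if d:
                out[d["user"]]["denied"] += 1
    return dict(out)


if __name__ == "__main__":
    for user, info in authz_denials(SAMPLE_LOG).items():
        print(user, sorted(info["missing"]), "denied:", info["denied"])
```

A refusal that names a missing right on `_ROOT` for an account that passes "Test Login" is an authorization failure rather than a credential failure, which is the distinction the thread turns on.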

iiliev
VMware Employee

You are doing it correctly - permissions are assigned to a given group on the 'Permissions' tab.

A few other things to check:

1) Connect to the database you are using with some DB utility. There should be a table named 'vmo_accessrights'. Inside it, is there a record for '_ROOT' object and 'MyDomain\MyTestUser'?

2) When trying to log in to the vCO Java client, how do you specify the user name? As MyDomain\MyTestUser, or as MyTestUser@MyDomain?

-Ilian

NJKwork
Enthusiast

Hello,

I am using "MyDomain\MyTestUser" as the format. This is the format I used when I log in with my account and it works.

I am not sure how to access the DB for Orchestrator (it's the appliance, not the Windows version using MSSQL).

We had problems getting the vCenter appliance (5.5b) to work with SSO in our domain too and we had to scrap it for the Windows version instead...tech support said it was a known bug and there was no known plan to fix it yet.  I wonder if the Orchestrator appliance has the same bug.

NK

iiliev
VMware Employee

Today I spotted a PR/SR in our internal bug database that sounds similar to this one. Apparently there is a real issue/regression for non-admin users. There is an engineer assigned to work on this PR so hopefully we'll have some results next week.

BTW, you are using AD, correct? How is the identity source AD configured in SSO - as "Active Directory (Integrated Windows Authentication)" or as "Active Directory as LDAP Server"?

NJKwork
Enthusiast

Thank you for the update.

We are using Active Directory. In SSO, it is set to "Integrated Windows Authentication".

NK

rds00
Enthusiast

Hello,

Any news?