I just updated my lab instance to 2.0 Beta and AD auth has stopped working.
I validated that it was working before the upgrade.
Hey ikiris - can you confirm your issue is now resolved? If so, can you mark this question as answered?
If anyone is experiencing this issue and has not received the patch, please reach out to me directly.
Does a test work from the Administration - Authentication section? Under Administration - Users does UPN and suffix match for the user in question? In what format are you trying to login (e.g. <domain>\<username> or <username>@<domain>)?
Test does work from Administration - Authentication (using the same account)
UPN and suffix match.
I have tried logging in with three formats:
* <username>
* <domain>\<username> (this did not work for me in 1.5)
* <username>@<domain>
Please generate a support bundle and upload per http://kb.vmware.com/kb/1008525 (no need for SR just upload to a folder called ikiris)
Support bundle uploaded
I can confirm I have the same issue. I logged in with my AD account, did the upgrade, and cannot log in with my AD account now either.
What is different for me is that the root account works fine at the console, but does not work in the web. So very odd. Did a restart and watched the appliance boot and saw no errors or issues during boot.
Michael
Hey Michael - root will not work in the UI unless you create a local root user. What is the AD username you are attempting to log in as?
Thanks Steve, I forgot about root. I am using domain\user, and user@domain with no luck as well as user.
The actual domain name is thewhites.ca, and my account is mwhite.
I note in authentication there is no longer an account name. I am going to add it back and see how it goes.
Michael
Hi Steve,
Confirmed that when I add the service account and password to the LI Authentication area, and then test successfully, after I log out I can in fact log back in the exact same way I was before. Meaning just using username and not using domain with it at all.
So the bug is that authentication information is not maintained through the upgrade. Other things like users or NFS config info are.
Michael
Interesting - so you upgraded from 1.5 GA to 2.0 beta and the binding username was removed from the authentication section, but the default domain was not?
ikiris - sorry for hijacking the thread, we are looking into your issue as well. My guess is it has something to do with your username containing an exclamation mark, can you try an AD user that does not have one in it?
Michael - can you send me a link to the support bundle for your instance?
ikiris - in addition to testing a user without !, can you also see if you might be experiencing the same as what Michael reported? Log in and go to Administration - Authentication and see if the binding user is defined. If not, define, test, save, and try to log in again. Let me know how you make out.
Binding user was there and tested. It was the same as the account with the !
I also got an error when trying to add an AD user that didn't have a !
AuthenticationException: Unable to get attributes for domain 'my.domain.net'.; AuthenticationException: Invalid or untrusted domain 'my.domain.net'; nameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-031001E4, problem 2001 (NO_OBJECT), data 0, best match of: 'DC=my,DC=domain,DC=net' ]
I hit 'yes' to continue to add and it didn't allow me in.
I get the same error as well. AD auth didn't work for me in 1.5 though either. My user passes a successful test but fails at looking up groups or users to add to LI2.0
dominic7 - Please generate a support bundle and upload per http://kb.vmware.com/kb/1008525 (no need for SR just upload to a folder called dominic7)
The Support Assistant 2.0 doesn't have the right product to upload to, and the https://ftpsite.vmware.com won't accept a new folder name unless it's a 12 digit SR. It's only a 12M bundle so I could email it to you or... ?
Make up a support # and let me know what you choose
SR #
Logs, uploaded.
I'm having a similar issue as well. Never tried AD Auth previously, however I am trying to set it up now under 2.0. I get a similar java error in the logs when I try to add an AD user or group (Error while getting user attributes). The binding seems to work OK.
I have uploaded a support bundle under folder 932233883388
aussiebigkid:
* Does the binding username contain any special characters? If so, can you try one without?
* Is the binding user an administrator of the domain? If not, can you try one that is?
