VMware Cloud Community
06dragon
Contributor

Issue with New-VIPermission using VCSA 6

Hi,

We just upgraded our infra to VMware 6 using VCSA 6. Since it's a Linux appliance, it's not part of any domain.

We migrated our VMs from the old 5.1 version to 6, and using Get-VIPermission I got a backup of all VMs' permissions in an XL. Now if I use New-VIPermission to replicate the same permissions, I get an error that New-VIPermission can't find domain\username.

Using the GUI, if I just put the user name with the domain, e.g. domain\username, I can add the permission, but if I just put the user name and try to search the domain by selecting the identity source, I get the same error (i.e. can't find user). So for now we have to manually copy the permission for each VM from the XL, go to the GUI and paste domain\username into the users field, and that is how we are copying permissions.

Is there any alternative to New-VIPermission so that we can bypass searching the domain and just add the user account?

Thanks in advance!!

Ashish

6 Replies
ccalvetTCC
Enthusiast

Hi,

It doesn't look like a PowerCLI limitation but rather a configuration issue linked to SSO.

"Since it's a Linux appliance, it's not part of any domain."

This is not always the case; a vCenter Appliance can be joined to AD.

https://pubs.vmware.com/vsphere-60/topic/com.vmware.vsphere.vcsa.doc/GUID-08EA2F92-78A7-4EFF-880E-2B...

It seems here that the issue is linked to the "default domain for vCenter Single Sign-On".

"Users who belong to a domain that is not the default domain must include the domain name when they log in."

https://pubs.vmware.com/vsphere-60/topic/com.vmware.vsphere.security.doc/GUID-11E651EF-4503-43BC-91F...

So if you configure your domain as the identity source "default domain", it should be possible to find a user without having to type the full domain\username.

Note:
It would be interesting to see the format of the previously exported data (anonymized, obviously).
Was the previous VC an appliance or a Windows-based vCenter?

Blog: http://thecrazyconsultant.com/ | Twitter: @ccalvetTCC
06dragon
Contributor

Thanks for the reply, Chris. The previous one was a Windows-based VC server (vSphere 5.1). Here is an example of the permissions:

VM Name | Permission
VM1     | domain-name\user1; domain-name\user2; domain-name\user3
VM2     | domain-name\user2
VM3     | domain-name\user3; domain-name\user4

Now if I want to add the permission for VM2, I read the XL:

$vm = Get-VM -Name VM2
# The cell holds one or more 'domain\user' entries separated by ';' (see the table above)
$per = $worksheet.Cells.Item($intRow, 1).Value2
foreach ($p in ($per -split ';')) {
    $vm | New-VIPermission -Role 'vm-user' -Principal $p.Trim() -Propagate:$true
}


and that's where the problem starts. domain-name is our default domain.


However, if I directly put domain-name\user2 in the GUI's user field, I can add the user. But if I write user2 and select the identity source from the dropdown, I hit the error: Call "UserDirectory.RetrieveUserGroups" for object "UserDirectory" on vCenter Server "VC Server Name" failed.


In the case of PowerCLI, the error message is:


New-VIPermission : 10/27/2015 4:32:46 PM    New-VIPermission        Could not find VIAccount with name 'domain-name\user2'

New-VIPermission : 10/27/2015 4:32:47 PM    New-VIPermission        Value cannot be found for the mandatory parameter Principal

ccalvetTCC
Enthusiast

Could you please provide all details on how your environment is configured? (anonymized)

Especially everything related to SSO and AD.

Blog: http://thecrazyconsultant.com/ | Twitter: @ccalvetTCC
06dragon
Contributor

Sure. We have 2 PSCs (Platform Services Controllers), 1 F5 load balancer and 1 VC server for our new VC 6 infra.

VC 6 is a VCSA.

Thanks

Ashish

ccalvetTCC
Enthusiast (accepted solution)

Hi Ashish,

These issues could have many potential root causes, which is why as many details as possible will be needed to find the root cause.

It is possible to start the investigation with Get-VIAccount alone:

vSphere 6.0 Documentation Center

Please try:

Get-VIAccount -Domain "yourdomain"

Get-VIAccount -Name "yourdomain\oneuser"

Get-VIAccount -Name "oneuser"

Is it a large Active Directory domain? If so, some potential root causes:

vCenter Settings > Active Directory settings: you may need to increase the Active Directory Timeout or disable the Query Limit.

Single Sign-On > Configuration > Identity Sources: the "yourdomainname" identity source. If you are not using Active Directory (Integrated Windows Authentication), maybe reduce the scope of the AD query by pointing it closer to the OU containing your VMware yourdomain\users, and test the connection. Ensure that the account also has enough rights to browse the domain.

In the same place, check that the "yourdomain" identity source is the default.

Blog: http://thecrazyconsultant.com/ | Twitter: @ccalvetTCC
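As an added example (not code from this thread, from VMware, or from the PowerCLI reference), here is how the three Get-VIAccount lookups in this answer can be folded into the XL-driven New-VIPermission loop from the earlier post: every 'domain\user' entry in a cell is resolved first, the resulting VIAccount object (rather than the raw string) is handed to New-VIPermission, and entries SSO cannot resolve are reported instead of aborting the whole run with "Could not find VIAccount". It assumes an existing Connect-VIServer session, a role named 'vm-user' as in the original script, and that Get-VIAccount accepts -Domain and -Name together; the Excel read is replaced by constructed sample rows in the thread's XL layout, and the VM and user names are hypothetical.

```powershell
# Added example, not code from the thread. Assumes an existing Connect-VIServer
# session and a role named 'vm-user'. The Excel read is replaced by constructed
# sample rows (hypothetical VM and user names) in the thread's XL layout.

$rows = @(
    [pscustomobject]@{ VM = 'VM1'; Permission = 'domain-name\user1; domain-name\user2; domain-name\user3' }
    [pscustomobject]@{ VM = 'VM2'; Permission = 'domain-name\user2' }
    [pscustomobject]@{ VM = 'VM3'; Permission = 'domain-name\user3; domain-name\user4' }
)
$dryRun = $true   # $true: only resolve principals (Get-VIAccount alone); $false: also apply permissions
$role   = Get-VIRole -Name 'vm-user'
$cache  = @{}     # 'domain\user' -> VIAccount, so SSO is queried once per principal

# Resolve one 'domain\user' string with the three lookups from the accepted answer:
# Domain + Name, the full 'domain\user' Name, and the bare Name (default SSO domain).
function Resolve-Principal {
    param([Parameter(Mandatory)][string]$Principal)
    if ($cache.ContainsKey($Principal)) { return $cache[$Principal] }

    $domain, $user = $Principal -split '\\', 2            # split on the first backslash only
    if (-not $user) { $user = $domain; $domain = $null }   # bare name, no domain part

    $lookups = @()
    if ($domain) {
        $lookups += { Get-VIAccount -Domain $domain -Name $user -ErrorAction Stop }
        $lookups += { Get-VIAccount -Name $Principal -ErrorAction Stop }
    }
    $lookups += { Get-VIAccount -Name $user -ErrorAction Stop }

    $account = $null
    foreach ($lookup in $lookups) {
        try   { $account = & $lookup | Select-Object -First 1 }   # $null if nothing came back
        catch { Write-Warning "${Principal}: $($_.Exception.Message)"; $account = $null }
        if ($account) { break }
    }
    $cache[$Principal] = $account
    return $account
}

# Walk the export: one permission per (VM, principal). Unresolved entries are
# reported, not applied, so one bad principal does not stop the run.
$report = foreach ($row in $rows) {
    $principals = $row.Permission -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    foreach ($p in $principals) {
        $account = Resolve-Principal -Principal $p
        if (-not $account) {
            [pscustomobject]@{ VM = $row.VM; Principal = $p; Status = 'unresolved: check identity source / default domain' }
            continue
        }
        $status = 'resolved'
        if (-not $dryRun) {
            $vm = Get-VM -Name $row.VM -ErrorAction Stop
            # Pass the VIAccount object, not the string, so New-VIPermission does no lookup of its own
            $null = New-VIPermission -Entity $vm -Role $role -Principal $account -Propagate:$true
            $status = 'applied'
        }
        [pscustomobject]@{ VM = $row.VM; Principal = $account.Id; Status = $status }
    }
}
$report | Format-Table -AutoSize
```

Run it first with $dryRun left at $true: the report then shows, per principal, which of the lookups SSO can answer, which is the same information as the three manual Get-VIAccount calls in the answer but for every entry in the export at once. Only after every row reads "resolved" set $dryRun to $false to apply the permissions.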
06dragon
Contributor

Thanks for your answers Chris!!


We ended up putting the permissions in manually, but the information you provided definitely revealed many good things.

Thanks Again!!

Ashish
