VMware Cloud Community
zach1008
Enthusiast

AD Authentication works for some but not all users

I have set up a vCenter server and added one host. The ESXi 5.1 host is joined to the domain and so is the Windows 2008 R2 server that vCenter is installed on. I have set up about 35 users from AD with permissions in the vCenter server with access to certain virtual machines. About half the accounts can log in using Windows credentials and/or their domain account. The other half of the users are not able to get logged in at all. We have dug through all the accounts and cannot find any differences in them on the AD side or the vCenter side. Any thoughts or suggestions are greatly appreciated as this is having a direct impact on usability.

11 Replies
DavoudTeimouri
Virtuoso

Hi,

What is your SSO configuration, are you using a separate SQL DB for SSO?

Restart your SSO services on the vCenter server and then restart your vCenter services, or if it's installed on a separate server, restart that and then restart the others.

Davoud

-------------------------------------------------------------------------------------
Davoud Teimouri - https://www.teimouri.net - Twitter: @davoud_teimouri Facebook: https://www.facebook.com/teimouri.net/

zach1008
Enthusiast

I have installed all on one server using the defaults. I have rebooted the server to no avail. Just restarted the services and tested with an account that cannot log in and it is still not working. I have removed the accounts from the permissions on vCenter and re-added them a couple of times as well. I get a message that states "Cannot complete login due to an incorrect user name or password" but the user can log into any domain computer as well as Exchange or any other AD authentication based system without issues using the same username and password.

DavoudTeimouri
Virtuoso

Hi,

I had the same problem and it was resolved by restarting the SSO services. You should also update your vCenter to the latest update.

Davoud

zach1008
Enthusiast

I have restarted the SSO service as well as ensured I have the latest updates for vCenter. Still no love. After digging I am thinking the vCenter may not be registered to the SSO even though it is all one server. When I log into the web client using admin@system-domain and choose vCenter servers there are none listed or available.

a_p_
Leadership

Just a quick question. How many user accounts do you have in the AD? More than ~2,000?

André

zach1008
Enthusiast

Yes, I believe so. This is not my domain directly so I am not sure, but I know it is very large as it is at a local career college and users are kept after graduation. When adding the AD accounts it finds the users just fine and adds them to the permissions I am setting up; it is only an issue when the user attempts to log in.

schepp
Leadership

Have you checked the Identity Sources in the SSO configuration?

-> Login as admin@system-domain -> administration -> Sign-On and Discovery -> Configuration

Is the AD added as a standard domain? Check if the AD is configured correctly as identity source (Base DN, etc. Maybe your Base DN is configured on a sub-level DN where not all users are included).

@André: why ~2000? What kind of magical number is that? As we have vCenters here in ADs with waaaaaay more users in it.

Regards

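The Base DN scope check suggested in the post above, as an added example that is not part of the original thread: given the distinguished names of the affected accounts and the identity source's "Base DN for users", it lists the accounts a subtree search from that Base DN cannot reach. The function names are hypothetical, the DNs are constructed sample data, and the DN parsing is simplified (it handles escaped commas, case and spacing, but not multi-valued RDNs or hex escapes).

```python
# Added example: check which user DNs fall inside an identity source's Base DN.
# All DNs below are constructed sample data, not values from the thread.

def normalize_rdn(rdn):
    """Lower-case and trim 'attr = value' so comparisons ignore case and spacing."""
    attr, _, value = rdn.partition("=")
    return f"{attr.strip().lower()}={value.strip().lower()}"

def split_rdns(dn):
    """Split a DN into normalized RDNs, honouring backslash-escaped commas."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:                 # character after a backslash is literal
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":             # unescaped comma ends the current RDN
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current))
    return [normalize_rdn(r) for r in rdns if r.strip()]

def is_under_base(user_dn, base_dn):
    """True when base_dn's RDNs form the trailing part of user_dn's RDNs."""
    user, base = split_rdns(user_dn), split_rdns(base_dn)
    return len(base) > 0 and len(user) >= len(base) and user[-len(base):] == base

def out_of_scope(user_dns, base_dn):
    """Return the DNs that a subtree search rooted at base_dn cannot reach."""
    return [dn for dn in user_dns if not is_under_base(dn, base_dn)]

SAMPLE_USERS = [  # constructed
    "CN=Smith\\, Jane,OU=Staff,DC=example,DC=edu",
    "CN=jdoe,OU=Students,DC=example,DC=edu",
    "CN=alumni1,OU=Alumni,DC=archive,DC=example,DC=edu",
]

if __name__ == "__main__":
    for base in ("DC=example,DC=edu", "ou=staff, dc=example, dc=edu"):
        print(base, "->", out_of_scope(SAMPLE_USERS, base))
```

An empty result for the configured Base DN means scope is not what separates the working accounts from the failing ones.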
zach1008
Enthusiast

The AD is added as what appears to be a standard domain. The Base DN for users is at the top of the domain, dc=beckfiled,dc=edu. The connection tests successfully. Like I mentioned, about 15 of 30 users can log in using AD credentials without any issue. The other half of the users get a message that the username or password is incorrect. This happens when checking the box to use Windows session credentials or entering the domain\username and password manually.

a_p_
Leadership

why ~2000?

I had some situations in the past where API calls returned only a limited number of AD objects. This isn't a VMware issue per se, but if I remember correctly this issue also occurred with permissions and therefore might apply to SSO (ADAM) too!?

André

zach1008
Enthusiast

Any other thoughts on this? The AD size is over 2,000 users. Is it possible to change the timeout? Why would some users work while others do not when all the users that are having issues are in the same OU?

a_p_
Leadership

... when all the users are in the same OU that are having issues?

How did you configure the AD Identity Source ("Base DN for users")?

André
