VMware Cloud Community
MatthewGagliard
Contributor
Contributor
‎12-30-2015 06:06 AM

SSO-AD integration issue?

I ran into an interesting situation yesterday and I'm wondering if anyone else has seen something similar...

  • ESXi 6
  • vCenter 6 (U1 to be specific)
  • vCenter hostname "<domain>.<domain>.tst"
  • Domain name "<domain>.tst" with NetBIOS name "<domain>".
  • SSO naming conforms to guidelines (SSO domain isn't the same as the domain name...it's the standard vsphere.local).

  I successfully joined the VCSA to the domain and then added the AD (integrated) as an identity source and made it the default.  Everything was looking OK.  When I attempted to add a group from the AD to  **Global** permissions it worked fine...I was able to actually browse the AD groups (identified in the drop-down as "<domain>.tst") and add them as necessary.  BUT when I went into vCenter permissions and attempted to add the group there it failed (didn't matter if it was at vCenter, host or VM level) in a really odd way...the drop-down menu for selecting the source didn't identify the domain as "<domain>.tst" but rather just "<domain>", the NetBIOS name.  And when I selected that option the groups and users that were listed were the same as the LocalOS identity source (which is "<domain>.<domain>.tst").  The options listed in the drop-down (non-Global) are "<domain>.<domain>.tst" (the vCenter server), "VSPHERE.LOCAL" and "<domain>".

  I don't believe I violated any of the recommendations (certainly not any of the ones I've seen) for deployment.  I'll stipulate that it's probably odd to have the domain named the same thing as the vCenter but the domain in this case was stood up specifically for a test environment that is hosting the vCenter...the sole purpose for the domain *is* the vSphere environment (so there is a bit of logic).  It looks like there may be some confusion on the backend around NetBIOS names.

  Anyone seen anything like this or come across warnings about not setting it up this way?

*** EDIT ***

So...this definitely seems to be either a "bug" or a missing/hidden piece of documentation.  I want to emphasize again that the SSO domain was *definitely* named differently than the Windows AD domain.  I killed my original <domain> and built a new one which didn't share a hostname with the vCenter (VCSA) server.  Now things are working as desired not only in the Global permissions but also in the vCenter (and below) permissions.  I can successfully select the domain (identified by its NetBIOS name in the UI) and add groups, etc.

Message was edited by: MatthewGagliardi to include "fix" information.

0 Kudos
0 Replies