VMware Cloud Community
EricGustafson
Contributor

VCSA SSO multidomain setup

I'm trying to set up SSO with no success so far. Running the latest vCenter (Standard) patches/updates and the latest ESXi 5.5 (both as of 1 Oct 2014).

Embedded DB and SSO.

From the root VCSA login (port 5400), AD is NOT checked. I've tried to authenticate for the connection, but it's been a no-go.

From the vsphere.local login (port 9443) web client, SSO configuration > Identity Sources, I've successfully added two AD domains: wwdomain and domain2. The VCSA is on a third domain (domain3).

One-way trusts are set up: domain2 and domain3 both trust wwdomain but do not trust each other (wwdomain doesn't trust either domain2 or domain3).

The default domain I wish VM admins to use for SSO into vCenter is wwdomain (identity source 2 below), as that is what they use to log on to their office PCs.

Identity Source 1 (domain2)

Base DN for both users & groups: DC=domain2,DC=geolocation,DC=researchdivision,DC=corporatename,DC=com (I couldn't get it to test-connect successfully if I didn't fall back to this level)

Primary server URL: ldap://domain2DC.domain2.geolocation.researchdivision.corporatename.com

Username: domain2\$vcentersso

Identity Source 2 (wwdomain)

Base DN: OU=US,OU=Users,OU=Accounts,DC=wwdomain,DC=corpname,DC=net

Primary server URL: ldap://zzzzz.wwdomain.corpname.net (I determined this from %logonserver% when logged on to my office PC with corp wwdomain creds)

Here's more to add to the catchbox: AD and DNS are different. I.e., at the server level I can join the AD domain of domain2, but when I do an nslookup IPADDR, DNS returns vcenterx.corpname.com.

At the office level, an office PC will return wwdomain.corpname.net (yes, we use both .com and .net).

When using the checkbox for "Use Windows session authentication" (in browser), I've received multiple errors, and due to current IE11/Chrome and client plugin compatibility issues I've even tried a slightly older version of Firefox.

Using Win 8.1/Firefox v32: "The authentication server returned an unexpected error: ns0:RequestFailed: IDM threw unexpected error during authentication :: Native platform error [code: 1213][ERROR_INVALID_SERVICENAME][]. The error may be caused by a malfunctioning identity source."

On a laptop with Win7 and IE10 the client plugin functions properly.

Manually entering domain credentials yields 2 possible errors (checkbox not checked):

Using Win7/IE10 with client plugin installed:

Using my global domain creds (wwdomain\gustafson): "The authentication server returned an unexpected error: ns0:RequestFailed: Referral. The error may be caused by a malfunctioning identity source."

Using my devel domain creds (domain2\gus): "Provided credentials are not valid."

Anyone have suggestions for how this should really be set up?

Message was edited by: EricGustafson. Updated the LDAP server for source 1. The original source was EnterpriseDirectory; I'm now pointing to AD on a different port. When testing the connection I get an error that simply says "token".
