I have just finished installing vCenter 6 appliance, everything went well and I joined the appliance to the domain via the web client, administration, system configuration, nodes - manage. That worked and I rebooted the appliance, then I added the AD as an identity source which also completed without errors. But when I go to users and groups and select my domain to list users it won't list; I just receive this error "Error while extracting local SSO users".
Any ideas how to resolve this? I have gone through the documentation several times to find what I missed but I've followed all the instructions as to join to the domain and add as identity source but it just won't list the users from the domain.
What is the SSO user? Also I am using a domain account with Domain admin privileges when joining the domain and adding the identity source.
"Error while extracting local SSO users" seems to point, not to AD, but to the local SSO. SSO Users are the users in vsphere.local, or whatever you called it on deployment.
VMware, in their quest to create more acronyms and names for the same products, has created PSC, which contains vestigial SSO. We couldn't just call an Apple an Apple!
So far, our only complaints about vSphere 6 & VCSA 6 relate to flakiness with authentication. Issues just like this!
One thing that occurs to me: VCSA takes like 20-30 minutes to reboot! Maybe SSO isn't fully initialized.
I am receiving this exact same error. The only difference is that I'm using an OpenLDAP source instead of AD. I never could get AD to work in 5.5, so I'm attempting LDAP this time around.
My OpenLDAP source added fine, and the button to test the connection comes back with a success message. However, on the users page, when I select the domain from the drop down it thinks about it for a minute and then I get that error message, "Error while extracting local SSO users".
Edit to add: The local SSO is working, as the account I'm using to login normally is in the vsphere.local domain.
I am using the vCenter Appliance and I got the same error when I connected to AD using the "Active Directory (Integrated Windows Authentication)" option. I was able to resolve my issue.
I fixed it by removing the AD identity source, re-adding AD using "Active Directory as an LDAP Server", testing the connection, clicking "OK" after it passed the test and immediately rebooting the vCenter appliance.
Once the Web Client was accessible again, I made sure SSO could see the AD objects by going to Single Sign-on > Users and Groups and selecting my domain from the drop down. I could then see all the AD objects and the error did not appear again.
I should also note, I created a service account with Domain Admin rights for the LDAP connection authentication. Not sure if this was required, but this is a Lab and I decided to kill a fly using a nuke so I can get up and running quicker. I would not recommend using a domain admin for a prod environment.
I hit the same issue today. Resolved it by adding the VCSA host as a computer in AD Users & Computers. After this, the Web client is able to fetch users of the AD which is set as an identity source.
I've run into the same issue - "error extracting local so users". I've tried your resolution but still no joy. When you refer to vCenter Host, do you mean:
a. Windows machine that Vcenter is installed on
b. ESXi host on which the vCenter server appliance is running
c. vCenter server appliance VM (as a computer on AD)
Was anyone able to replicate this issue and resolve it?
I get this error when using Integrated Windows Authentication using either the local domain user or when using an SPN. I don't encounter this issue when I use AD integration using LDAP.
I managed to recreate the issue and resolve it.
Forward DNS was configured for the domain controller, but the PTR record was missing.
Once I created this, this resolved the issue.
My Fix: Verify Forward and Reverse DNS from the vCenter Appliance for the DC.
Check your AD server; reboot it if you can. The problem is the connection between SSO and the AD controller. If it seems OK, reboot it; it should resolve the issue (just had the problem).
Struggled for weeks with this issue, I just found your comment and voilà... Thanks snekkalapudi, it's working fine now!!
For those people facing the same issue, check this list:
* DNS PTR record must exist, also reverse DNS
* Open Web client as Administrator@vsphere.local... Go to Administration > System Configuration > Nodes > select your PSC node > Manage > Active Directory, and join it to the domain (OU is optional), just like a Windows machine
* Reboot PSC
* Now add the Identity Source: Active Directory (Integrated Windows Authentication), Use Machine Account
* Restart browser
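Two replies above (the "Verify Forward and Reverse DNS from the vCenter Appliance for the DC" fix and the "DNS PTR record must exist" item in the list) come down to the same check: every address the DC's name resolves to must have a PTR record that resolves back to that same name. The script below is an added example, not code from the thread or from VMware; it performs that round-trip check against the resolver of whatever host it runs on (the VCSA, if you copy it there), and the constructed names and addresses in the demo (dc01.corp.example, 10.0.0.5) are placeholders that exist only in this example.

```python
"""Forward/reverse DNS consistency check for a domain controller.

Added example (not from the thread). Usage on a host that uses the same
resolver as the vCenter appliance:
    python3 check_dc_dns.py dc01.corp.example
Exit status 0 means every A record round-trips through a matching PTR.
"""
import socket
import sys


def default_forward(fqdn):
    """Forward lookup: sorted IPv4 addresses for fqdn, [] if the name does not resolve."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(fqdn, None, socket.AF_INET)})
    except socket.gaierror:
        return []


def default_reverse(ip):
    """Reverse lookup: canonical PTR name for ip, None if no PTR record exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def check_dc_dns(dc_fqdn, forward=default_forward, reverse=default_reverse):
    """Check that each address of dc_fqdn has a PTR that points back to dc_fqdn.

    Returns {"ok": bool, "problems": [str], "addresses": [(ip, ptr, status)]}
    where status is one of "ok", "missing-ptr", "mismatch". The resolver
    functions are injectable so the logic can be exercised without live DNS.
    """
    name = dc_fqdn.rstrip(".").lower()          # normalise trailing dot and case
    addrs = forward(name)
    if not addrs:
        return {"ok": False, "problems": [f"no A record for {name}"], "addresses": []}
    problems, details = [], []
    for ip in addrs:
        ptr = reverse(ip)
        if ptr is None:
            problems.append(f"no PTR record for {ip}")
            details.append((ip, None, "missing-ptr"))
        elif ptr.rstrip(".").lower() != name:
            # A PTR that names some other host is as bad as a missing one for Kerberos/IWA.
            problems.append(f"PTR for {ip} is {ptr}, expected {name}")
            details.append((ip, ptr, "mismatch"))
        else:
            details.append((ip, ptr, "ok"))
    return {"ok": not problems, "problems": problems, "addresses": details}


# Constructed sample zone data (placeholders, not real hosts) so the check can
# be demonstrated offline: the forward zone is complete, the reverse zone is not.
SAMPLE_FORWARD = {"dc01.corp.example": ["10.0.0.5", "10.0.0.6"]}
SAMPLE_REVERSE = {"10.0.0.5": "dc01.corp.example"}   # 10.0.0.6 has no PTR


def run_constructed_demo():
    """Run the check against the constructed sample zones; returns the result dict."""
    return check_dc_dns(
        "dc01.corp.example",
        forward=lambda n: SAMPLE_FORWARD.get(n, []),
        reverse=lambda ip: SAMPLE_REVERSE.get(ip),
    )


if __name__ == "__main__":
    if len(sys.argv) == 2:
        result = check_dc_dns(sys.argv[1])      # live check against the local resolver
    else:
        result = run_constructed_demo()         # offline demonstration
    for ip, ptr, status in result["addresses"]:
        print(f"{ip:<16} {ptr or '-':<32} {status}")
    for p in result["problems"]:
        print("PROBLEM:", p)
    sys.exit(0 if result["ok"] else 1)
```

Run it with no argument to see the constructed case (one address round-trips, the other reports "missing-ptr"), or pass the DC's FQDN to check the real records; a non-zero exit means at least one address lacks a PTR or its PTR names a different host, which is the condition the DNS-related replies in this thread fixed.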
I had a similar issue, and during investigation I identified that the SPN name which I used for the LDAP identity source was not in use, and because of that it was throwing this error message.
As soon as I updated the SPN by editing the identity source (LDAP source server), it started extracting all domain users.
3 years later, in my case, checking AD account expiration was helpful.
Accounts which were used for communication between Horizon and vSphere had expired and were disabled in AD.
Extending the expiration date for another period of time fixed it.