johnkenny
Contributor
Contributor

Vcenter 6, problem with AD. "Error while extracting local SSO users"

I have just finished installing Vcenter 6 appliance, everything went well and I joined the appliance to the domain via the web client, administration, system configuration, nodes - manage.  That worked and I rebooted the appliance, then I added the AD as an identity source which also completed without errors.  But when I goto users and groups and select my domain to list users it wont list i just receive this error "Error while extracting local SSO users".


Any ideas how to resolve this, I have gone through the documentation several times to find what i missed but i've followed all the instruction as to join to the domain and add as identity source but it just wont list the users from the domain.


What is the SSO user?  Also I am using a domain account with Domain admin priviliges when joining the domain and adding the identity source.


Thanks


John Kenny

17 Replies
unsichtbare
Expert
Expert

"Error while extracting local SSO users" seems to point, not to AD, but to the local SSO. SSO Users are the users in vsphere.local, or whatever you called it on deployment.


VMware, in their quest to create more acronyms and name for the same products, has created PSC, which contains vestigial SSO. We couldn't just call an Apple an Apple!


So far, our only complaints about vSphere 6 & VCSA 6 relate to flakiness with authentication. Issues just like this!


One thing that occurs to me: VCSA takes like 20-30 minutes to reboot! Maybe SSO isn't fully initialized.

+The Invisible Admin+ If you find me useful, follow my blog: http://johnborhek.com/
0 Kudos
johnkenny
Contributor
Contributor

So what could be wrong with the Vsphere.local users?  Or is it just a bug?

Thanks

JK

0 Kudos
howardtopher
Contributor
Contributor

I am receiving this exact same error.  The only difference is that I'm using an OpenLDAP source instead of AD.  I never could get AD to work in 5.5, so I'm attempting LDAP this time around.

My OpenLDAP source added fine, and the button to test the connection comes back with a success message.  However, on the users page, when I select the domain from the drop down it thinks about it for a minute and then I get that error message, "Error while extracting local SSO users".

Edit to add: The local SSO is working, as the account I'm using to login normally is in the vsphere.local domain.

0 Kudos
jkasalzuma
Enthusiast
Enthusiast

I am using the vCenter Appliance and I got the same error when I connected to AD using the "Active Directory (Integrated Windows Authentication). I was able to resolve my issue.

I fixed it by removing the AD identity source, re-adding AD using "Active Directory as an LDAP Server", testing the connection, clicking "OK" after it passed the test  and immediately rebooting the vCenter appliance.

Once the Web Client was accessible again, I made sure SSO could see the AD objects by going to Single Sign-on > Users and Groups and selecting my domain from the drop down. I could then see all the AD objects and the error did not appear again.

I should also note, I created a service account with Domain Admin rights for the LDAP connection authentication. Not sure if this was required, but this is a Lab and I decided to kill a fly using a nuke so I can get up an running quicker. I would not recommend using a domain admin for a prod environment.

0 Kudos
snekkalapudi
VMware Employee
VMware Employee

I hit into the same issue today. Resolved it by adding the VCSA host as computer in AD Users & Computers After this, Web client is able to fetch users of AD which is set as an identity source.

-Suresh
win_E
Contributor
Contributor

Hello snekkalapudi

I've run into the same issue - "error extracting local so users". I've tried your resolution but still no joy. When you refer to vCenter Host, do you mean:

a. Windows machine that Vcenter is installed on

b. ESXi host on which the vCenter server appliance is running

c. vCenter server appliance VM (as a computer on AD)

Thanks

win_E

0 Kudos
snekkalapudi
VMware Employee
VMware Employee

Hi Win_E, I mean  vCenter server appliance VM (as a computer on AD)

-Suresh
0 Kudos
eagerzeroedthic
Contributor
Contributor

Hi,

Was anyone able to replicate this issue and resolve it?

I get this error when using Integrated Windows Authentication using either the local domain user or when using an SPN. I don't encounter this issue when I use AD integration using LDAP.

0 Kudos
eagerzeroedthic
Contributor
Contributor

I managed to recreate the issue and resolve.

Forward DNS was configured for the domain controller, but the PTR record was missing.

Once I created this, this resolved the issue.

My Fix: Verify Forward and Reverse DNS from the vCenter Appliance for the DC.

MMims
Contributor
Contributor

Excellent suggestion! This resolved my issue as well. Added PTR record for the AD server and everything is working now.

rkamalon
Contributor
Contributor

Faced similar issue and resolved by adding PTR records for AD and everything worked well. Thanks for all suggestions.

KoekeBE
Contributor
Contributor

The resolution of adding PTR records resolved the issue for me aswell. Thank you for the information!

fpoyer
Contributor
Contributor

Hi,

check your AD server, reboot if you can. the probleme is the connection between SSO and the AD controler, if it seems ok, reboot it, it should resolve the issue (just had the problem)

0 Kudos
fast5th
Contributor
Contributor

I also had this error but it had to do with a time sync issue. Once I got everything squared away and restarted vcenter I was all good.

0 Kudos
AlexGvmware
Contributor
Contributor

Struggled for weeks about this issue, I just found your comment an Voila... Thanks snekkalapudi is working fine now!!

For those people facing the same issue, check this list

* DNS PTR record must exists, also reverse DNS

* Open Web client as Administrator@vsphere.local... Go to Administration-System Configuration-Nodes-Select your PSC node- Manage- Active Directory- And Join it to domain (OU is optional), just like a windows machine

* Reboot PSC

* Now add the Identity Source-- Active Directory (Integrated Windows Authentication)-- Use Machine Account

* Restart browser

Voila!!!

0 Kudos
suritkumar
Contributor
Contributor

Hello Friends,

I had the similar issue and during investigation i have identified the the SPN name which i used for LDAP identity resource was not in use and because of that it was throwing this error message.

As soon as i have update the SPN by editing identity source ( LDAP Source server) it started extracting all domain users.

Thanks

Surit VatshSmiley Happy

0 Kudos
wptom
Contributor
Contributor

3 years later Smiley Happy, in my case, AD accounts expiration checking was helpful.

Accounts which were used to communication between Horizon and vSphere expired and disabled in AD.

Extending the expiration date for another period of time fixed it.

0 Kudos