I wanted to experiment the new vceneter 5.5. I created two VM
VM1 is for domain controller
VM2 is for vcenter(vcenter has been added to domain controller)
After installation of the vcenter I expected to be able to login using the Windows domain controller Administrator account, but was not allowed access to vcenter. I was only able to login using the SSO Default Domain Administrator Account.
Even after login(using SSO Default Domain Administrator Account and password), when I tried to add permission for windows DC account, it denied me access.
Normally, the goal of adding the vcenter server to domain controller is not to be able to loging with Windows DC Administrator account?
Do anyone have the solution?
Can you check sso for your domain?
login your vcenter "admin@system-domain" and then go to Home>Administration>Sign-On and Discovery>Configuration
Check the default domains window, it must be here ( your domain )
if it doesn't exist add form Identity Sources tab.
Actually i wrote an article but it's turkish
İf you want to check this, link is here;
ESXi 5.x SSO – AD Domain Konfigurasyonu | Burak VARDAR
I try to add add my windows domain as source but it denied me access with the following errors:
""Call "UserDirectory.RetrieveUserGroups" for object "UserDirectory" on vCenter Server "vCenterServer1.test.local" failed."""
Can you share configuration steps as an image?
Did you add your domain to Identity source?
also please apply this KB.
I think it will be help you
VMware KB: Adding permissions for local users in vCenter Server 5.1 fails with the error: Call "...
I forgot to tell you that I was trying to access the vcenter(using Windows DC Administrator) via vsphere client and it did not work.
I just tried to access it via web client and it works fines for both the windows DC Administrator account and the SSO Administrator account
Is the problem on the vsphere client>?
I think, problem is authentication medhod
Can you try below?
Username: DOMAIN_NAME\USER_NAME format
Can you share error screen as an image please?
The following was used and I was able to login via the web client.
1. Administrator@test.local - Windows domain account
2. Administrator@vphere.local - SSO domain account
3. Administrator - The local windows server Administrator account of the server where vcenter was installed.
Only the SSO domain gives me all the component of the Administration tap in web client, see below. It is only on the SSO Admin that I can view host added. This is not visible on the windows AD Administrator account.
Using the SSO Administrator, I look in the "Configuration" in the Administration tab, as identity source I can see that my Windows Domain is present. refer to picture below(test.local is my windows AD)
I have tried (using the SSO Adminitrator) , to select another domain under "vCenter Users and Groups" in the Administration tab(to choose my windows AD), but the following errors appeared :
""Error: Idm client exception: Failed to establish server connection"".
Even the local administrator account(where vcenter has been installed) can be selected without any errors but however not options like host added, etc is visible.
To summarize, only with the SSO Admin that I can have all the options and mange my vcenter in the Web Client
Why using the Windows Ad Administrator account, I cant have all optionn found in the SSO Admin?
You'rere almost there. This is all by design - the SSO Admin will be the only admin user by default. Since you already have your domain as an identity source, finish up by adding a user or group from test.local (or your local server admin account) as an administrator in the SSO configuration.
I will explain step by step for you
1- Verify your domain in your sso configuration
2- Log-in you vcenter with email@example.com and go to permission tab top level
3- Add permission
4- Set Permission
5- Check with vsphere client or web client, and go to session and verify
I think resolve your problem finally
thx for your help.
however, in step 3, i used vsphere client, when I tried to chance my domain to my Windows AD, it says this error
"Call "UserDirectory.RetrieveUserGroups" for object "UserDirectory" on vCenter Server "vCenterServer1.test.local" failed."
Ok bro, Can you apply steps below;
1- log-in firstname.lastname@example.org
2- go to sso configuration
3- remove your active directory domain from sso configuration
4- add new identity source
5- Careful this step ! please select active directory integrated windows authentication, type domain name correctly, and please select "use machine account"
6- Apply steps from my previous snapshot steps.
7- restart vcenter services
8- I think it will be ok