nmedard
Enthusiast

not able to login to vcenter server using windows domain controller Administrator account.

Hi All,

I wanted to experiment with the new vCenter 5.5. I created two VMs:

VM1 is for the domain controller

VM2 is for vCenter (vCenter has been added to the domain controller)

After installing vCenter I expected to be able to log in using the Windows domain controller Administrator account, but was not allowed access to vCenter. I was only able to log in using the SSO Default Domain Administrator Account.

Even after logging in (using the SSO Default Domain Administrator Account and password), when I tried to add permission for the Windows DC account, it denied me access.

Normally, isn't the goal of adding the vCenter server to the domain controller to be able to log in with the Windows DC Administrator account?

Does anyone have the solution?

11 Replies
schepp
Leadership

Hi,

You need to log in with your SSO admin and add your AD as an identity source to your SSO. After that you can give your AD users permission on the vCenter:

vSphere 5.5 Documentation Center

Burak201110141
Enthusiast

Hello,
Can you check SSO for your domain?

Log in to your vCenter as "admin@system-domain" and then go to Home > Administration > Sign-On and Discovery > Configuration

Check the default domains window; your domain must be there.

If it doesn't exist, add it from the Identity Sources tab.

Actually I wrote an article, but it's in Turkish.

If you want to check it, the link is here:
ESXi 5.x SSO – AD Domain Konfigurasyonu | Burak VARDAR

------------------------------------------------------------------ http://burakvardar.wordpress.com
nmedard
Enthusiast

I tried to add my Windows domain as a source, but it denied me access with the following error:

"Call "UserDirectory.RetrieveUserGroups" for object "UserDirectory" on vCenter Server "vCenterServer1.test.local" failed."

Burak201110141
Enthusiast

Can you share the configuration steps as an image?
Did you add your domain to the Identity Sources?
Also, please apply this KB.
I think it will help you.
VMware KB: Adding permissions for local users in vCenter Server 5.1 fails with the error: Call "...

------------------------------------------------------------------ http://burakvardar.wordpress.com
nmedard
Enthusiast

I forgot to tell you that I was trying to access the vCenter (using the Windows DC Administrator) via the vSphere Client and it did not work.

I just tried to access it via the web client and it works fine for both the Windows DC Administrator account and the SSO Administrator account.

Is the problem with the vSphere Client?

Burak201110141
Enthusiast

I think the problem is the authentication method.

Can you try the below?

Username: DOMAIN_NAME\USER_NAME format

Can you share the error screen as an image, please?
Thank you

------------------------------------------------------------------ http://burakvardar.wordpress.com
nmedard
Enthusiast

The following were used and I was able to log in via the web client.

1. Administrator@test.local - Windows domain account

2. Administrator@vphere.local - SSO domain account

3. Administrator - The local Windows server Administrator account of the server where vCenter was installed.


Only the SSO domain gives me all the components of the Administration tab in the web client, see below. It is only with the SSO Admin that I can view the hosts added. These are not visible with the Windows AD Administrator account.

Administrator@vsphere.local.jpg

Using the SSO Administrator, I looked at "Configuration" in the Administration tab; as an identity source I can see that my Windows domain is present. Refer to the picture below (test.local is my Windows AD).

IdentitySource under SSO Admin account.jpg


I have tried (using the SSO Administrator) to select another domain under "vCenter Users and Groups" in the Administration tab (to choose my Windows AD), but the following error appeared:

"Error: Idm client exception: Failed to establish server connection".


Even the local administrator account (where vCenter has been installed) can be selected without any errors; however, no options like hosts added, etc. are visible.


To summarize, only with the SSO Admin can I have all the options and manage my vCenter in the Web Client.


Why, using the Windows AD Administrator account, can't I have all the options found with the SSO Admin?

VirtuallyMikeB

You're almost there. This is all by design - the SSO Admin will be the only admin user by default. Since you already have your domain as an identity source, finish up by adding a user or group from test.local (or your local server admin account) as an administrator in the SSO configuration.

----------------------------------------- Please consider marking this answer "correct" or "helpful" if you found it useful (you'll get points too). Mike Brown VMware, Cisco Data Center, and NetApp dude Sr. Systems Engineer michael.b.brown3@gmail.com Twitter: @VirtuallyMikeB Blog: http://VirtuallyMikeBrown.com LinkedIn: http://LinkedIn.com/in/michaelbbrown
Burak201110141
Enthusiast

Hello,
I will explain step by step for you.

1- Verify your domain in your SSO configuration
vc1.JPG
2- Log in to your vCenter with administrator@vsphere.local and go to the Permissions tab at the top level
vc2.JPG


3- Add permission
vc3.JPG

4- Set permission

vc4.JPG

5- Check with the vSphere Client or web client, and go to Sessions and verify

vc6.JPG

That's all.

I think this will finally resolve your problem :)

------------------------------------------------------------------ http://burakvardar.wordpress.com
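Added example, not part of any post in this thread: a PowerCLI sketch of steps 2 to 5 above, granting the built-in Administrator role at the top of the inventory to an AD principal and then listing the result. The group name `TEST\vCenter-Admins` is a hypothetical placeholder, and the script assumes PowerCLI is installed and that the AD domain already resolves as an SSO identity source.

```powershell
# Added example (VMware PowerCLI), not code from the thread.
# Assumptions: PowerCLI is installed; test.local is a working SSO identity source.
$vCenter  = 'vCenterServer1.test.local'     # server name quoted in the thread
$ssoAdmin = 'administrator@vsphere.local'   # SSO admin used in the steps above
$adGroup  = 'TEST\vCenter-Admins'           # hypothetical AD group (placeholder)

$cred = Get-Credential -UserName $ssoAdmin -Message 'SSO administrator password'
Connect-VIServer -Server $vCenter -Credential $cred | Out-Null

try {
    # Step 2: the top level of the inventory is the root folder.
    $root = Get-Folder -NoRecursion
    $role = Get-VIRole -Name 'Admin'        # built-in Administrator role

    # Steps 3-4: add the permission only if the principal does not already hold one.
    $existing = Get-VIPermission -Entity $root |
        Where-Object { $_.Principal -eq $adGroup }

    if (-not $existing) {
        # Stops with an error if vCenter cannot resolve the principal through
        # the identity source (the lookup that fails in the GUI in this thread).
        New-VIPermission -Entity $root -Principal $adGroup -Role $role `
            -Propagate:$true -ErrorAction Stop | Out-Null
    }

    # Step 5: verify what is now granted at the top level.
    Get-VIPermission -Entity $root |
        Select-Object Principal, Role, IsGroup, Propagate |
        Format-Table -AutoSize
}
finally {
    Disconnect-VIServer -Server $vCenter -Confirm:$false
}
```

The listing at the end also serves as a quick review of who holds top-level rights; `IsGroup` shows whether each entry is a group or an individual account.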
nmedard
Enthusiast

Hi Burak,

thx for your help.

However, in step 3, I used the vSphere Client; when I tried to change my domain to my Windows AD, it gave this error:

"Call "UserDirectory.RetrieveUserGroups" for object "UserDirectory" on vCenter Server "vCenterServer1.test.local" failed."

Burak201110141
Enthusiast

OK bro, can you apply the steps below:

1- Log in as administrator@vsphere.local
2- Go to the SSO configuration
3- Remove your Active Directory domain from the SSO configuration
4- Add a new identity source

5- Careful with this step! Please select Active Directory (Integrated Windows Authentication), type the domain name correctly, and please select "Use machine account"

vc7.JPG

6- Apply the steps from my previous snapshots.

7- Restart the vCenter services
8- I think it will be OK

Thank you

------------------------------------------------------------------ http://burakvardar.wordpress.com