VMware Cloud Community
MikeStanton
Contributor

vCenter 6.5 permissions not applying to Active Directory Groups

I'm having trouble using an Active Directory group to give permissions to objects in vCenter. I can add groups and users from Active Directory to the permissions in vCenter. However, if I only use an Active Directory group, when the user account that's a member of that group logs into the Web Client (Flash or HTML5), the inventory in the navigation panes doesn't work (stuck Loading), and accessing different sections results in "Permission Denied" errors.

But if I add that same user explicitly on the vCenter permissions, everything works as expected. It would be ideal if user permissions management could all be handled by the Active Directory server, instead of having to manually grant each user permissions in vCenter. Any ideas what's going on here?

The setup:

External PSC using vCSA

Identity Source added to External PSC

vCenter 6.5 installed on Windows Server 2012 R2 w/ SQL Server 2014

Active Directory group added to "Administrators" group on PSC

Active Directory group added to Permissions tab in vCenter with Administrator Role and Propagate Child Objects enabled.

Also, I've created test groups of both Global and Domain Local security types without success.

0 Kudos
2 Replies
mavatko
Contributor

I had the same problem when using integrated authentication with vCSA, although some groups were working and some not.

Switching to LDAP bind (Active Directory as an LDAP) solved the issue.

d.

0 Kudos
mjovanovic
Contributor

It sounds like you're using Distribution groups in AD instead of Security groups. You need to be using SECURITY groups for this.

Cheers, www.matscloud.com @matjovanovic VCIX6-NV
0 Kudos
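To check the point raised in the last reply, the following added example (not part of the original thread) reads an LDIF export of AD groups and decodes each `groupType` value into its category (Security or Distribution) and scope. It assumes the groups were exported with `sAMAccountName` and `groupType`, for example over the LDAP bind mentioned above; the group names and DNs in the sample are constructed.

```python
import re

SECURITY_ENABLED = 0x80000000          # set on security groups, clear on distribution groups
SCOPES = {0x2: "Global", 0x4: "DomainLocal", 0x8: "Universal"}

# Constructed sample export (names and DNs are made up for illustration).
SAMPLE_LDIF = """\
dn: CN=vc-admins,OU=Groups,DC=example,DC=test
sAMAccountName: vc-admins
groupType: -2147483646

dn: CN=vc-notify,OU=Groups,DC=example,DC=test
sAMAccountName: vc-notify
groupType: 2

dn: CN=vc-operators-with-a-long-name,OU=Groups,
 DC=example,DC=test
sAMAccountName: vc-operators
groupType: -2147483644
"""

def parse_ldif(text):
    """Yield one dict per LDIF record, unfolding continuation lines."""
    text = re.sub(r"\r?\n ", "", text)           # RFC 2849 folding: newline + one space
    for block in re.split(r"\r?\n\s*\r?\n", text.strip()):
        record = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            key, _, value = line.partition(":")
            record[key.strip()] = value.strip()
        if record:
            yield record

def classify(group_type):
    """Decode groupType, which AD returns as a signed 32-bit integer."""
    flags = int(group_type) & 0xFFFFFFFF
    category = "Security" if flags & SECURITY_ENABLED else "Distribution"
    scope = next((name for bit, name in SCOPES.items() if flags & bit), "Unknown")
    return category, scope

def audit(text):
    """Return {sAMAccountName: (category, scope)} for every group record."""
    return {r["sAMAccountName"]: classify(r["groupType"])
            for r in parse_ldif(text) if "groupType" in r and "sAMAccountName" in r}

if __name__ == "__main__":
    for name, (category, scope) in audit(SAMPLE_LDIF).items():
        print(f"{name:15} {category:12} {scope}")
```

Any group reported as Distribution is not security-enabled, which is the condition the last reply describes.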