I have a customer who wants to use AD groups for vCloud Director authentication, as in their private cloud they have specific OUs for Organisational LDAP lookups.
Obviously, users cannot be members of several OUs within the 2008 AD, so they are using global security groups instead of individual users in these OUs, then importing these groups via the LDAP sync into vCloud organisations.
Only problem is that when assigned a role by the Org Admin (e.g. vApp User), they cannot log in to their organisation using AD credentials.
I found this KB article which I assume is the issue, but it's not clear on the steps and implications of using its workaround for getting group authentication to work. Any thoughts / suggestions?
Global Catalog is LDAP port 3268, and doesn't carry all the information required by vCloud Director to successfully create users in an environment.
The two common ports are 389 (LDAP) and 636 (LDAP secured).
In your organization, using the organization-specific LDAP configuration, are you able to import a specific user directly? This is just to test if vCloud can copy data.
Then ensure that the users know to login with the username as specified in that web page. This should correspond to the Username field of the LDAP configuration.
Hopefully that gives you some guidance.
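An added example, not from the original thread, that turns the two checks in the reply above into a script: it compares the attributes a domain controller returns for one user over plain LDAP (389) with what the Global Catalog (3268) returns for the same user, and then performs a simple bind as that user the way vCloud Director does when a user logs in. The server name, base DN, account name and credentials are placeholders (assumptions); it uses the .NET System.DirectoryServices.Protocols API, not anything from vCloud Director itself.

```powershell
# Added example (not vCloud Director code): compare LDAP (389) vs Global Catalog (3268)
# attribute sets for one AD user, then test a simple bind as that user.
# Server, base DN, account and credentials below are placeholder assumptions.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$Server  = 'dc01.corp.example.com'                          # assumed domain controller
$BaseDn  = 'OU=CloudTenants,DC=corp,DC=example,DC=com'      # assumed tenant OU
$Account = 'jdoe'                                           # assumed sAMAccountName
$SvcCred = (Get-Credential -Message 'Bind account from the vCD LDAP settings').GetNetworkCredential()

function Get-UserAttributeNames {
    # Returns the sorted list of attribute names the server hands back for one user.
    param([string]$Server, [int]$Port, [string]$BaseDn, [string]$Filter,
          [System.Net.NetworkCredential]$Credential, [switch]$UseSsl)

    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection(
                $id, $Credential, [System.DirectoryServices.Protocols.AuthType]::Negotiate)
    $conn.SessionOptions.ProtocolVersion = 3
    if ($UseSsl) { $conn.SessionOptions.SecureSocketLayer = $true }   # 636 or 3269
    $conn.Bind()

    # '*' asks for all user attributes; the GC port only returns the partial attribute set.
    $req  = New-Object System.DirectoryServices.Protocols.SearchRequest(
                $BaseDn, $Filter, [System.DirectoryServices.Protocols.SearchScope]::Subtree, [string[]]'*')
    $resp = [System.DirectoryServices.Protocols.SearchResponse]$conn.SendRequest($req)
    $conn.Dispose()
    if ($resp.Entries.Count -eq 0) { throw "No entry matching $Filter under $BaseDn on port $Port" }
    return @($resp.Entries[0].Attributes.AttributeNames | Sort-Object)
}

function Test-SimpleBind {
    # Simple (Basic) bind as the end user, which is what vCD does for a non-Kerberos LDAP login.
    # Run it over 636 with SSL: a simple bind on 389 sends the password in cleartext.
    param([string]$Server, [int]$Port, [string]$UserName, [string]$Password, [switch]$UseSsl)

    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $cred = New-Object System.Net.NetworkCredential($UserName, $Password)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection(
                $id, $cred, [System.DirectoryServices.Protocols.AuthType]::Basic)
    $conn.SessionOptions.ProtocolVersion = 3
    if ($UseSsl) { $conn.SessionOptions.SecureSocketLayer = $true }
    try   { $conn.Bind(); return $true }
    catch [System.DirectoryServices.Protocols.LdapException] {
        Write-Warning "Bind as '$UserName' on port $Port failed: $($_.Exception.Message)"
        return $false
    }
    finally { $conn.Dispose() }
}

$filter    = "(&(objectClass=user)(sAMAccountName=$Account))"
$ldapAttrs = Get-UserAttributeNames -Server $Server -Port 389  -BaseDn $BaseDn -Filter $filter -Credential $SvcCred
$gcAttrs   = Get-UserAttributeNames -Server $Server -Port 3268 -BaseDn $BaseDn -Filter $filter -Credential $SvcCred

"Attributes returned on 389 but absent from the Global Catalog (3268):"
Compare-Object -ReferenceObject $ldapAttrs -DifferenceObject $gcAttrs |
    Where-Object { $_.SideIndicator -eq '<=' } |
    ForEach-Object { "  $($_.InputObject)" }

# Bind with the same name form the user will type in vCD (here DOMAIN\sAMAccountName).
$userCred = (Get-Credential -Message "Password for $Account").GetNetworkCredential()
$ok = Test-SimpleBind -Server $Server -Port 636 -UseSsl -UserName "CORP\$Account" -Password $userCred.Password
"Simple bind as CORP\$Account on 636: $ok"
```

If the first part lists attributes that are missing on 3268, that is the concrete reason the Global Catalog port cannot be used as the vCD LDAP endpoint for that directory. If the second part fails while the service-account search succeeded, the problem is the user's login name form rather than the LDAP connection: the value typed at the vCD login must match the attribute configured in the Username field, and the simple bind must be allowed for that account on the port vCD is configured to use.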
I am having the same issue. I configured LDAP to use Kerberos and even went through the work of creating an SSPI service principal name and keytab. I can import users and groups but can't get any LDAP accounts to authenticate at the org level or the global config level. We have a sub-domain in our forest that contains all of the user accounts for our environment (25K users, 250K+ groups). I also noticed the issue where groups do not display any users until those users are manually imported.
Without LDAP working I looked at using SSO. Unfortunately when I enable SSO it gives me the following error when I go to the VCD URL:
Problem accessing /cloud/saml/HoKSSO/alias/vcd. Reason:
Error determining metadata contracts
To get back into vCD I have to manually specify login.jsp at the end of the URL (https://FQDN/cloud/login.jsp)
SSO is working for vCenter logins so I am not sure what to do with authentication options for vCD. I am also running vCD 126.96.36.1998405 with the latest version of vCenter 5.1.
I have the same issue and have a case open with VMware but have received little to no response. It looks like something to do with metadata from the STS... Either that or something causing that exception... I am seeing this in the error as well... The VMware tech seemed stumped on this one...
Caused by: org.opensaml.saml2.metadata.provider.MetadataProviderException: Metadata for issuer https://servername.domain.com:7444/STS wasn't found
SSO is not LDAP in the case of vCloud director. If you are using SSO, then the SSO server is the authentication and identity source.
If you use LDAP in vCloud Director, we are going to that.
So just be aware that vCloud uses one or the other, not both.
It doesn’t matter what credentials I use for this… I get the same error EVERY time… I can make this error happen anytime… There is nothing about it anywhere that I can find… No KB’s, Google, Yahoo, Bing… We can’t be the only people who have ever had this issue… I would just like to see support do something on it…
For the HoK (holder-of-key) error of SSO, make sure your public addresses in vCloud are completed correctly. This needs to be done before registering to the lookup service.
Also, make sure that the lookup service has correct and resolvable names; vCloud pulls data from the lookup service for forwarding purposes.
If you want to know what data we pulled, go into the vCloud database and run:
select * from config where name like 'lookup%';
If these addresses have incorrect/bad data, like an improper FQDN, then you need to fix the lookup service.
Small heart attack this morning, trying to log in to a brand new build and getting this error. The /login.jsp "trick" saved me. Will likely open a ticket, as well, in the meantime, and see if this creates momentum within VMW to patch/fix this. Anyway, thanks for the post/help.
I had the same issue, and after unchecking "use SSO as the identity source" the error went away. I had LDAP configured and had SSO checked as the identity source under Administration/Federation.
mikwakin ... if you have an issue, please start a new thread for it.
LDAP and SSO are two completely different websites for the purposes of logging into vCloud Director and are mutually exclusive.