If I make a clone of the Administrator account, it says authentication fails.
If I move the Administrator account to a different OU and change the bind DN accordingly, authentication fails.
What am I missing?
Single 2008R2 DC
basedn(dc=atat,dc=lab)
binddn(cn=administrator,cn=users,dc=atat,dc=lab)
works...
but..
basedn(dc=atat,dc=lab)
binddn(cn=administrator,cn=service accounts,dc=atat,dc=lab)
What am I missing?
I assume your Service Account is an OU and not a CN..
Try this one: cn=administrator,ou=service accounts,dc=atat,dc=lab
Negative.
cn=administrator,cn=users,dc=atat,dc=lab
works
cn=administrator,ou=users,dc=atat,dc=lab
does not work
If I move administrator to a new OU, neither cn nor ou works. I tried building a fresh 08R2 and 2012 Domain Controller and the administrator account is still the only one that will work for bind.
We were suspecting that you are running into a duplicate user on HWS.
Basically, you used administrator from the first OU; this creates a user with name administrator in HWS.
Then you switch to a different OU. This will try to create a new user with name administrator again in HWS. This is probably throwing an error.
Can you check if the service-va or connector-va have any logs?
service-va: /opt/vmware/horizon/horizoninstance/logs/horizon.log
connector-va: /opt/vmware/c2/c2instance/logs/connector.log
I believe I've tried with OU before it accepts it with CN, but could be mistaken. I'm redeploying currently and will monitor those logs with the other accounts and report back soon.
cn=horizon,ou=users,dc=atat,dc=lab
didn't work
cn=horizon,cn=users,dc=atat,dc=lab
didn't work
cn=administrator,ou=users,dc=atat,dc=lab
didn't work
cn=administrator,cn=users,dc=atat,dc=lab
works
Accidentally went through the LDAP step, redeploying to capture the log.
Here's the log file: http://pastebin.com/V64Udwry
From the log, it looks like for "cn=horizon,cn=users,dc=atat,dc=lab" LDAP returned "invalid credentials". The LDAP error code from the log says "Returns when username is valid but password/credential is invalid."
Was this the same error for all the other accounts that were tried as well?
Looks like my reply didn't take. The issue ended up being in the way Windows creates CNs for an account. If you create an account, only specifying the account name, the CN is created as the account name. If you create the account and specify the first and last name (Horizon Workspace requirement), then the CN is created using the account's defined firstname lastname fields.
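
An added example, not part of the original thread: rather than guessing the bind DN, look the account up by its logon name and read back the DN that Active Directory actually stores, which shows both the real CN value and whether the parent is a `CN=` container or an `OU=`. The function name `Test-BindDn` is hypothetical; the account name and candidate DN are the ones tried above, and the ActiveDirectory module (RSAT) is assumed to be available.

```powershell
# Added example: compare a hand-typed bind DN with the DN stored in AD.
# Assumes the ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

function Test-BindDn {
    param(
        [Parameter(Mandatory=$true)][string]$SamAccountName,  # logon name, e.g. 'horizon'
        [Parameter(Mandatory=$true)][string]$CandidateDn      # DN entered as the bind DN
    )

    # -Identity accepts the sAMAccountName. GivenName, Surname, Name and
    # DistinguishedName are part of Get-ADUser's default property set.
    $user = Get-ADUser -Identity $SamAccountName

    $user | Select-Object SamAccountName,
        GivenName,
        Surname,
        # Name is the RDN value, i.e. the text that follows 'CN=' in the DN.
        @{ Name = 'CnValue';      Expression = { $_.Name } },
        @{ Name = 'ActualDn';     Expression = { $_.DistinguishedName } },
        @{ Name = 'CandidateDn';  Expression = { $CandidateDn } },
        # Plain case-insensitive string comparison: extra spaces after commas
        # in the candidate will report a mismatch even if the DN is equivalent.
        @{ Name = 'CandidateMatches'; Expression = { $_.DistinguishedName -ieq $CandidateDn } }
}

# The DN that failed in the thread, checked against the directory.
Test-BindDn -SamAccountName 'horizon' -CandidateDn 'cn=horizon,cn=users,dc=atat,dc=lab' |
    Format-List
```

If `CandidateMatches` is False, use the value shown in `ActualDn` as the bind DN.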