VMware Workspace ONE Community
cdubz

Identity Manager 2.7 Sync issue with Horizon view 7.0.2 pools

Got IDM to sync the Desktop pools of our environment into the App Catalog but it won't sync the entitlements with it. Looking through the sync status I see errors like this:

Failed Sync Action: Could not entitle group with Id e1d44a4e-824f-481a-9f7e-d7a3cda6eb08 to resource Windows 10 General Purpose. Reason: group.not.found


Seems really weird seeing as the AD security groups that are entitled to these pools are being synced into IDM fine.


Anyone else run into this issue?

1 Solution

Accepted Solutions
jwininger

We found that global entitlements to AD groups don't sync with IDM 2.6, 2.7, or 2.7.1. I opened a case with VMware and was provided a patch that resolves the issue. The appliance now shows as 2.7.1.1. The issue is supposed to be resolved in IDM 2.8.

cdubz

Thanks for the update.  That does appear to be what the issue is.  As soon as I entitled the pool directly to a user it imported fine into IDM.  Very strange that there is no published KB on this as that is a pretty big bug.  Do you happen to have your SR number handy that I can pass along to VMware support on our SR for reference?

jwininger

It was SR 16213711508.  I don't know why there isn't a KB on this...as no one could be running this feature in production with this kind of bug.

chadc1979

Was having the same issue, I found if I add the groups that users are in to the directory config and then sync the view pools it works. No patch needed so far. Now if I could figure out how to log in using a UPN rather than username I'd be golden.

jwininger

In our case the groups were configured to sync in the directory config.  For regular pool entitlements, everything synced without issue.  However, global entitlements wouldn't sync with IDM.  VMware support confirmed it is a bug. 

chadc1979

and I'm on a it tonight lol, change the PasswordIdpAdapter SAML Name-Id Format to UserPrincipalName

chadc1979

Aww, good to know

cdubz

I actually tried that method as well @chadc1979, and it actually did not work for me, even for a fresh install of the IDM appliance. Definitely seems flaky at best for the time being.

cdubz

Found a workaround after upgrading to 2.8 and still having the issue. If I change the AD groups to a Universal security group versus a global security group it will sync the entitlement of the group in Identity Manager.
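
The scope change described in the last post, as an added PowerShell example that is not part of the thread: it checks each entitled group's scope with the ActiveDirectory module and previews the Global-to-Universal conversion. The group names are constructed placeholders, and the script assumes the RSAT ActiveDirectory module is installed.

```powershell
# Added example, not from the thread. Group names are constructed placeholders;
# replace them with the AD groups entitled to the affected pools.
Import-Module ActiveDirectory

$entitledGroups = @('VDI-Win10-Users', 'VDI-Win10-Admins')

foreach ($name in $entitledGroups) {
    $group = Get-ADGroup -Identity $name -Properties MemberOf

    if ($group.GroupScope -ne 'Global') {
        Write-Output "$name : scope is already $($group.GroupScope), nothing to change"
        continue
    }

    # AD rejects a Global -> Universal conversion while the group is itself
    # a member of another Global group, so check the parents first.
    $globalParents = @($group.MemberOf |
        ForEach-Object { Get-ADGroup -Identity $_ } |
        Where-Object { $_.GroupScope -eq 'Global' })

    if ($globalParents.Count -gt 0) {
        Write-Warning "$name : nested in Global group(s) $($globalParents.Name -join ', '); convert those first"
        continue
    }

    # -WhatIf only reports what would change; remove it to apply the conversion.
    Set-ADGroup -Identity $group -GroupScope Universal -WhatIf
}
```

Universal group membership is replicated to the global catalog, so review the change with whoever owns the directory before dropping `-WhatIf`, then re-run the directory and pool sync in Identity Manager.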