Hey all,
Have been using vCenter 5.1 with SSO for about 6 months now without issues. Today though I have been testing some new GPO changes I need to make and realized my users were still in the default Users folder in AD so I can't apply user GPOs to them. Not a biggy, so I created a new OU and moved myself into a new Admin OU and created a test user in a new users OU, and so far all seemed fine, until I tried to log into my vSphere Client.
Now when I log on with Windows Credentials I can't connect as it says incorrect user or password.
When I look at the SSO settings for my Active Directory Identity Source I realized it's because I have pointed it to the CN=Users,DC=mydomain,DC=local but the users I just moved out now don't work. So my question is, do I need to create another identity source for my new OU and for each one, so have multiple Identity Sources for CN=Admins,DC=mydomain,DC=local and CN=NewUsers,DC=mydomain,DC=local, or would I be better off just going with something like DC=mydomain,DC=local for the BaseDN in a single identity source?
And if I created OUs below OUs, does the SSO identity source go down multiple levels, yeah?
Thanks,
Andy
For my setup, I use DC=mydomain,DC=com and it works.
Regards
Girish
Hi All
IMHO, I think that you can use CN=OU_Name,DC=domain,DC=com and that OU contains all of vCenter admins and users in your environment.
I never tested that, but I think it goes levels down, i.e. if you have another OU inside, its users will be contained.
Thanks both. I'll probably set it up like roag said and just point it to DC=mydomain,DC=com because I don't need to control access at the SSO level more than that, because vCenter access is all controlled by AD groups on there anyway, so it'll make it easier to have it referencing my whole domain anyway.
Thanks guys!
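
An added example, not part of the original thread and not VMware code: it shows which accounts fall inside a given identity source Base DN, so the login scope of a narrow Base DN can be compared with a domain-wide one. The user DNs and the `OU=` names are constructed, and it is an assumption (suggested but not confirmed in the thread) that the identity source searches the Base DN with subtree scope.

```python
def split_rdns(dn):
    """Split a DN into normalized RDNs, honouring backslash-escaped commas."""
    rdns, cur, esc = [], [], False
    for ch in dn:
        if esc:                      # previous char was a backslash: keep literally
            cur.append(ch)
            esc = False
        elif ch == "\\":
            cur.append(ch)
            esc = True
        elif ch == ",":              # unescaped comma ends one RDN
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur))
    out = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        out.append((attr.strip().casefold(), value.strip().casefold()))
    return out

def in_scope(entry_dn, base_dn, scope="subtree"):
    """True if entry_dn would be returned by a search rooted at base_dn."""
    entry, base = split_rdns(entry_dn), split_rdns(base_dn)
    if len(entry) < len(base) or entry[-len(base):] != base:
        return False                 # entry is not below the Base DN at all
    depth = len(entry) - len(base)
    return depth == 1 if scope == "onelevel" else True

# Constructed sample directory (hypothetical accounts and OU names).
USERS = {
    "old":    "CN=Old User,CN=Users,DC=mydomain,DC=local",
    "andy":   "CN=Andy,OU=Admins,DC=mydomain,DC=local",
    "test":   "CN=Test User,OU=NewUsers,DC=mydomain,DC=local",
    "nested": "CN=Nested User,OU=Helpdesk,OU=NewUsers,DC=mydomain,DC=local",
    "comma":  "CN=Smith\\, Jo,OU=NewUsers,DC=mydomain,DC=local",
}

def covered(base_dn, scope="subtree"):
    """Names of sample accounts that the given Base DN would let SSO find."""
    return sorted(n for n, dn in USERS.items() if in_scope(dn, base_dn, scope))

if __name__ == "__main__":
    for base in ("CN=Users,DC=mydomain,DC=local",
                 "OU=NewUsers,DC=mydomain,DC=local",
                 "DC=mydomain,DC=local"):
        print(base, "->", covered(base))
```

A domain-root Base DN makes every account in the domain resolvable by SSO, so access control then rests entirely on the vCenter permissions assigned to AD groups.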