5.5 SSO AD Group Authentication
Lots of SSO discussion here...
Anyway, I seem to be having a slightly different problem than the others I have been seeing. When I give admin rights to my vCenter instance to "Domain Admins", which my account is a direct member of, I cannot log in. When I give my domain admin account direct permissions to the vCenter instance I can log in no problem.
Anyway, my environment is 2008 R2, everything is up to 2008 functional levels, and vCenter is installed into a fresh 2008 R2 instance.
Anyone else seeing this behavior? Any suggestions? I will be doing more testing.
MR
OK, bumping around trying different things. I removed my domain admins account from the one group with a "_", with no love. I noticed that account is a member of about half a dozen accounts that contain "-". I set up another account that is not a member of any of those "-" groups and added it to Domain Admins. I get love on this new test account; it has not been assigned direct permissions.
So I am learning, at least in my instance, that there appear to be issues with "-" characters in group membership for SSO accounts. Is "-" non-ASCII? Researching that now.
So it appears I am having issues similar to the following thread.
So it does appear that "-" is ASCII. Another thought: my DA account is a member of 13 groups. I wonder if I can break my test account by adding it to more groups?
Hmmm, so I added the test account to the same number of groups, as well as adding it to a group that contains a "-". It still works. Maybe the default group?
OK, getting some love. The test account's primary group was set to "Domain Users"; the DA account's primary group was set to "Domain Admins". When I changed the DA's primary group to "Domain Users" it was able to log in. So... still somewhat confused here, why should it matter? What is the difference?
So, just for testing's sake, I made my DA account's primary group "Domain Admins" again. I can still log in...
I don't like problem resolutions that don't make sense and that I can't replicate... What am I missing here?
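The two things compared in the posts above (group names containing "-" or "_", and the account's primary group) can be checked side by side with the following script. This is an added diagnostic, not something posted in this thread or shipped with vCenter SSO; it assumes the RSAT ActiveDirectory PowerShell module on a domain-joined admin host, and the account names da-account and testuser are placeholders. One Active Directory fact it relies on, and reports explicitly, is that a user's primary group is stored only as the RID in primaryGroupID and is not listed in the user's memberOf attribute (nor in the group's member attribute), so any LDAP consumer that enumerates groups from memberOf will not see it.

```powershell
# Added diagnostic for the primary-group / group-name observations above.
# Not from the thread. Assumes the RSAT ActiveDirectory module; account
# names below are placeholders.
Import-Module ActiveDirectory

$domainSid = (Get-ADDomain).DomainSID.Value

function Get-PrimaryGroupReport {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $user = Get-ADUser -Identity $SamAccountName -Properties primaryGroupID, memberOf

    # primaryGroupID holds a RID; append it to the domain SID to resolve the group.
    # 513 = Domain Users (the default for new users), 512 = Domain Admins.
    $primaryGroup = Get-ADGroup -Identity "$domainSid-$($user.primaryGroupID)"

    # memberOf lists explicit memberships only. The primary group is deliberately
    # absent from it, so PrimaryInMemberOf is expected to be False.
    $explicitGroups = foreach ($dn in $user.memberOf) { (Get-ADGroup -Identity $dn).Name }

    # Flag the characters tested in the thread ('-' and '_') plus anything
    # outside printable ASCII, so the two hypotheses can be compared at once.
    $suspect = $explicitGroups | Where-Object { $_ -match '[-_]' -or $_ -match '[^\x20-\x7E]' }

    [pscustomobject]@{
        User               = $user.SamAccountName
        PrimaryGroupRID    = $user.primaryGroupID
        PrimaryGroup       = $primaryGroup.Name
        PrimaryIsDefault   = ($user.primaryGroupID -eq 513)
        PrimaryInMemberOf  = ($user.memberOf -contains $primaryGroup.DistinguishedName)
        ExplicitGroupCount = @($explicitGroups).Count
        SuspectGroupNames  = ($suspect -join ', ')
    }
}

# Compare the failing admin account with the working test account (placeholder names).
'da-account', 'testuser' |
    ForEach-Object { Get-PrimaryGroupReport -SamAccountName $_ } |
    Format-List

# To put a user's primary group back to Domain Users (RID 513). AD requires the
# user to already be an explicit member of the target group; when the primary
# group was moved to Domain Admins the old Domain Users membership became explicit,
# so this normally succeeds. Remove -WhatIf to apply the change.
# Set-ADUser -Identity 'da-account' -Replace @{ primaryGroupID = 513 } -WhatIf
```

If the failing account shows PrimaryGroup = Domain Admins with PrimaryInMemberOf = False while the working one shows the default Domain Users, the difference is in how the Domain Admins membership is stored, not in which groups the user belongs to; that is the first thing to confirm before chasing group-name characters. Setting primaryGroupID to 513 and re-adding the account to Domain Admins as an ordinary member keeps the same effective rights but makes the membership visible through memberOf.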
I'm seeing this problem as well when AD is configured as "Windows Integrated - machine account". When I configure AD with an SPN, I cannot add any users or groups, as I get the "cannot load users from this domain" message. If I configure AD via the "AD as LDAP" method, then we get the "client cannot authenticate with inventory service" error.
I don't have the solution (yet), but you are not alone, SSO 5.5 certainly has issues.
I'm having very similar problems.