VMware Cloud Community
VMCHIS
Enthusiast

Appliance v5.5.0a and SSO and AD Group Authentication

Hi,

I just set up a new vCenter Server Appliance v5.5.0a and need to use AD groups to do the authentication. I have a service desk group that I want to add to the vCenter permissions. I am a little confused on how to do this with the appliance. All my experience has been with Windows vCenter up to now and I have never had an issue. The VCSA is joined to DOMAINA. I have a group GROUPA in DOMAINA that is a Security Group - Domain Local group. Members are from 4 different domains. What do I need to do to get this GROUPA group working, so that anyone that is a member of that group can log in? I tried adding that group to the vCenter permissions and when I log in with a user, it states I do not have permission. If I add that same user explicitly, I can log in with no errors, so I know the profile is correct.

I am a little confused on how SSO works with AD groups.  What do I have to create and where?

Thanks for your help.

Sean


3 Replies
VMCHIS
Enthusiast

Anyone have any ideas?

I am so confused how this SSO works with group authentication.

ldesfontaines
Enthusiast

Hi,

You stated that DOMAINA\GROUPA contains users that are not members of DOMAINA. But when declaring a user directly, it works. That means that SSO works correctly, or at least, as expected.

Your "problem" is in fact an expected behavior of SSO 5.5. Nested groups are not recognized anymore. That means that groups of DOMAINA have to contain members of DOMAINA. If you want users from DOMAINB to be recognized, declare them directly or use groups from DOMAINB with users from DOMAINB.

You should have a look at http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=205952...

This is not exactly your problem but seems to be related.

Hope it helps.

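An added example, not part of the original posts: following the reply's rule that a DOMAINA group must contain DOMAINA members, this sketch sorts a group's member DNs by domain to show which per-domain groups would be needed. The domain names and DNs are constructed; in practice the list would come from the group's `member` attribute.

```python
# Constructed sample data: domain names and DNs are hypothetical.
GROUP_DN = "CN=GROUPA,OU=Groups,DC=domaina,DC=example,DC=com"
MEMBER_DNS = [
    "CN=Alice,OU=Users,DC=domaina,DC=example,DC=com",
    "CN=Smith\\, Bob,OU=Users,DC=domainb,DC=example,DC=com",
    "CN=Carol,OU=Staff,DC=domainc,DC=example,DC=com",
    # Principal from an external trust: stored under the group's own domain.
    "CN=S-1-5-21-1111111111-2222222222-3333333333-1105,"
    "CN=ForeignSecurityPrincipals,DC=domaina,DC=example,DC=com",
]

def split_rdns(dn):
    """Split a DN on commas, honouring backslash escapes such as 'Smith\\, Bob'."""
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur).strip())
    return parts

def dn_domain(dn):
    """Build the DNS-style domain name from a DN's DC= components."""
    return ".".join(p[3:] for p in split_rdns(dn) if p[:3].upper() == "DC=").lower()

def is_foreign_principal(dn):
    return any(p.lower() == "cn=foreignsecurityprincipals" for p in split_rdns(dn))

def plan_per_domain_groups(group_dn, member_dns):
    """Sort members into: same domain as the group, other domains, external."""
    home = dn_domain(group_dn)
    plan = {"same_domain": [], "other_domains": {}, "external": []}
    for dn in member_dns:
        if is_foreign_principal(dn):
            plan["external"].append(dn)
        elif dn_domain(dn) == home:
            plan["same_domain"].append(dn)
        else:
            plan["other_domains"].setdefault(dn_domain(dn), []).append(dn)
    return plan

if __name__ == "__main__":
    for domain, dns in plan_per_domain_groups(GROUP_DN, MEMBER_DNS)["other_domains"].items():
        print(f"{domain}: needs its own group for {len(dns)} member(s)")
```

Foreign security principals are reported separately because their DN sits in the group's own domain even though the account lives elsewhere, so a DN-based domain check alone would misclassify them.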
VMCHIS
Enthusiast

Thanks. Way to go VMware. Let's take away functionality. Now I have to create my special groups in 5 different domains, to do the job of one group before in 5.0.
