VMware Cloud Community
Phil52
Contributor

ID Source Change

My company is scheduled to update our domain controllers, and with this update it disables insecure connections. It was originally set up as AD (Windows Integrated Authentication). Long story short, we removed that ID source and added AD over LDAP. One of my concerns was that it would remove the domain accounts that had been added. I was informed by VMware that this would not be the case, and sure enough, at the time of the change all worked as expected: connections were fine, people were able to log in, etc.

Roughly 24 hours later, all domain accounts were removed, only local accounts not impacted.

Has anyone experienced this before? Is there some sort of sync that happens? Any way I could have avoided this? Any info would be great, because I am at a loss.

vCenter version is 6.7.0

Thanks

4 Replies
Lalegre
Virtuoso

Hey @Phil52,

When you add the AD over LDAP configuration, it asks you for the Distinguished Name of the Base path where you will start scanning. Did you use the full domain for that path or just a specific OU?

Phil52
Contributor

Hello @Lalegre

We used the full domain for users, and an OU for groups.

All was working after we added the ID source back as LDAP instead of IWA, until the next day, when one of my system admins was able to log into vCenter but lost access to do anything. I looked at the permissions, and all the users that were assigned were gone.

Thanks

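An added example, not from this thread and not VMware's own tooling: a PowerCLI script that snapshots the object-level permission assignments in vCenter to a CSV before an identity-source change, reports which (entity, principal, role) assignments have disappeared afterwards, and re-applies the missing ones. It assumes VMware PowerCLI is installed; the hostname `vcenter.example.com`, the CSV path and the domain-prefix values are placeholders. One caveat that matters here: `Get-VIPermission` returns object-level permissions only, so global permissions granted through SSO are not captured and must be checked separately.

```powershell
# Added example (not from this thread): snapshot, diff and restore vCenter
# object-level permissions around an identity-source change.
# Assumes PowerCLI is installed. Hostname and CSV path below are placeholders.

Connect-VIServer -Server 'vcenter.example.com'   # placeholder hostname

function Export-VcPermissionSnapshot {
    param([Parameter(Mandatory)][string]$Path)
    # Object-level permissions only; global (SSO) permissions are not included.
    Get-VIPermission | Select-Object `
        @{N = 'EntityName'; E = { $_.Entity.Name }},
        @{N = 'EntityId';   E = { $_.Entity.Id }},
        Principal, Role, Propagate, IsGroup |
        Export-Csv -Path $Path -NoTypeInformation
}

function Compare-VcPermissionSnapshot {
    param([Parameter(Mandatory)][string]$Path)
    $saved   = Import-Csv -Path $Path
    $current = Get-VIPermission
    # Emit every saved (entity, principal, role) triple that no longer exists.
    foreach ($row in $saved) {
        $match = $current | Where-Object {
            $_.Entity.Id -eq $row.EntityId -and
            $_.Principal -eq $row.Principal -and
            $_.Role      -eq $row.Role
        }
        if (-not $match) {
            [pscustomobject]@{
                Entity    = $row.EntityName
                Principal = $row.Principal
                Role      = $row.Role
            }
        }
    }
}

function Restore-VcPermissionSnapshot {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Optional: rewrite the principal's domain prefix if the identity source
        # name changed, e.g. 'CORP\' under IWA vs 'corp.example.com\' under LDAP
        # (placeholder values; check the actual prefix in your own inventory).
        [string]$OldDomainPrefix,
        [string]$NewDomainPrefix
    )
    # Permissions are bound to inventory object IDs, which do not change when the
    # identity source is swapped; the root folder is added explicitly.
    $inventory = @(Get-Folder -NoRecursion) + @(Get-Inventory)
    foreach ($row in Import-Csv -Path $Path) {
        $entity = $inventory | Where-Object { $_.Id -eq $row.EntityId } | Select-Object -First 1
        if (-not $entity) {
            Write-Warning "Entity $($row.EntityName) ($($row.EntityId)) not found; skipping"
            continue
        }
        $principal = $row.Principal
        if ($OldDomainPrefix -and $principal.StartsWith($OldDomainPrefix, 'OrdinalIgnoreCase')) {
            $principal = $NewDomainPrefix + $principal.Substring($OldDomainPrefix.Length)
        }
        $propagate = [bool]::Parse($row.Propagate)
        $exists = Get-VIPermission -Entity $entity |
                  Where-Object { $_.Principal -eq $principal -and $_.Role -eq $row.Role }
        if (-not $exists) {
            New-VIPermission -Entity $entity -Principal $principal -Role $row.Role `
                             -Propagate:$propagate | Out-Null
        }
    }
}

# Usage: run the export before the change, then compare and restore afterwards.
Export-VcPermissionSnapshot  -Path 'C:\temp\vc-permissions.csv'
Compare-VcPermissionSnapshot -Path 'C:\temp\vc-permissions.csv' | Format-Table
# Restore-VcPermissionSnapshot -Path 'C:\temp\vc-permissions.csv'
```

Run the export against each vCenter in an Enhanced Linked Mode group separately, since `Get-VIPermission` only reports the server the session is connected to; the compare step run the day after the change would have shown exactly which assignments vanished and on which objects.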
Phil52
Contributor

So I have a lab and tried to recreate the issue. I removed the ID source, which was LDAPS, and used WIA. Left it like that for a day or 2, then flipped it back to LDAPS. All accounts that are in the lab stayed and did not clear out; I did the exact same thing I did in our prod environment. Both vCenters are running the same version; the only main difference is our prod is set up with enhanced linked mode with two other vCenters.

At a later date I'll probably deploy another vCenter in the lab, set up linked mode and try it again.

Lalegre
Virtuoso

I presume this issue is related to changing the Identity Source, but VMware confirmed to you that nothing would happen. However, I would advise you to reach out to them again and report the issue you faced so they can also test in an environment, as it could be a bug in the version or something not expected.
