Rottcodd
Contributor

No AD authentication after vCenter upgraded from 5.1 to 5.5


I have just performed the above upgrade, to vCenter 5.5 (Windows) and am struggling to get AD authentication working.

After the upgrade the identity source relating to the Windows domain was present in the web client, and there were users listed. Unfortunately the list contained exactly 200 users from our AD (out of 2000) and did not contain any of the admins that need, and used to have, access to vCenter.

I added a DSN to the identity source and made it the default, but nothing has changed: integrated AD login fails.

I downloaded vCenter 5.5 several weeks ago so may not be on the latest version, but I'm reluctant to upgrade UM until I can get it to connect to VC using Windows creds.



Accepted Solutions
vNEX
Expert

Which build of vCenter Server do you have? First I would start by upgrading to the latest, vCenter Server 5.5 Update 2b (Release Notes).

There have been several bugfixes in SSO authentication since the 5.5 GA release; one example is this KB article:

VMware KB: In a mixed vSphere 5.1/5.5 environment, logging in to the vSphere Web Client fails with t...

Also have a look at this KB:

VMware KB: In a mixed vSphere 5.1/5.5 environment, logging in to the vSphere Web Client fails with t...

and verify the resolution mentioned in the community thread below:

https://communities.vmware.com/message/2353295
Our issue was that SSO seemed to be working (browsing SSO identity sources was possible), but login with a user from an AD-LDAP source wasn't possible.

Solution for us:

We "forgot" (or were they deleted after 5.1? Don't know) to set the ports of the LDAP servers; after we added the port, it worked fine!

-> active directory as ldap server,
--> ldap://servername:3268

_________________________________________________________________________________________ If you found this or any other answer helpful, please consider to award points. (use Correct or Helpful buttons) Regards, P.
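As an added example (not code from this thread or from VMware), a small stdlib-only Python check for the failure mode the accepted answer describes: an AD-over-LDAP identity source whose server URL carries no explicit port. The hostnames in SAMPLE_URLS are constructed placeholders; the ports are the standard AD LDAP and Global Catalog ports.

```python
import socket
from urllib.parse import urlsplit

# 3268/3269 are the Global Catalog ports; ldap://servername:3268 is the accepted answer's form.
SCHEME_DEFAULT = {"ldap": 389, "ldaps": 636}
KNOWN_PORTS = {389: "domain LDAP", 636: "domain LDAPS",
               3268: "Global Catalog LDAP", 3269: "Global Catalog LDAPS"}
SAMPLE_URLS = ["ldap://dc01.example.test", "ldap://dc01.example.test:3268"]  # constructed sample

def check_ldap_url(url):
    """Parse one identity-source URL and report whether its port is explicit."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in SCHEME_DEFAULT:
        return {"url": url, "ok": False, "finding": f"unsupported scheme {parts.scheme!r}"}
    if not parts.hostname:
        return {"url": url, "ok": False, "finding": "no hostname in URL"}
    try:
        port = parts.port  # raises ValueError for a non-numeric port
    except ValueError:
        return {"url": url, "ok": False, "finding": "malformed port in URL"}
    explicit = port is not None
    if not explicit:
        port = SCHEME_DEFAULT[scheme]  # what a generic client would assume, not what SSO may use
        gc = 3268 if scheme == "ldap" else 3269
        finding = f"no port set; add it explicitly, e.g. {scheme}://{parts.hostname}:{gc} for the Global Catalog"
    elif port in KNOWN_PORTS:
        finding = f"explicit port {port} ({KNOWN_PORTS[port]})"
    else:
        finding = f"explicit but unusual port {port}; confirm it on the domain controller"
    return {"url": url, "ok": explicit, "host": parts.hostname,
            "port": port, "explicit": explicit, "finding": finding}

def tcp_reachable(host, port, timeout=3.0):
    """True if a TCP connection to host:port opens within timeout (no LDAP bind is attempted)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def audit(urls, probe=False):
    """Check every URL; with probe=True also test TCP reachability of explicit ports."""
    results = [check_ldap_url(u) for u in urls]
    if probe:
        for r in results:
            if r.get("explicit"):
                r["reachable"] = tcp_reachable(r["host"], r["port"])
    return results
```

Run audit(SAMPLE_URLS) to see the missing-port URL flagged and the :3268 URL accepted; pass probe=True on a host that can reach the domain controller to confirm the port is open before touching the identity source.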


10 Replies
vNEX
Expert

Hello,

To correct this, please follow the steps in the KB articles below:

VMware KB: Migrating from an Active Directory as a LDAP identity source to an Active Directory ident...

Migrating an Active Directory as an LDAP identity source (the Active Directory identity source in vSphere 5.1) to an Active Directory (Integrated Windows Authentication) identity source.

vCenter Server 5.1 uses vCenter Single Sign-On (SSO) 5.1, and the only identity source for Active Directory integration was using LDAP(s) server connections. In vCenter Single Sign-On 5.5, Active Directory is integrated with the use of a Service Principal Name (SPN) that functions as the secure token service and supports LDAP(s) servers for Active Directory authentication to provide backward compatibility when upgrading from vSphere 5.1 to vSphere 5.5.

VMware KB: Creating and using a Service Principal Account in vCenter Single Sign-On 5.5

_________________________________________________________________________________________ If you found this or any other answer helpful, please consider to award points. (use Correct or Helpful buttons) Regards, P.
Rottcodd
Contributor

Sorry, there was a typo in my post. I meant to say in paragraph 3 that I have created an SPN and edited the identity source to make use of it, but it didn't seem to help.

vNEX
Expert

Have you removed your current Active Directory LDAP Server identity source and added the new one as the "Active Directory (Integrated Windows Authentication)" type?

_________________________________________________________________________________________ If you found this or any other answer helpful, please consider to award points. (use Correct or Helpful buttons) Regards, P.
Rottcodd
Contributor

After the upgrade the identity source was already of type Active Directory (Integrated Windows Authentication). It did not have an SPN configured, however. I created and applied the SPN to the identity source but I have the same 200 AD users listed (most of them old and disabled in AD).

I could try deleting the IS completely and trying again.

pratjain
VMware Employee

What error are you getting while logging in to vCenter?

This could also be the problem: http://blogs.vmware.com/vsphere/2013/09/vcenter-single-sign-on-5-5-not-recognizing-nested-active-dir...

I would also recommend using AD over LDAP as the Identity Source.

Regards, PJ If you find this or any other answer useful please mark the answer as correct or helpful.
Rottcodd
Contributor

Thanks to all - I'm definitely making progress. It's so rare that I actually have to touch vCenter itself that it's a new world for me.

I followed the suggestion that I use AD over LDAP. I can now see the users and groups in the paths I specified. In fact I suspect the Identity Source was working before, as Active Directory integrated - if I make the base DN something more global than our sysadmins then the web client still only displays 200 users - is it supposed to do that?

I added a domain security group and a couple of domain users to the vSphere Administrators group, but when I try to connect using Windows session credentials from the client I still get 'You do not have permission to login to the server'.

So I'm close but will still receive no Cuban smoking materials.

vNEX
Expert

Good to hear you made progress.

What do you mean by "I added a domain security group and a couple of domain users to the vSphere Administrators group"?

Now, if you are able to explore your AD users/groups, go to the vCenter Server level, open the Manage -> Permissions tab, click on the plus sign and add the user/group.

Then assign these objects the desired role (default/custom) from the right pane, in your case the "Administrator" role.


_________________________________________________________________________________________ If you found this or any other answer helpful, please consider to award points. (use Correct or Helpful buttons) Regards, P.
Rottcodd
Contributor

Thanks for your help, and sorry for responding so slowly. This is a busy place, and although I'd like to get this fixed I can rarely return to it.

I've done what you suggested, have added a couple of domain groups and users and assigned the Administrator role. But I still can't use these accounts for SSO to the desktop or web client. The error now is "The authentication server returned an unexpected error. ns0:requestFailed: Failed to find Principal id ...."

The user being tested is one that has been added as an administrator, and the AD LDAP identity source passes the connection test and is the default.


Rottcodd
Contributor

The update to 5.5 u2b did the trick. All now working fine.

I had the update planned, but decided to get things working first. Mistake!

Thanks for your help.
