VMware Cloud Community
novell1
Enthusiast

Unable to login with a AD account

Hi, I changed my old AD Server from 2012 to a new MS Server 2019 with a new AD name. After setting Identity Source and Global Permissions it is not possible to login in the vcenter with a MS domain user.  In Global Permissions I can see the Domain User with the Role Administrator. What else can I check? In the VCSA:5480 logged in as the root user everything looks good...

Thanks for a good tip

Best regards

werner

10 Replies
Lalegre
Virtuoso

Hey novell1,

Could you please detail which version of vCenter you are using? In case you are using vSphere 7, please make sure that the Domain Functionality Level is set to 2012 or 2016; if not, it won't work, as shown in the next KB: VMware Knowledge Base

And how are you setting the AD connection? Using Active Directory Integrated or Active Directory over LDAP? If the first one, then make sure to reboot the vCenter Server after joining the domain.

jburen
Expert

If you set up a new connection to AD I would suggest not using IWA as this is deprecated: vSphere 7 - Integrated Windows Authentication (IWA) Deprecation - VMware vSphere Blog. Instead use LDAP or ADFS.

Consider giving Kudos if you think my response helped you in any way.
novell1
Enthusiast

Hi Lalegre, thanks. I did install a new Server 2019 with a new AD for the new VMware environment with vSphere 7 and VCSA 7U1. In vCenter I did use Active Directory Integrated integration.

If I try to use the other function with LDAP integration, do I have to change the Domain Functional Level to 2016 on the AD server?

Thanks a lot!

berndweyand
Expert

novell1
Enthusiast

Hi, I did change on my test system the identity source to LDAP, but after login it says "Login not possible, no rights for that." So it is the same situation as before. If I login with administrator@vsphere.local under Users and Groups I can see the domain users and groups... I am not sure; on the print screen Global Permissions - Permissions Provider you can see the name vcsa.ad2020.local, but the letters are very small and not selectable, look at the print screen. I'm too stupid for that ...

Thanks a lot,

werner

Lalegre
Virtuoso

Try to go into Users and Groups and add a user manually to the Administrators group just to check.

Also, you are not specifying a primary server URL for the connection, and if you have any issue with DNS maybe vCenter will not connect using LDAP correctly, so fill in at least the Primary Server URL like this: ldap://first_domain_controller:389 or ldaps://first_domain_controller:636

And regarding the query about the Domain Functional Level, I believe it is for Active Directory in general, not only for the Active Directory Integrated Authentication identity source, because the KB does not discriminate on that type. However I am not 100% sure, as it is not explicitly explained.

berndweyand
Expert

The error message tells you that your AD account was recognized but has no permissions.

So just put an AD user into the administrator group and test with this account.

Your SSO config is still LDAP - you need to provide a certificate:

https://pradeeppapnai.com/2019/09/03/ad-ldaps-vcenter/

https://ctrl-alt-insert.com/2020/01/08/ldaps-configuration-vcsa/

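Lalegre's advice to fill in the Primary Server URL (ldap://dc:389 or ldaps://dc:636) and berndweyand's point that an LDAPS identity source needs the domain controller's certificate can both be checked before touching the vCenter wizard. The following script is an added example, not code from this thread or from VMware: it validates the URL shape, and for ldaps:// it fetches the DC's certificate (to upload into vCenter), prints its SHA-256 fingerprint for comparison with what the AD admin sees, and runs a second handshake that trusts only that certificate with hostname checking on, so a certificate that does not cover the DC name you typed is caught here rather than as an opaque login failure. The hostname dc01.ad2020.local and the script filename are constructed placeholders.

```python
"""Pre-flight checks for a vCenter 'Active Directory over LDAP' identity source.

Added example, not code from the forum thread or from VMware. Given the Primary
Server URL you intend to type into the vCenter wizard (ldap://dc:389 or
ldaps://dc:636), it validates the URL and, for ldaps://, fetches the domain
controller's certificate so you can upload it to vCenter and compare its
fingerprint with what the AD side reports. Hostnames are constructed placeholders.
"""
import hashlib
import socket
import ssl
import sys
from urllib.parse import urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def parse_ldap_url(url):
    """Return (scheme, host, port) for a URL of the form scheme://host[:port].

    Raises ValueError for anything other than an ldap/ldaps URL with a host,
    so a typo is caught here rather than as an opaque login failure later.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"scheme must be ldap or ldaps, got {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("no host in URL; point it at a domain controller")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        raise ValueError("vCenter expects scheme://host[:port] only")
    return scheme, parts.hostname, parts.port or DEFAULT_PORTS[scheme]


def sha256_fingerprint(der_bytes):
    """Colon-separated SHA-256 fingerprint, the form most certificate viewers show."""
    digest = hashlib.sha256(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_dc_certificate(host, port=636, timeout=5.0):
    """Return (pem, fingerprint) of the certificate the DC presents on LDAPS.

    Verification is off on purpose: the point is to retrieve the certificate
    before anything trusts it. Never reuse this context for a real bind.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return ssl.DER_cert_to_PEM_cert(der), sha256_fingerprint(der)


def hostname_matches(host, port, pem, timeout=5.0):
    """Second handshake trusting only the fetched certificate, hostname check on.

    True only if the certificate's SAN/CN covers `host`; a certificate issued to
    another name (e.g. another DC) fails here, the mismatch any TLS client rejects.
    """
    ctx = ssl.create_default_context(cadata=pem)
    if hasattr(ssl, "VERIFY_X509_PARTIAL_CHAIN"):  # Python >= 3.10
        ctx.verify_flags |= ssl.VERIFY_X509_PARTIAL_CHAIN  # trust the leaf itself
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except ssl.SSLCertVerificationError:
        return False


def preflight(url):
    """Run the checks and return a report dict (network access only for ldaps://)."""
    scheme, host, port = parse_ldap_url(url)
    report = {"scheme": scheme, "host": host, "port": port,
              "needs_certificate": scheme == "ldaps"}
    if scheme == "ldaps":
        pem, fp = fetch_dc_certificate(host, port)
        report.update(pem=pem, fingerprint=fp,
                      hostname_matches=hostname_matches(host, port, pem))
    return report


if __name__ == "__main__":
    # Usage (hypothetical filename): python ldap_preflight.py ldaps://dc01.ad2020.local:636
    target = sys.argv[1] if len(sys.argv) > 1 else "ldap://dc01.ad2020.local:389"
    result = preflight(target)
    for key, value in result.items():
        if key != "pem":
            print(f"{key}: {value}")
    if "pem" in result:
        print(result["pem"])  # paste this into the vCenter identity-source wizard
```

Run it with the exact URL you plan to enter; a ValueError means the wizard input itself is wrong, and `hostname_matches: False` means the DC's certificate does not cover the name in the URL, so either fix the name or have the AD side reissue the certificate before configuring LDAPS in vCenter.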
novell1
Enthusiast

Hello,

thanks, where do I have to set the ldap://ad2020.local:389 path? In vCenter or somewhere in the AD MS domain tool?

Thanks

werner

Lalegre
Virtuoso

If you look at the picture you shared with me, you will see that it shows the Primary URL as empty, so there you should point to the Domain Controller. Go over the wizard steps again to double check that.

berndweyand
Expert

Check my links - the steps are described with pictures.
