RoadRunnr
Contributor

vCSA with Windows 2012R2 AD controller, LDAP search not working / SSO broken

Hi,

After upgrading vCSA to 5.5.0a and Windows AD to 2012 R2, AD logins to vCSA no longer work.

sso/vmware-sts-idmd.log shows:

2013-11-05 17:08:57,135 WARN   [LdapErrorChecker] Error received by LDAP client: com.vmware.identity.interop.ldap.LinuxLdapClientLibrary, error code: 1
2013-11-05 17:08:57,135 ERROR  [LinuxLdapClientLibrary] Exception when calling ldap_search_s: base=DC=example,DC=org, scope=2, filter=(&(userPrincipalName=user@example.org)(objectClass=user)), attrs=[Ljava.lang.String;@3463048e, attrsonly=0
com.vmware.identity.interop.ldap.OperationsErrorLdapException: Operations error
LDAP error [code: 1]
        at com.vmware.identity.interop.ldap.LdapErrorChecker$1.RaiseLdapError(LdapErrorChecker.java:32)
        at com.vmware.identity.interop.ldap.LdapErrorChecker.CheckError(LdapErrorChecker.java:826)
        at com.vmware.identity.interop.ldap.LinuxLdapClientLibrary.CheckError(LinuxLdapClientLibrary.java:743)
        at com.vmware.identity.interop.ldap.LinuxLdapClientLibrary.ldap_search_s(LinuxLdapClientLibrary.java:414)
        at com.vmware.identity.interop.ldap.LdapConnection$3.call(LdapConnection.java:334)
        at com.vmware.identity.interop.ldap.LdapConnection$3.call(LdapConnection.java:331)
        at com.vmware.identity.interop.ldap.LdapConnection.execute(LdapConnection.java:65)
        at com.vmware.identity.interop.ldap.LdapConnection.search(LdapConnection.java:330)
        at com.vmware.identity.interop.ldap.LdapConnection.search(LdapConnection.java:299)
        at com.vmware.identity.idm.server.provider.activedirectory.ActiveDirectoryProvider.findAccountLdapEntry(ActiveDirectoryProvider.java:1346)
        at com.vmware.identity.idm.server.provider.activedirectory.ActiveDirectoryProvider.findUserByLdap(ActiveDirectoryProvider.java:2263)
        at com.vmware.identity.idm.server.provider.activedirectory.ActiveDirectoryProvider.findUser(ActiveDirectoryProvider.java:320)
        at com.vmware.identity.idm.server.IdentityManager.findPersonUser(IdentityManager.java:3063)
        at com.vmware.identity.idm.server.IdentityManager.findNestedParentGroupsInternal(IdentityManager.java:3968)
        at com.vmware.identity.idm.server.IdentityManager.findNestedParentGroups(IdentityManager.java:3928)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
        at java.lang.reflect.Method.invoke(Unknown Source)
        at sun.rmi.server.UnicastServerRef.dispatch(Unknown Source)
        at sun.rmi.transport.Transport$1.run(Unknown Source)
        at sun.rmi.transport.Transport$1.run(Unknown Source)
        at java.security.AccessController.doPrivileged(Native Method)
        at sun.rmi.transport.Transport.serviceCall(Unknown Source)
        at sun.rmi.transport.tcp.TCPTransport.handleMessages(Unknown Source)
        at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run0(Unknown Source)
        at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(Unknown Source)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
        at java.lang.Thread.run(Unknown Source)

tcpdump shows that the vCSA does an ldapsearch on the AD without any authentication, and the 2012 R2 server rejects that with:

000004DC: LdapErr: DSID-0C090728, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v2580

A Kerberos request to the AD right before the search is successful, and the AD join was successful too.

Any ideas how to debug this? Why isn't the vCSA using an authenticated search?

Andreas
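The two symptoms in the post (LDAP result code 1 in vmware-sts-idmd.log, and the AD-side "a successful bind must be completed" diagnostic seen in the capture) can be correlated mechanically. The following Python is an added triage helper, not code from the post or from VMware: it parses a constructed copy of the idmd log lines and of the AD LdapErr text, decodes the LDAP result code (RFC 4511) and the Win32 prefix AD puts in front of LdapErr (0x4DC is ERROR_NOT_AUTHENTICATED), and reports whether the failure is the "search on an unbound connection" case rather than, say, bad credentials. The sample strings, function names and the verdict wording are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input modelled on the log excerpt and the AD diagnostic
# quoted in the post; the values are illustrative, not captured from a system.
SAMPLE_IDMD_LINE = (
    "2013-11-05 17:08:57,135 ERROR  [LinuxLdapClientLibrary] Exception when calling "
    "ldap_search_s: base=DC=example,DC=org, scope=2, "
    "filter=(&(userPrincipalName=user@example.org)(objectClass=user)), "
    "attrs=[Ljava.lang.String;@3463048e, attrsonly=0"
)
SAMPLE_IDMD_ERR = "LDAP error [code: 1]"
SAMPLE_AD_DIAG = (
    "000004DC: LdapErr: DSID-0C090728, comment: In order to perform this operation "
    "a successful bind must be completed on the connection., data 0, v2580"
)

# Subset of RFC 4511 resultCode values relevant to this triage.
LDAP_RESULT_CODES = {0: "success", 1: "operationsError",
                     49: "invalidCredentials", 50: "insufficientAccessRights"}
LDAP_SCOPES = {0: "baseObject", 1: "singleLevel", 2: "wholeSubtree"}
# Win32 error 1244 (0x4DC) = ERROR_NOT_AUTHENTICATED; AD prefixes its LdapErr text with it.
WIN32_NOT_AUTHENTICATED = 0x4DC

SEARCH_RE = re.compile(
    r"ldap_search_s: base=(?P<base>.+?), scope=(?P<scope>\d+), filter=(?P<filter>\(.*?\)), attrs=")
ERR_RE = re.compile(r"LDAP error \[code: (?P<code>\d+)\]")
AD_DIAG_RE = re.compile(
    r"^(?P<win32>[0-9A-Fa-f]{8}): LdapErr: DSID-(?P<dsid>[0-9A-Fa-f]+), "
    r"comment: (?P<comment>.*?), data (?P<data>\d+), v(?P<ver>\d+)$")


@dataclass
class SearchAttempt:
    base: str
    scope: int
    filter: str


def parse_search(line: str) -> Optional[SearchAttempt]:
    """Extract base/scope/filter from an idmd 'Exception when calling ldap_search_s' line."""
    m = SEARCH_RE.search(line)
    if not m:
        return None
    return SearchAttempt(m.group("base"), int(m.group("scope")), m.group("filter"))


def parse_ldap_error(line: str) -> Optional[int]:
    """Return the numeric LDAP resultCode from an 'LDAP error [code: N]' line."""
    m = ERR_RE.search(line)
    return int(m.group("code")) if m else None


def parse_ad_diag(msg: str) -> Optional[dict]:
    """Decode the AD-side diagnostic message (Win32 prefix, DSID, comment, data)."""
    m = AD_DIAG_RE.match(msg.strip())
    if not m:
        return None
    return {"win32": int(m.group("win32"), 16), "dsid": m.group("dsid"),
            "comment": m.group("comment"), "data": int(m.group("data"))}


def triage(idmd_lines, ad_diag: Optional[str] = None) -> dict:
    """Correlate client-side log lines with the optional server-side LdapErr text."""
    search = next((s for s in map(parse_search, idmd_lines) if s), None)
    code = next((c for c in map(parse_ldap_error, idmd_lines) if c is not None), None)
    diag = parse_ad_diag(ad_diag) if ad_diag else None
    # The unbound-search case: operationsError on the client AND the server says
    # it wanted a bind first (either by Win32 code or by the comment text).
    unbound = bool(code == 1 and diag and (
        diag["win32"] == WIN32_NOT_AUTHENTICATED
        or "successful bind must be completed" in diag["comment"]))
    if unbound:
        verdict = "search sent before any bind; check why the client did not bind"
    elif code == 49:
        verdict = "bind was attempted but rejected; check the account/password"
    elif code == 1:
        verdict = "operationsError; capture the LDAP response to read the AD comment"
    else:
        verdict = "no LDAP failure recognised in the supplied lines"
    return {"search": search, "result_code": code,
            "result_name": LDAP_RESULT_CODES.get(code, "unknown"),
            "scope_name": LDAP_SCOPES.get(search.scope) if search else None,
            "ad_win32": diag["win32"] if diag else None,
            "unauthenticated_search": unbound, "verdict": verdict}


if __name__ == "__main__":
    print(triage([SAMPLE_IDMD_LINE, SAMPLE_IDMD_ERR], SAMPLE_AD_DIAG))
```

On a real system the idmd lines come from sso/vmware-sts-idmd.log and the AD text from the LDAP searchResDone diagnosticMessage in the packet capture; the point of keeping both parsers separate is that the client log alone only says "operationsError", and it is the server's comment that pins it to an unbound connection.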

victorfondevill
Contributor

Same issue here; tried with the last 5.5 OVA today.

BTW, it seems VMware acknowledged the issue: http://creativeview.co.uk/vcsa-active-directory-woes/
