VMware Cloud Community
Masch73
Contributor

vCenter 5.1 AD group membership resolution

Hi,

I have a problem with group membership resolution for users that are members of a high number of AD groups (about 500 local and global AD groups).

In our environment we grant the VM user role to application admins.

Every VM has its own domain group, where the app admins are placed and the VM user role is granted. Users with membership in a high number of AD groups see only part of their VMs in vSphere Client.

Users with fewer group memberships see all their VMs.

Any idea?

Our environment:

vCenter Server 5.1 running on Windows 2k8 R2 server (member of AD)

ESXi 5.1 hosts and about 600 VMs

1 Active Directory, MaxTokenSize set to maximum - 64k

Thank you

vmnarayanarao
Contributor

Hi,

This is a limitation in the vCenter 5.1 environment. It supports only 500 groups; it queries the first 500 groups only.

Disclaimer: I cannot prove it at the moment, but I faced the same issue and we used the workaround of providing access to the user directly on vCenter.

Please go through the articles below; they may be useful:

VMware KB: Cannot log in to vCenter Server using the domain username/password credentials via the vS...

VMware KB: Logging into vCenter Server using the vSphere Client with vCenter Single Sign-On in a mul...

Regards

Narayanarao

admin
Immortal

If vCenter Server is at least 5.1 U1 you might want to look into the following.

VMware KB: Supported vCenter Single Sign-On 5.5 configuration and interoperability with vSphere 5.1

SSO 5.5 lifts some of the limitations that you are experiencing with SSO 5.1.
