I was successfully able to install my vCenter Server 5.5. For identity sources I have vsphere.local as default, but I have also set up AD (Integrated Windows Authentication) under configuration. I want to be able to log on using an AD account.
I am able to set vCenter Server permissions using the AD account (users / groups populate just fine from the AD domain) and set it with the role of Administrator. However, I can't log on to vCenter Server using the AD account. I keep getting that the username / password is incorrect, though I know it isn't. Am I missing something? I have tried in the context of the user itself, but no go.
Any advice is greatly appreciated.
Here is the link to KB article 2060901, which contains the patch DLL and the instructions to patch the Single Sign-On server. You should be able to search for the article at kb.eng.vmware.com.
Is your AD showing up under Identity Sources when you log in to the Web Client?
Can you click on the appropriate identity source (bg.local) and then click the "Set as Default Domain" icon under the options menu?
Can you upload the SSO support bundle to the post? Just to make sure: have you tried logging in as firstname.lastname@example.org and as BG\user, and do both logins fail? Also, can you check that this user in AD is not a newly created user whose account has the option "User must change password on next login" selected? When creating new users this option is selected by default on most AD systems. Can you try logging in as a different user after assigning permissions to that user? Please make sure the password for the user is not expired.
Attached is the log bundle as requested. I also get the message in the screenshot when trying to log on using the AD account. The AD account is not new and worked perfectly when I had 5.1 implemented. 5.5 is a FRESH new install in terms of Windows Server and vCenter Server. I also tried changing the password, but no luck.
Came across the KBs below from VMware; hope these can resolve your issue.
Error from the log:
2013-09-23 15:54:04,800 INFO [VMwareDirectoryProvider] Cannot find solution user [vCOemail@example.com] in [CN=ServicePrincipals,DC=vsphere,DC=local]
2013-09-23 15:54:07,619 INFO [VMwareDirectoryProvider] principalDn [CN=vCO-1414d078df56e51f47c837bb55e,CN=ServicePrincipals,DC=vsphere,DC=local] is not a member for group [Administrators], skipping LdapMod Op
Thanks Mustafa. I will try the Service Principal Account route.
At this point I have my AD domain set as default, as in my screenshot before.
I can log on to the Web Client using both
firstname.lastname@example.org & vc01\administrator (vCenter Server admin account)
but not AD accounts, and I just don't get why. Will keep scratching my head.
That is still a no go. I have done as articles suggested.
I created an account in AD: ssospn (part of domain users ONLY)
followed the second article and updated the account accordingly
Was able to add AD as identity source and set it as default.
Went to vCenter permissions, browsed my AD domain and chose the account esxiadmin (which I have created for managing vCenter).
I still get the same message: Cannot Parse Group Information.
Is the user esxiadmin a member of the local OS (the machine on which SSO is installed) Administrators group? Since you have explicitly assigned permissions to the user esxiadmin in VC: if the user esxiadmin is part of the local OS Administrators group, can you remove this user from that group? Also, can you set the Local OS as the default domain and try to log in to NGC using the same user?
Can you try with email@example.com as username instead of bg\esxiadmin?
User esxiadmin is not part of the local OS Administrators group. I have pretty much tried everything and this still isn't working. Doing this same thing in 5.1 worked like a charm; I am not sure what the issue is here.
We have looked into this issue further. Can you confirm whether you are using Windows 2012 as the AD and whether your SSO machine is joined to that domain? If so, this is a known issue with a possible fix in EP1. Would you be willing to take a DLL file and replace it on your SSO machine, if you want to try the fix right away? We will provide detailed instructions on how to replace the DLL if you are willing to take the patch.
You are right. I am using Srv 2012. SSO machine is joined to the domain yes. Both the domain controller and vCenter server are 2012. I would love to try the fix you have, that would be great.
Please upload the DLL and advise what exactly needs to be done. Thanks a lot for all the tips.
I am having exactly the same issues, but with the appliance.
I did an upgrade from 5.1 to 5.5.
After that the AD auth was not working anymore. I then added the "Integrated Windows Authentication" identity source.
The user is added to the group "Administrators".
I get "user or password unknown". I can see success logs at the domain controller for kerberos tickets for my username.
But still can not login.
I could "solve" the issue by using the same configuration as with vSphere 5.1:
- New Identity Source, Type Active Directory as LDAP
- Copied/pasted the DN-fields from AD for Base-DN for users and groups
- ldaps://dc1....ldaps://dc2... with the dc-certs I exported first.
Then I could log in with firstname.lastname@example.org... after solving these bugs:
- The first error message was "invalid group ... SID-.....".
- After translating the SID to "Domain-Users" I realized this was because my Domain Users are in the default OU, while the administrative groups I use are in another OU.
- After then moving my Domain Users to the OU specified in vCenter I got another error, like "invalid distinguished name...".
This was because my German domain group was named "Domänen-Benutzer", and obviously vCenter cannot work with umlauts here.
- After renaming "Domänen Benutzer" to "Domain-Users" I can finally log in.
But, as expected, I still cannot "use current logged-in user", as "Integrated Windows Authentication" is not working.
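The two failures theburnout hits while configuring AD as an LDAP identity source (a group sitting outside the configured group base DN, then a group whose name carries an umlaut) can be checked before touching vCenter. The following is an added example, not code from the original thread or from VMware: a small RFC 4514 DN parser plus the two checks, run over constructed sample DNs. The base DN OU=vCenter-Groups,DC=bg,DC=local and the sample group names are assumptions; the only thing taken from the post is that a group named "Domänen-Benutzer" failed where "Domain-Users" worked.

```python
"""
Added example (not from the original thread). Checks candidate AD group DNs
against two failure modes reported when configuring an "Active Directory as
LDAP" identity source: the group lies outside the configured group base DN,
and the group CN contains non-ASCII characters (umlauts). All DNs below are
constructed sample data.
"""
import re
import unicodedata

# Assumed group base DN, as it would be entered in the identity source dialog.
GROUP_BASE_DN = 'OU=vCenter-Groups,DC=bg,DC=local'

# Constructed sample groups; the umlaut one is hex-escaped as an LDAP server
# may return it (\C3\A4 is UTF-8 for 'ä').
SAMPLE_GROUPS = [
    'CN=vCenter-Admins,OU=vCenter-Groups,DC=bg,DC=local',
    'CN=Dom\\C3\\A4nen-Benutzer,CN=Users,DC=bg,DC=local',
    'CN=Domain-Users,OU=vCenter-Groups,DC=bg,DC=local',
]

_HEX2 = re.compile(r'[0-9A-Fa-f]{2}')


def split_unescaped(s, sep):
    """Split s on sep, ignoring separators preceded by a backslash."""
    parts, cur, i = [], [], 0
    while i < len(s):
        c = s[i]
        if c == '\\' and i + 1 < len(s):      # keep escape pair intact
            cur.append(c)
            cur.append(s[i + 1])
            i += 2
            continue
        if c == sep:
            parts.append(''.join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    parts.append(''.join(cur))
    return parts


def unescape_value(v):
    """Undo RFC 4514 escaping: \\XX hex runs decode as UTF-8, \\c yields c."""
    out, i = [], 0
    while i < len(v):
        if v[i] == '\\' and i + 1 < len(v):
            raw = bytearray()
            while v[i] == '\\' and _HEX2.fullmatch(v[i + 1:i + 3]):
                raw.append(int(v[i + 1:i + 3], 16))
                i += 3
                if i >= len(v):
                    break
            if raw:
                out.append(raw.decode('utf-8', errors='replace'))
                continue
            out.append(v[i + 1])               # simple escape such as \, or \=
            i += 2
            continue
        out.append(v[i])
        i += 1
    return ''.join(out)


def parse_dn(dn):
    """Return a list of RDNs; each RDN is a list of (type, value) pairs with
    the type lower-cased and the value unescaped. '+' multi-valued RDNs work."""
    rdns = []
    for rdn in split_unescaped(dn, ','):
        pairs = []
        for ava in split_unescaped(rdn, '+'):
            typ, _, val = ava.partition('=')
            pairs.append((typ.strip().lower(), unescape_value(val.strip())))
        rdns.append(pairs)
    return rdns


def _norm(pairs):
    return sorted((t, v.casefold()) for t, v in pairs)


def is_under(dn, base_dn):
    """True if dn equals base_dn or lies beneath it (RDN suffix match, case-insensitive)."""
    d, b = parse_dn(dn), parse_dn(base_dn)
    if len(b) > len(d):
        return False
    return [_norm(p) for p in d[len(d) - len(b):]] == [_norm(p) for p in b]


def non_ascii_chars(s):
    return [(c, unicodedata.name(c, 'U+%04X' % ord(c))) for c in s if ord(c) > 127]


def check_group(group_dn, group_base_dn=GROUP_BASE_DN):
    """List the problems a group DN would cause for the identity source."""
    problems = []
    if not is_under(group_dn, group_base_dn):
        problems.append('outside group base DN %s' % group_base_dn)
    cn = next((v for t, v in parse_dn(group_dn)[0] if t == 'cn'), '')
    bad = non_ascii_chars(cn)
    if bad:
        problems.append('non-ASCII in CN %r: %s' % (cn, ', '.join(n for _, n in bad)))
    return problems


if __name__ == '__main__':
    for g in SAMPLE_GROUPS:
        print(g, '->', check_group(g) or 'OK')
```

Run it as-is to see the umlaut group flagged twice (wrong container and non-ASCII CN) while the two ASCII groups under the base DN pass; point check_group at the DNs returned by your own domain controller to audit before pasting base DNs into the identity source dialog.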
Have the same issue!
The workaround that theburnout proposed helped to partially solve the issue; after login with an AD account I get another error: "client is not authenticated to vmware inventory service".