girishverma
Enthusiast

vCenter 5.5 AD Authentication Help


Hello,

I was successfully able to install my vCenter Server 5.5. For identity sources I have vsphere.local as default but I have also set-up AD (Integrated Windows Authentication) under configuration. I want to be able to log on using an AD account.

I am able to set vCenter Server permissions using the AD account (users / groups populate just fine from AD domain) and set it with role of Administrator. However I can't log on using the AD account to vCenter server. I keep getting that the username / password is incorrect though I know it isn't. Am I missing something? I have tried in context of

domain\user

user@domain.local

user itself but no go.

Any advise is greatly appreciated.

Regards,

GV

Accepted Solution
admin
Immortal

Hi Girish,

Here is the link to the KB article ID 2060901, which contains the patch DLL and the instructions to patch the Single Sign-On server. You should be able to search for the article at kb.eng.vmware.com.


abhilashhb
VMware Employee

Is your AD showing up in Identity Sources when you log in to the Web Client?

Abhilash B | Blog : http://vpirate.in | Twitter : @abhilashhb | LinkedIn : https://www.linkedin.com/in/abhilashhb/
girishverma
Enthusiast

It does Abhilash. Please see the attached screenshot.

[Attachment: Capture.PNG]


Can you click on the appropriate Identity Source (bg.local) and then click the Set as Default Domain icon under the options menu?

admin
Immortal

Hi Girish,

Can you upload the SSO support bundle to the post? Just to make sure: you have tried logging in as user@bg.local and as BG\user, and both logins do not work? Also, can you check that this user in AD is not a newly created user whose account has the option "User must change password on next login" selected; while creating new users this option is selected by default on most AD systems. Can you try logging in as a different user after assigning permissions to that user? Please make sure the password for the user is not expired.

Thanks

Srinu

girishverma
Enthusiast

Hi Mustafa,

I had tried that before but that still does not change anything. Weird...

girishverma
Enthusiast

Hi SrinuA,

Attached is the log bundle as requested. I also get the message in the screenshot when trying to log on using the AD account. The AD account is not new and worked perfectly when I had 5.1 implemented. 5.5 is a FRESH new install in terms of Windows Server and vCenter Server. I also tried changing the password but no luck.

[Attachment: prase.JPG]


Came across the below KBs from VMware; hope this can resolve your issue.

VMware KB: Logging into the vSphere Web Client 5.5 fails with the error: Provided credentials are no...

Error from the log

2013-09-23 15:54:04,800 INFO   [VMwareDirectoryProvider] Cannot find solution user [vCO-1414d078df56e51f47c837bb55e@vsphere.local] in [CN=ServicePrincipals,DC=vsphere,DC=local]

2013-09-23 15:54:07,619 INFO   [VMwareDirectoryProvider] principalDn [CN=vCO-1414d078df56e51f47c837bb55e,CN=ServicePrincipals,DC=vsphere,DC=local] is not a member for group [Administrators], skipping LdapMod Op

VMware KB: Creating and using a Service Principal Account in vCenter Single Sign-On 5.5

girishverma
Enthusiast

Thanks Mustafa. I will try the Service Principal Account route.

At this point I have my AD domain as default, as in my screenshot before.

I can log onto the Web Client using both

administrator@vsphere.local & vc01\administrator (vCenter Server admin account)

but not AD accounts, which I just don't get. Will keep scratching my head :)

girishverma
Enthusiast

That is still a no go. I have done as articles suggested.

I created an account in AD: ssospn (part of domain users ONLY)

Followed the second article and updated the account accordingly.

Was able to add AD as identity source and set it as default.

Went to vCenter permissions, browsed my AD domain and chose the account esxiadmin (which I have created for managing vCenter).

I still get the same message: Cannot Parse Group Information.

admin
Immortal

Hi Girish,

Is this user esxiadmin a member of the local OS Administrators group (on the machine on which SSO is installed)? Since you have explicitly assigned permissions to this user esxiadmin in VC, if the user esxiadmin is part of the local OS Administrators group, can you remove this user from that group? Also, can you set the Local OS as the default domain and try to log in to NGC using the same user.

Thanks

Srinu

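An added example, not posted by anyone in this thread: a PowerShell script run on the SSO machine that checks the account-state conditions Srinu lists above (password expired, "User must change password at next logon", lockout) together with membership of the host's local Administrators group. It assumes the RSAT ActiveDirectory module is installed; the sAMAccountName and NetBIOS domain default to the values mentioned in the thread and are parameters you would replace.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module (RSAT)
# is present on the SSO machine and the machine is joined to the domain.
param(
    [string]$SamAccountName = 'esxiadmin',   # account name from the thread; replace as needed
    [string]$NetbiosDomain  = 'BG'           # NetBIOS domain from the thread; replace as needed
)
Import-Module ActiveDirectory

# Pull the attributes behind each of the conditions discussed in the thread.
$u = Get-ADUser -Identity $SamAccountName -Properties Enabled, LockedOut, PasswordExpired,
                                                      PasswordLastSet, pwdLastSet, PasswordNeverExpires

$findings = @()
if (-not $u.Enabled)     { $findings += 'account is disabled' }
if ($u.LockedOut)        { $findings += 'account is locked out' }
if ($u.PasswordExpired)  { $findings += 'password has expired' }
# AD stores "User must change password at next logon" as pwdLastSet = 0.
if ($u.pwdLastSet -eq 0) { $findings += 'user must change password at next logon' }

# Local Administrators on this host. Get-LocalGroupMember does not exist on Server 2012,
# so parse net.exe output; domain members are listed as DOMAIN\user.
$localAdmins = (net localgroup Administrators) |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -match '\\' }
if ($localAdmins -contains "$NetbiosDomain\$SamAccountName") {
    $findings += 'member of the local Administrators group on this host'
}

if ($findings.Count -eq 0) {
    "No account-state problems found for $SamAccountName (password last set $($u.PasswordLastSet))"
} else {
    "Findings for ${SamAccountName}:"
    $findings | ForEach-Object { " - $_" }
}
```

Run it as a user with read access to the domain; an empty findings list means none of the conditions raised in the thread explain the failed login, which points back at the SSO side (the DLL fix mentioned later) rather than the account.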
abhilashhb
VMware Employee

Can you try with esxiadmin@bg.local as username instead of bg\esxiadmin?

girishverma
Enthusiast

User esxiadmin is not part of the local OS Administrators group. I have pretty much tried everything and this still isn't working. Doing this same thing in 5.1 worked like a charm; I am not sure what the issue is here.

girishverma
Enthusiast

Nope, that doesn't work either Abhilash. I already tried this before as well.

admin
Immortal

Hi Girish,

We have looked into this issue further. Can you confirm whether you are using Windows 2012 as the AD and your SSO machine is joined to that domain? If so, this is a known issue with the possibility of a fix in EP1. Would you be willing to take a DLL file and replace it on your SSO machine, if you want to try the fix right away? We will provide detailed instructions on how to replace the DLL if you are willing to take the patch.

Thanks

Srinu

girishverma
Enthusiast

Hi Srinu,

You are right. I am using Srv 2012. Yes, the SSO machine is joined to the domain. Both the domain controller and vCenter server are 2012. I would love to try the fix you have; that would be great.

Please upload the dll and advise what exactly needs to be done. Thanks a lot for all the tips.

theburnout
Contributor

I am having exactly the same issues, but with the appliance.

I did an upgrade from 5.1 to 5.5.

After that the AD auth was not working anymore. I then added the "Integrated Windows Authentication".

The user is added to the group "Administrators".

I get "user or password unknown". I can see success logs at the domain controller for Kerberos tickets for my username.

But still can not login.

girishverma
Enthusiast

Hi theburnout,

Patiently waiting on Srinu's fix. Hopefully that will help us out :)

theburnout
Contributor

I could "solve" the issue by using the same configuration as with vsphere 5.1:

- New Identity Source, type "Active Directory as an LDAP Server"

- Copied/pasted the DN fields from AD for the Base DN for users and groups

- ldaps://dc1... and ldaps://dc2... with the DC certificates I exported first.

Then I could log in with user@fqdn.tld... after solving these bugs:

- First error message was "invalid group ... SID-.....".

- After translating the SID to "Domain Users" I realized this was because my Domain Users are in the default OU while the administrative groups I use are in another OU.

- After moving my Domain Users to the OU specified in vCenter I got another error, like "invalid distinguished name...".

This was because my German domain group was named "Domänen-Benutzer" and obviously vCenter cannot work with umlauts here.

- After renaming "Domänen Benutzer" to "Domain-Users" I can finally log in.

But, as expected, I still cannot "use current logged in user" as "Integrated Windows Authentication" is not working.
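An added example, not posted by anyone in this thread: a PowerShell pre-check, run on a domain-joined box with RSAT, for the three things theburnout had to fix by hand when setting up the "Active Directory as an LDAP Server" identity source: resolving the SID from the "invalid group ... SID" message to a name, confirming that the domain's primary user group (well-known RID 513, "Domain Users") sits under the group Base DN you are about to paste into vCenter, and listing groups under that Base DN whose names contain non-ASCII characters such as umlauts. The Base DNs are placeholders; the script reports problems rather than renaming or moving anything.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module (RSAT).
# Base DNs below are placeholders for the values you plan to enter in vCenter.
param(
    [string]$UserBaseDn  = 'OU=Accounts,DC=example,DC=local',   # placeholder
    [string]$GroupBaseDn = 'OU=Groups,DC=example,DC=local'      # placeholder
)
Import-Module ActiveDirectory

# Case-insensitive check that $Dn lies under $BaseDn (string suffix on the DN).
function Test-DnIsUnder {
    param([string]$Dn, [string]$BaseDn)
    return $Dn.ToLowerInvariant().EndsWith($BaseDn.ToLowerInvariant())
}

# Translate a SID string (as quoted in SSO's "invalid group ... SID-..." message)
# into DOMAIN\Name so you can see which group SSO failed to resolve.
function Resolve-GroupSid {
    param([string]$Sid)
    $s = New-Object System.Security.Principal.SecurityIdentifier($Sid)
    return $s.Translate([System.Security.Principal.NTAccount]).Value
}

# Groups under the Base DN whose names are not pure ASCII (e.g. 'Domänen-Benutzer').
function Get-NonAsciiGroups {
    param([string]$BaseDn)
    Get-ADGroup -SearchBase $BaseDn -Filter * |
        Where-Object { $_.Name -match '[^\x00-\x7F]' } |
        Select-Object Name, DistinguishedName
}

# 1) Every user's primary group is Domain Users (RID 513); look it up by SID so the
#    check works regardless of the localized group name.
$domainSid   = (Get-ADDomain).DomainSID.Value
$domainUsers = Get-ADGroup -Identity "$domainSid-513"
if (Test-DnIsUnder $domainUsers.DistinguishedName $GroupBaseDn) {
    "OK: primary group '$($domainUsers.Name)' is under $GroupBaseDn"
} else {
    Write-Warning "Primary group '$($domainUsers.Name)' lives at $($domainUsers.DistinguishedName), outside $GroupBaseDn"
}
"Primary group SID $($domainUsers.SID.Value) resolves to: $(Resolve-GroupSid $domainUsers.SID.Value)"

# 2) Group names SSO is likely to choke on.
$bad = Get-NonAsciiGroups -BaseDn $GroupBaseDn
if ($bad) {
    Write-Warning "Groups with non-ASCII names under ${GroupBaseDn}:"
    $bad | Format-Table -AutoSize
} else {
    "OK: no non-ASCII group names under $GroupBaseDn"
}

# 3) Sanity check that the user Base DN actually contains users.
$userCount = (Get-ADUser -SearchBase $UserBaseDn -Filter * -ResultSetSize 1 | Measure-Object).Count
if ($userCount -eq 0) { Write-Warning "No user objects found under $UserBaseDn" } else { "OK: users found under $UserBaseDn" }
```

If the script warns about the primary group's location or a non-ASCII name, that is the same condition the thread hit; whether to widen the group Base DN, move the group, or rename it is a directory design decision to make before touching vCenter, and Resolve-GroupSid lets you identify the group from the error message without guessing.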

Dmitry_G
Hot Shot

Hello all!

Have the same issue!

The workaround that theburnout proposed helped to partially solve the issue; after login with the AD account I have another error: "client is not authenticated to vmware inventory service".

VCAP-DCD, VCAP-DCA, VCP-Cloud, VCP-DCV, CCNA