girishverma
Enthusiast
Enthusiast

vCenter 5.5 AD Authentication Help

Jump to solution

Hello,

I was successfully able to install my vCenter Server 5.5. For identity sources I have vsphere.local as default but I have also set-up AD (Integrated Windows Authentication) under configuration. I want to be able to log on using an AD account.

I am able to set vCenter Server permissions using the AD account (users / groups populate just fine from AD domain) and set it with role of Administrator. However I can't log on using the AD account to vCenter server. I keep getting that the username / password is incorrect though I know it isn't. Am I missing something? I have tried in context of

domain\user

user@domain.local

user itself but no go.

Any advise is greatly appreciated.

Regards,

GV

55 Replies
Dmitry_G
Hot Shot
Hot Shot

I fix issue with inventrory service. I use service from which I run all vsphere services e.g. SSO, Inventroy service and vCenter.

After change inventory service to "local system" account every thing starts to work fine.

VCAP-DCD, VCAP-DCA, VCP-Cloud, VCP-DCV, CCNA
0 Kudos
gregorcy
Contributor
Contributor

I am having the same issue:

"Cannot parse group information"

When trying to login via the web-interface. 

0 Kudos
girishverma
Enthusiast
Enthusiast

Same here Gregorcy, that error comes up via web client. I have not tried the other guy's fix yet. I still would like to try Srinu's fix (replacing the dll which he will provide us with). Lets hang tight.

0 Kudos
JuIcE_ALTSEC
Contributor
Contributor

I am also seeing this problem.  I would be happy to test the .dll file.

Will also look into other solutions, but I'm not making AD modifications at this time.

EDIT:

Found the Log File mentioned earlier.  I have the AD Source as the Default yet I'm seeing it try to authenticate via vsphere.local

2013-09-25 13:18:33,774 ERROR  [IdentityManager] Failed to find nested parent groups of principal [usernameredacted@domain.com] in tenant [vsphere.local]

2013-09-25 13:18:33,774 ERROR  [ServerUtils] Exception 'java.lang.IllegalStateException: Invalid group name format for [\Authentication authority asserted identity]'

0 Kudos
girishverma
Enthusiast
Enthusiast

Juice_ALTSEC

That is what i saw in my log files as well. Looks like VMware put out 5.5 too fast Smiley Wink

0 Kudos
JuIcE_ALTSEC
Contributor
Contributor

So, further testing of this.  If I restart the VMware  Identity Management Service and only use Windows Session Credentials.  I can log in to vCenter from any domain machine.

if I attempt to log in from any non domain added system, say our OSX hosts using the awesome 5.5 built in OSX Web Client.  It immediately states it cannot parse group information.  Then I cannot log into vCenter from any of the places that worked before until the process is restarted.

When I am successfully logging in use Windows Session Credentials - the log shows:

2013-09-25 13:34:32,868 INFO   [IdentityManager] Authentication succeeded for user [administrator@vsphere.local] in tenant [vsphere.local] in [206] milliseconds

2013-09-25 13:35:31,087 INFO   [IdentityManager] Authentication succeeded for user [administrator@vsphere.local] in tenant [vsphere.local] in [204] milliseconds

2013-09-25 13:36:31,143 INFO   [IdentityManager] Authentication succeeded for user [administrator@vsphere.local] in tenant [vsphere.local] in [204] milliseconds

2013-09-25 13:37:31,284 INFO   [IdentityManager] Authentication succeeded for user [administrator@vsphere.local] in tenant [vsphere.local] in [204] milliseconds

2013-09-25 13:38:31,212 INFO   [IdentityManager] Authentication succeeded for user [administrator@vsphere.local] in tenant [vsphere.local] in [204] milliseconds

When I go to the OSX Machine and try to login:

2013-09-25 13:39:11,791 ERROR  [ValidateUtil] resolved group name=[\Authentication authority asserted identity] is invalid: not a valid netbios name format 

2013-09-25 13:39:11,791 INFO   [ActiveDirectoryProvider] resolved group name=[\Authentication authority asserted identity] is invalid: not a valid netbios name format

Hope this helps.

Selta
Contributor
Contributor

JulcE_ALTSEC -> restarting the VMWare Identity Management Service also "fixes" the AD authentication for me as well. It seems that if I reboot the vCenter server (Windows Server 2012 Standard), I get the AD errors again until I manually restart that service. Very interesting. Hopefully whatever DLL we're waiting on resolves that - not that I restart my vCenter server often. Sorry I can't help with the OSX bit, just wanted to thank you for that help and confirm that it has "fixed" things for me.

As a side note: I also tried installing to 2012 R2 server, but the vCenter Server install gets hung up on "Installing Directory Service".

0 Kudos
JuIcE_ALTSEC
Contributor
Contributor

The same thing that affects my OSX hosts, affects any Windows host not added to the domain.

Just test that as well.

0 Kudos
admin
Immortal
Immortal

To clarify this issue exists the SSO/vcenter systems which are deployed on win2k12 machine and are joined to a win2k12 domain, and an identity source is setup to use Active Directory with windows authentication and you are using a domain user from the win2k12 domain to login. We are preparing a patch dll which contains the fix and will put up a kb article with the patch dll attached. We will put a kb article which will contain the patch dll with the instructions on how to apply this patch within 12-24 hours. Sorry for the delayed response and thanks for being patient.

0 Kudos
admin
Immortal
Immortal

Hi Girish,

Thanks for being patient. Please see the update/comment #28.

Thanks

Srinu

0 Kudos
gregorcy
Contributor
Contributor

Yep I can confirm that moving to a Windows 2008 x64 R2 server allows me to login with my domain users.

0 Kudos
Selta
Contributor
Contributor

I sadly don't have any machines not on the domain, and don't have time right now to remove one or create one off domain 😕

0 Kudos
girishverma
Enthusiast
Enthusiast

That's great Srinu.

If its not too much hassle, do post a link to the KB article in this post so we all know. Thanks once again.

0 Kudos
admin
Immortal
Immortal

Hi Girish,

Here is the link to the kb article id: 2060901 which contains the patch dll, and the instructions to patch the Single Sign-On server, You should be able to search/lookup for the article at kb.eng.vmware.com

View solution in original post

Selta
Contributor
Contributor
girishverma
Enthusiast
Enthusiast

That's it Smiley Happy

confirmed.

0 Kudos
girishverma
Enthusiast
Enthusiast

Srinu YOU ARE the man...

worked without a hitch. PERFECT. I appreciate your prompt feedback and all your help. Have an awesome day / night.

0 Kudos
abhilashhb
VMware Employee
VMware Employee

Glad to know this issue is finally solved.

Cheers guys. And good job Srinu Smiley Happy

------------------------------------------------------------------------------------------------------------------------------------ If you find this or any other answer useful please mark the answer as correct or helpful. Abhilash B | Blog : http://vpirate.in | Twitter : @abhilashhb | LinkedIn : https://www.linkedin.com/in/abhilashhb/ |
0 Kudos
JDooleyCLT
Enthusiast
Enthusiast

The patch worked great, and I'm able to authenticate, but now I'm getting the same "client is not authenticated to vmware inventory service" referenced above.  My Inventory Service is running as Local System, but I tried using the vCenter service account as well with no effect.  Any ideas as to what I should try next?

0 Kudos

for "client is not authenticated to vmware inventory service" try this KB VMware KB: Re-pointing and re-registering VMware vCenter Server 5.x and components

Please consider marking this answer "correct" or "helpful" if you found it useful.
0 Kudos