girishverma
Enthusiast

vCenter 5.5 AD Authentication Help


Hello,

I was successfully able to install my vCenter Server 5.5. For identity sources I have vsphere.local as default but I have also set up AD (Integrated Windows Authentication) under configuration. I want to be able to log on using an AD account.

I am able to set vCenter Server permissions using the AD account (users / groups populate just fine from AD domain) and set it with role of Administrator. However I can't log on using the AD account to vCenter server. I keep getting that the username / password is incorrect though I know it isn't. Am I missing something? I have tried in context of

domain\user

user@domain.local

user itself but no go.

Any advice is greatly appreciated.

Regards,

GV

55 Replies
Selta
Contributor

Son of a ... I'm getting this now too... and when I try to run through the Re-pointing steps, I get errors. Really don't feel like rebuilding my vCenter server 😐 When I run the register-is.bat step, I get:

"Failed to perform register action com.vmware.vim.dataservices.vcregtool.exception.RegistrationException

     at com.vmware.vim.dataservices.vcregtool.RegisterVC.registerWithIS(RegisterVC.java:904)"

0 Kudos
JDooleyCLT
Enthusiast

I tried what looked to be the easiest of the steps listed there, reregistering the Web Client with SSO, and it did nothing.  I'll try the other steps tomorrow, and then blow everything away.  Luckily this is my lab, but I can't in good conscience tell anyone in production that this upgrade is ready for prime time.  Not yet.

0 Kudos
Selta
Contributor

I'm operating under the assumption all steps need completed. Guess I'm stuck until someone smarter than me can point me in a direction 😀. This is also just my home personal lab, so it's not terrible that this is "broken", but is also making me hesitant to update production systems.

Edit:

Skipped ahead to the WebClient repointing step and am also getting errors there...

"Return code is: InvalidInput"

"System error 5 has occurred"

"Access is denied" (wish it said WHAT it was trying to access here)

Then...

"Cannot authenticate user" -> I'm assuming this means the SSO Admin user, though I verified I'm using the correct credentials. I can log into the webclient and vsphere client using the same credentials.

Edit 2:
Basically said "screw it" and deployed the vCSA. Gotta reconfigure everything now, but, such is life. I want to convert everything to vCSA anyway, so this was a good excuse on trying that out and getting familiar with it.

0 Kudos
gregorcy
Contributor

This patch worked for me thanks.

0 Kudos
jlenabu
Contributor

I'm having the exact same issue.  And I'm using a W2008R2x64 AD controller, not 2012.

I can log in to my vSphere 5.5 Client with LOCAL Admin credentials and manage vCenter. I can log in to the vSphere Web Client 5.5 with LOCAL Admin credentials and also manage the environment. However I cannot log in to the vSphere client with my Domain Credentials. I can log in to Web Client with my Domain Credentials, but I cannot manage vCenter.

Can someone help me with this issue?

Thanks,

James

0 Kudos
jlenabu
Contributor

Screen Shots:

VS5Issue1.png

VS5Issue2.png

VS5Issue3.png

VS5Issue4.png

I've tried changing the Identity Source to the AD but it made no difference either way.

VS5Issue5.png

0 Kudos
Selta
Contributor

Did you change the default Identity Source to be your domain?
This is one of the errors I was seeing before, and I couldn't fix it. I just deleted my vCenter VM, deployed the vCSA and went on with life. It's just my home lab, so it wasn't a BIG deal, just a couple of hours wasted. Formally recommended we not move to 5.5 in production at this point as we can't have our vCenter blow up like that. Maybe in a few months when things calm down for us I'll try the upgrade, and if it goes sideways will rebuild in vCSA here too, but I'm not looking forward to that long weekend.

0 Kudos
jlenabu
Contributor

Yes I did do that.  Didn't help, still didn't work.

I'll try the vCSA, haven't played with that yet.  I'm also having my doubts about 5.5 also.

I tried installing ANOTHER vCenter VM, and wasted 4 hours on it, could never get it to work.

James

0 Kudos
Selta
Contributor

Did you also check permissions on your vCenter server? When logged in as the local administrator:

pastedImage_0.png

0 Kudos
jlenabu
Contributor

BRILLIANT MY FRIEND, that was it.  So, where did I miss that during the installation?  I've never had to do that previously.  Was that something I missed during the SSO installation?  Previously, since vCenter machine was a member of the domain, I could use either ID.

I guess I need to look at the SSO installation screens more carefully?  Or shudder, read the manual....

Thanks again.

Regards,

James

0 Kudos
yankinlk
Enthusiast

Holy Moly that was frustrating. I had to post my (almost) fix for this very basic problem.

In a very simple lab setup, I have 2008 AD/DNS. 2008 server joined to domain as my VC. Installed 5.5 in Simple Mode. No errors all the way through.

Could only log on to Web Client as SSO admin only... Traditional vSphere client and Web client failed for Domain admin...

Created a new user, a copy of the domain admin, and logged on first time to vSphere client.

But I still cannot log on to the Web Client.

If I log on to the Web Client as Domain admin, I can't see my vCenter Server. I can do as SSO admin ONLY.

I've spent too much time on this - only using 5.5 to show a customer - so I'm afraid I have to give up on this.

@HCIdiver
0 Kudos
Marcelvv
Contributor

Wow, I've set all the rights and domains the right way, tried to re-register the inventory service, and the virtual center.

But my problem was the rights for the local admin of the server running the inventory service. This gives you the error "Client is not authenticated to VMware Inventory Service".

Added the local computer again, and everything works like a charm 😀

0 Kudos
FBoettger
Contributor

Hey, what do you mean by "Added the local computer again,..."? I have exactly the same problem. After I fixed all bugs in the VCSA and German AD, I could log on, since I reboot the VCSA. Now I get the error "client is not authenticated to vmware inventory service" 😕

Do you use the Appliance or Installation on Win Server?

Edit: I removed the VCSA from AD and added it again, now I can log in to the webclient with AD credentials. But I don't know how long it works 😉

0 Kudos
mctssasmbc4isce
Contributor

I am running my domain controller on Server 2008 R2 and we are having the same problem. I can log into vSphere Client and Web Client using any account with the Administrators role, and the default Administrators@vsphere.local works as well, but anyone with a lesser role cannot log in. Everything I have runs on 2008 R2 - DC, vCenter, etc.

Can I use the .dll fix on 2008 R2? (From KBA 2060901.) I am assuming no. Others here seem to get it to work with 2008 R2 however, but don't offer an explanation (see 30). I would like to know what fix gregorcy implemented.

I cannot mirror accounts such as that shown by Selta here in 48. When I see that view, I have all of the accounts I have made, period. These consist of Power Users and Administrators. I also added those same groups when troubleshooting this issue.

This is crippling our lab network at this time. Sure hope VMware comes up with a fix!

0 Kudos
mctssasmbc4isce
Contributor

gregorcy, what did you do to get this to work with 2008 R2 (x64)?

0 Kudos
Selta
Contributor

Been a while since I've had this issue... since 5.5 and running 2012, I haven't had an issue.
Your issue in post 53 sounds more like AD permissions are incorrect. If your domain admin group user can access it, but the other users cannot, you need to make sure their AD group is set up within vCenter with appropriate permissions. The way I handle this in my home lab is with the "VMWare_Admin" and "VMWare_Guest" AD groups I created. I then assign domain users to those groups. Within vSphere, each of those AD Groups has a specific set of permissions.
Right now, I don't feel that your issue is related to the original topic, so I don't feel the DLL discussed or fixes other people have used will help. But that's just a gut guess!

0 Kudos
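
The group-based permission setup described in the post above, and the earlier advice to check permissions on the vCenter server, can be audited and applied with VMware PowerCLI. This is an added example, not code from the thread or from VMware; the server name, the `LAB` domain prefix and the mapping of the two groups to the built-in `Admin` and `ReadOnly` roles are assumptions.

```powershell
# Added example. Requires the VMware PowerCLI module.
# Assumptions: server name, LAB domain prefix, and the group-to-role mapping.
$vCenter = 'vcenter.lab.example'            # hypothetical vCenter host name
$wanted  = @{
    'LAB\VMWare_Admin' = 'Admin'            # PowerCLI name of the Administrator role
    'LAB\VMWare_Guest' = 'ReadOnly'         # PowerCLI name of the Read-only role
}

# Log in with an account that already has rights (e.g. the SSO administrator).
Connect-VIServer -Server $vCenter -Credential (Get-Credential) | Out-Null
try {
    # The root inventory folder: permissions set here propagate to everything.
    $root    = Get-Folder -NoRecursion
    $current = Get-VIPermission -Entity $root

    foreach ($principal in $wanted.Keys) {
        $roleName = $wanted[$principal]
        $existing = $current | Where-Object { $_.Principal -eq $principal }

        if (-not $existing) {
            # The group resolves in AD but has no vCenter permission: users
            # authenticate through SSO yet see an empty inventory.
            New-VIPermission -Entity $root -Principal $principal `
                -Role (Get-VIRole -Name $roleName) -Propagate:$true | Out-Null
            Write-Output "$principal : granted $roleName at $($root.Name)"
        }
        elseif ($existing.Role -ne $roleName) {
            # Report drift instead of silently changing an existing grant.
            Write-Warning "$principal has role $($existing.Role), expected $roleName"
        }
        else {
            Write-Output "$principal : already has $roleName"
        }
    }

    # Anything else granted at the root deserves a second look (least privilege).
    $current | Where-Object { $wanted.Keys -notcontains $_.Principal } |
        Select-Object Principal, Role, IsGroup, Propagate
}
finally {
    Disconnect-VIServer -Server $vCenter -Confirm:$false
}
```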