VMware Cloud Community
Seanpeters
Enthusiast

AD Login Problem

It seems I have hit my first major problem with vCAC 6.

I have copied this Post from my Blog in hopes that I would find an answer quicker.

After doing a few test runs and other scenarios it looks like I have found the problem.

I have a multi-tiered domain, a forest. The main domain the vCAC users will use is just under the main/root domain; we will call the root level 1, so that means we are using the domain on level 2. Now what happens is that I am only able to use AD accounts that I configure for vCAC that are on level 2 (the identity source points to level 2) and do not belong to any AD groups on level 1 or 3. If the account belongs to any group outside of level 2, then after a log-on attempt the progress bar on the log-on page stops and nothing happens.

I found the problem by looking at the "vmware-sts-idmd" log. It says that the log-on was successful, however there was an error calling an LDAP search for a group the account is in, in domain level 1 or 3. In the log there is an LDAP referral error, code 10:

Error received by LDAP client: com.vmware.identity.interop.ldap.LinuxLdapClientLibrary, error code: 10

Exception when calling ldap_search_s: base=CN=Group,OU=AdminRoleGroups,OU=Admin,DC=DOMAIN,DC=com, scope=0, filter=(objectClass=group), attrs=[Ljava.lang.String;@20bea718, attrsonly=0

I have tried using the global catalog port 3268 instead of 389. I thought this would work but it seems that the ldap client cannot bind on this port. I have also tried using just the root domain as the identity source with no luck.

So I am still working on this. Any help would be welcomed.

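As an added triage example (not from the thread or from VMware), this Python script parses vmware-sts-idmd lines like the two quoted above, maps the LDAP result code to its RFC 4511 name, and flags group searches whose base DN lies in a domain other than the identity source's own; the second pair of log lines and the child.domain.com identity-source domain are constructed.

```python
import re

# LDAP result codes from RFC 4511 section 4.1.9 that matter for this thread.
LDAP_RESULT_CODES = {0: "success", 10: "referral", 32: "noSuchObject", 49: "invalidCredentials"}

ERROR_RE = re.compile(r"error code:\s*(\d+)")
SEARCH_RE = re.compile(r"ldap_search_s:\s*base=(.*?),\s*scope=")

def dn_domain(dn: str) -> str:
    """Return the DNS domain implied by the DC= components of a DN, lower-cased."""
    parts = [p.strip() for p in dn.split(",")]
    return ".".join(p[3:] for p in parts if p.upper().startswith("DC=")).lower()

def triage(log_lines, identity_source_domain: str):
    """Pair each failed ldap_search_s with the most recent LDAP error code and
    flag searches whose base DN lives outside the identity source's domain."""
    findings, last_code = [], None
    home = identity_source_domain.lower()
    for line in log_lines:
        m = ERROR_RE.search(line)
        if m and "Error received by LDAP client" in line:
            last_code = int(m.group(1))
            continue
        m = SEARCH_RE.search(line)
        if m:
            base = m.group(1)
            domain = dn_domain(base)
            findings.append({
                "base": base,
                "domain": domain,
                "cross_domain": domain != home,   # group lives in another forest domain
                "code": last_code,
                "meaning": LDAP_RESULT_CODES.get(last_code, "unknown"),
            })
    return findings

# Log excerpt: first pair quoted from the thread, second pair constructed for contrast.
SAMPLE_LOG = [
    "Error received by LDAP client: com.vmware.identity.interop.ldap.LinuxLdapClientLibrary, error code: 10",
    "Exception when calling ldap_search_s: base=CN=Group,OU=AdminRoleGroups,OU=Admin,DC=DOMAIN,DC=com, scope=0, filter=(objectClass=group), attrs=[Ljava.lang.String;@20bea718, attrsonly=0",
    "Error received by LDAP client: com.vmware.identity.interop.ldap.LinuxLdapClientLibrary, error code: 32",
    "Exception when calling ldap_search_s: base=CN=Ops,OU=Groups,DC=child,DC=DOMAIN,DC=com, scope=0, filter=(objectClass=group), attrs=[Ljava.lang.String;@1a2b3c4d, attrsonly=0",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, "child.domain.com"):
        where = "OUTSIDE identity source" if f["cross_domain"] else "inside identity source"
        print(f"{f['meaning']:>12} ({f['code']}) {where}: {f['base']}")
```

A referral (code 10) against a base DN in a domain other than the identity source's is the signature described in this thread; a code 32 inside the home domain points at a plain wrong search base instead.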
8 Replies
stacycarter
Enthusiast

I am hitting that same issue, or the same symptoms, and currently have a case open for it. Issue for me: if I create two identity stores, one for the parent domain and one for the child domain, I cannot log in with an account from the parent domain if an account with the same username/CN is in the child domain. I do not have this problem logging in with an account from the parent domain if there is no account with the same name in the child domain. If you get past this error, please share. Thanks!

Seanpeters
Enthusiast

I have a case open as well.

I have also tried using vCenter 5.5 build version 1476327 SSO which unofficially supports vCAC 6.0 and it does work (with a few issues) but does not resolve the problem.

I am hoping to get a resolution soon.

stacycarter
Enthusiast

More info after doing some additional testing today. My issue goes away when I change the port to a global catalog port, 3268 or 3269 (i.e., the issue happens when using the LDAP/LDAPS ports 389 or 636, but when using the LDAP/LDAPS GC ports 3268 or 3269 it works fine). Going to share this info with VMware technical support. Question for you: if you open AD Sites and Services, have you verified that the DC you're trying to bind to is "checked" as a Global Catalog?

Seanpeters
Enthusiast

Yes, all DCs are GC servers in our domain. When using the GC ports we get yet another error.

ggochkov
VMware Employee

Sean,

I have a couple of questions:

0. Is the child user's UPN suffix different from child.parent.dom?

1. What is the parent (level 1) group type, referring to:

http://technet.microsoft.com/en-us/library/cc755692%28v=ws.10%29.aspx

2. What is the parent group DN in AD (level 1)?

3. What is the child user DN in AD (level 2)?

4. Is the parent group a member of another group, and what rights does the parent group inherit?

5. What are the login user DN, group search DN and user search DN of identity store 1 (configured for parent.dom)?

6. What are the login user DN, group search DN and user search DN of identity store 2 (configured for child.parent.dom)?

ealaqqad
Enthusiast

Hi,

Try adding one of these ports to the end of your LDAP identity configuration: 3286, 636, and 389. Depending on your environment, one of these should fix your problem. I have written a blog post on that with a bit more detail; you can check it out at: http://www.virtualizationteam.com/cloud/how-to-fix-vcac-6-ad-login-is-very-slow.html

Thanks,

Eiad Al-Aqqad

Virtualization Team Blog

Regards, Eiad Al-Aqqad Technology Consultant @ VMware b: http://www.VirtualizationTeam.com b: http://www.TSMGuru.com
paulfries
Contributor

Any update on this? I am experiencing this exact same issue.

jklimczak21
Enthusiast

I recreated my AD connection and that fixed this issue for me.
