It seems I have hit my first major problem with vCAC 6.
I have copied this post from my blog in the hope that I would find an answer quicker.
After doing a few test runs and other scenarios, it looks like I have found the problem.
I have a multi-tiered domain, a forest. The main domain the vCAC users will use is just under the main/root domain; we will call the root level 1, so that means we are using the domain on level 2. What happens is that I am only able to use AD accounts that I configure for vCAC that are on level 2 (the identity source points to level 2) and that do not belong to any AD groups on level 1 or 3. If the account belongs to any group outside level 2, then after a log-on attempt the progress bar on the log-on page stops and nothing happens.
I found the problem by looking at the “vmware-sts-idmd” log. It says that the log-on was successful; however, there was an error calling for an LDAP search of a group the account is in, in domain level 1 or 3. In the log there will be an LDAP referral error, code 10.
Error received by LDAP client: com.vmware.identity.interop.ldap.LinuxLdapClientLibrary, error code: 10
Exception when calling ldap_search_s: base=CN=Group,OU=AdminRoleGroups,OU=Admin,DC=DOMAIN,DC=com, scope=0, filter=(objectClass=group), attrs=[Ljava.lang.String;@20bea718, attrsonly=0
I have tried using the global catalog port 3268 instead of 389. I thought this would work, but it seems that the LDAP client cannot bind on this port. I have also tried using just the root domain as the identity source, with no luck.
So I am still working on this. Any help would be welcomed.
I am hitting that same issue, or the same symptoms, and currently have a case open for it. The issue for me: if I create two identity stores, one for the parent domain and one for the child domain, I cannot log in with an account from the parent domain if an account with the same username/CN exists in the child domain. I do not have this problem logging in with an account from the parent domain if there is no account with the same name in the child domain. If you get past this error, please share. Thanks!
I have a case open as well.
I have also tried using vCenter 5.5 build 1476327 SSO, which unofficially supports vCAC 6.0, and it does work (with a few issues) but does not resolve the problem.
I am hoping to get a resolution soon.
More info after doing some additional testing today. My issue goes away when I change the port to a global catalog port, 3268 or 3269 (i.e., the issue happens when using the LDAP/LDAPS ports 389 or 636, but when using the LDAP/LDAPS GC ports 3268 or 3269 it works fine). I am going to share this info with VMware technical support. A question for you: if you open AD Sites and Services, have you verified that the DC you're trying to bind to is "checked" as a Global Catalog?
Yes, all DCs are GC servers in our domain. When using the GC ports we get yet another error.
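The thread above hinges on two facts: the vmware-sts-idmd log reports a successful bind followed by an ldap_search_s failure with LDAP result code 10 (referral, per RFC 4511) against a group DN in a different domain, and switching the identity source to the global catalog ports 3268/3269 makes the referral go away. The following script is an added example, not code from the original post or from VMware: it scans log text for that signature, derives the domain from the DC= components of the failing search base, and flags searches that were referred outside the identity source's own domain. The log lines it runs on are constructed to mirror the excerpt quoted in the first post (timestamps, the extra entries and the "Authentication succeeded" line are invented), and the function names, the finding dictionary fields and the exact line layout of the real log are assumptions.

```python
"""Find LDAP referral failures (result code 10) in vmware-sts-idmd log text and
check whether the failing search base lies outside the identity source's domain.

Added example for this thread; not VMware tooling. The SAMPLE_LOG is constructed
to mirror the excerpt quoted in the thread; DNs and domain names are placeholders."""

import re

LDAP_REFERRAL = 10                          # RFC 4511 resultCode referral(10)
GC_PORTS = {"ldap": 3268, "ldaps": 3269}   # global catalog ports reported to avoid the referral

# Assumed line layouts, copied from the excerpt in the first post.
ERROR_RE = re.compile(r"error code: (?P<code>\d+)")
SEARCH_RE = re.compile(
    r"ldap_search_s: base=(?P<base>.*?), scope=(?P<scope>\d+), filter=(?P<filter>\([^)]*\))"
)
# Split a DN on commas that are not escaped with a backslash (RFC 4514).
RDN_SPLIT = re.compile(r"(?<!\\),")

# Constructed sample: one cross-domain referral (code 10) and one unrelated
# noSuchObject (code 32) inside the identity source's own domain.
SAMPLE_LOG = """\
[2014-01-15 10:00:01] INFO  Authentication succeeded for jdoe@child.domain.com
[2014-01-15 10:00:01] ERROR Error received by LDAP client: com.vmware.identity.interop.ldap.LinuxLdapClientLibrary, error code: 10
[2014-01-15 10:00:01] ERROR Exception when calling ldap_search_s: base=CN=Group,OU=AdminRoleGroups,OU=Admin,DC=DOMAIN,DC=com, scope=0, filter=(objectClass=group), attrs=[Ljava.lang.String;@20bea718, attrsonly=0
[2014-01-15 10:00:02] ERROR Error received by LDAP client: com.vmware.identity.interop.ldap.LinuxLdapClientLibrary, error code: 32
[2014-01-15 10:00:02] ERROR Exception when calling ldap_search_s: base=CN=Missing,OU=Groups,DC=child,DC=DOMAIN,DC=com, scope=0, filter=(objectClass=group), attrs=[Ljava.lang.String;@1a2b3c4d, attrsonly=0
"""


def dn_domain(dn):
    """Return the DNS domain implied by the DC= components of a DN, lower-cased.

    'CN=Group,OU=Admin,DC=DOMAIN,DC=com' -> 'domain.com'
    """
    rdns = [r.strip() for r in RDN_SPLIT.split(dn)]
    labels = [r.split("=", 1)[1] for r in rdns if r.upper().startswith("DC=")]
    return ".".join(labels).lower()


def analyze(log_text, identity_source_domain):
    """Pair each 'error code: N' line with the ldap_search_s failure that follows it.

    Returns one finding per failed search. 'referral_outside_source' is True only
    when the result code is 10 and the search base belongs to a domain other than
    the one the identity source is configured for; that is the signature the
    thread describes (child-domain user, parent-domain group).
    """
    source = identity_source_domain.lower()
    findings = []
    pending_code = None
    for line in log_text.splitlines():
        m = ERROR_RE.search(line)
        if m:
            pending_code = int(m.group("code"))
            continue
        m = SEARCH_RE.search(line)
        if not m:
            continue
        base = m.group("base")
        target = dn_domain(base)
        cross = target != source
        referral = pending_code == LDAP_REFERRAL and cross
        findings.append({
            "base": base,
            "code": pending_code,
            "target_domain": target,
            "cross_domain": cross,
            "referral_outside_source": referral,
            "hint": (f"search was referred to {target}; try the GC ports "
                     f"{GC_PORTS['ldap']}/{GC_PORTS['ldaps']} on the identity source"
                     if referral else None),
        })
        pending_code = None
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG, "child.domain.com"):
        print(f"code={f['code']} base={f['base']}")
        if f["hint"]:
            print("  ->", f["hint"])
```

Run it against a copy of the real log with the identity source's domain as the second argument to analyze(). One caveat before relying on the GC ports as the fix: a global catalog server carries only the partial attribute set for objects from other domains, and it holds the membership of universal groups but not of global or domain local groups from other domains, which is why the question about group type in the reply below matters.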
Sean,
I have a couple of questions:
0. Is the child user's UPN suffix different from child.parent.dom?
1. What is the parent (level 1) group type, referring to:
http://technet.microsoft.com/en-us/library/cc755692%28v=ws.10%29.aspx
2. What is the parent group DN in AD (level 1)?
3. What is the child user DN in AD (level 2)?
4. Is the parent group a member of another group, and what rights does the parent group inherit?
5. What are the login user DN, group search DN and user search DN of identity store 1 (configured for parent.dom)?
6. What are the login user DN, group search DN and user search DN of identity store 2 (configured for child.parent.dom)?
Hi,
Try adding one of these ports to the end of your LDAP identity configuration: 3286, 636, or 389. Depending on your environment, one of them should fix your problem. I have written a blog post on that with a bit more detail; you can check it out at: http://www.virtualizationteam.com/cloud/how-to-fix-vcac-6-ad-login-is-very-slow.html
Thanks,
Eiad Al-Aqqad
Any update on this? I am experiencing this exact same issue.
I recreated my AD connection, and that fixed this issue for me.