Good Afternoon,
Does anyone know if it is possible to configure Orchestrator so that users in multiple child domains of a single forest can access the application? I have tried setting my LDAP paths to the root domain, but it only appears to work if I set my paths to the child domain in which the accounts are defined.
Any help appreciated,
Dave.
This should work but the root AD needs to be a Global Catalog server. In this case, the GC will issue LDAP referrals to the proper child DC for authentication.
Bill
Good Morning,
Thanks for the information, but I am still struggling to get this to work. I am trying to set this up as shown below.
Root domain - flintstone.org
Child domain 1 - fred.flintstone.org
Child domain 2 - wilma.flintstone.org
Primary LDAP - dc1.flintstone.org
Root - dc=flintstone, dc=org
Use Global Catalog - checked
User lookup base - dc=flintstone, dc=org
Group lookup base - dc=flintstone, dc=org
vCO Admin Group - cn=vCOAdmins, OU=AdminGroups, dc=fred, dc=flintsone, dc=org
If I apply those settings then I am told that the user is not a member of the vCO Admin group even though it is, and my Plug-ins settings shows an error. If I login using the vCO client then I cannot find any virtual machines when I try and run a simple workflow such as the Extract VM Information workflow.
What I am trying to achieve is to allow users from both the fred.flintstone.org and the wilma.flintstone.org domains to use vCO. Can you please tell me if my configuration looks right or if I am making some obvious error?
Thanks,
Dave.
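An added example, not part of the original thread: a small Python check that every DN in a directory configuration sits under the configured root and maps to a known domain, run over the values exactly as typed in the post above. The function names, the CONFIG keys and the KNOWN_DOMAINS set are assumptions made for this illustration; as typed, the admin group DN contains dc=flintsone, so it is reported by all three checks.

```python
# Added example: sanity-check the DNs of an LDAP/AD configuration.
# CONFIG is constructed from the values quoted in the post above.

def parse_dn(dn):
    """Split a simple DN into lowercase (attribute, value) pairs.
    Assumes no escaped commas, which holds for the DNs in this thread."""
    pairs = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        pairs.append((attr.strip().lower(), value.strip().lower()))
    return pairs

def dns_domain(dn):
    """DNS domain implied by the dc= components, e.g. fred.flintstone.org."""
    return ".".join(v for a, v in parse_dn(dn) if a == "dc")

def is_under(dn, base):
    """True when dn is at or below base (base's RDNs form dn's suffix)."""
    d, b = parse_dn(dn), parse_dn(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b

def check_config(cfg, known_domains):
    """Return a list of human-readable findings; empty means consistent."""
    findings = []
    root = cfg["root"]
    for key in ("user_lookup_base", "group_lookup_base", "admin_group"):
        dn = cfg[key]
        if not is_under(dn, root):
            findings.append(f"{key}: {dn!r} is not under root {root!r}")
        if dns_domain(dn) not in known_domains:
            findings.append(f"{key}: {dns_domain(dn)!r} is not a known domain")
    if not is_under(cfg["admin_group"], cfg["group_lookup_base"]):
        findings.append("admin_group is outside group_lookup_base")
    return findings

KNOWN_DOMAINS = {"flintstone.org", "fred.flintstone.org", "wilma.flintstone.org"}
CONFIG = {
    "root": "dc=flintstone, dc=org",
    "user_lookup_base": "dc=flintstone, dc=org",
    "group_lookup_base": "dc=flintstone, dc=org",
    "admin_group": "cn=vCOAdmins, OU=AdminGroups, dc=fred, dc=flintsone, dc=org",
}

if __name__ == "__main__":
    for finding in check_config(CONFIG, KNOWN_DOMAINS):
        print(finding)
```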
Is the user fred directly part of the vcoAdmins group, or 'via' other groups?
It should work if your domain is configured as a tree. Referrals do not work if the domains are part of the same forest but not of the same tree.
How did you configure the vCenter 4.0 plugin? To be able to see VMs, you must add vCenter servers in it. If you use the default configuration when adding a vCenter server, the user that is accessing vCenter must not be the same as the user accessing vCO.
Good Morning,
The vCO user is a member of the vCOAdmins group and the domains are child domains of the root domain as shown below.
             flintstone.org
              /          \
fred.flintstone.org    wilma.flintstone.org
The vCOAdmin group is in the fred.flintstone.org child domain.
What I am trying to achieve is for users in both of the child domains to be able to use Orchestrator.
I have configured the vCentre plug in and if I set the search paths to start at the fred.flintstone.org level then it works, but users from the wilma.flintstone.org child domain cannot use Orchestrator.
Thanks for your time and effort in looking at this.
Regards,
Dave.
Could you try to use a Group from the main flintstone.org domain?
Curious if you ever resolved this issue, or if anyone else has encountered it, as this is a rather old post. I am encountering a similar situation.
Using your model for illustration, I created a VCOAdmin group in the fred.flintstone.org child domain, with members from the wilma.flintstone.org child domain. You cannot login to VCO using a wilma.flintstone.org AD account, but you can using a fred.flintstone.org AD account. Seems odd, as AD authentication for RDP is working fine for wilma.flintstone.org accounts, with the VCO server being located within the fred.flintstone.org domain.
We've worked around this in the past by placing the VCO service account in the same child domain as the user accounts, but that's not consistent with our architectural standards. All items with the VCO config sections are green.
Any guidance on solving would be appreciated.
Has anyone had any luck (or encountered an issue) with this??? It's extremely frustrating. I am able to add the VCO-Admin group which contains members from a different domain, however you cannot login to the VCO client as one of those users.