VMware Cloud Community
ChaseWachtel
Contributor

No User or Groups show up in VCO Permissions

I have a vCenter Orchestrator 5.5 appliance with SSO authentication. When I go to add permissions to workflows, webviews, etc., I search for a user that has rights in vSphere, but the user does not show up in the VCO Permissions Chooser. I even hit 'enter' on a blank line to try to get all available users/groups, but none appear to select. vCenter is integrated with Active Directory. Please let me know if there is any other information that I may have left out that would be useful. Thanks!

0 Kudos
17 Replies
tschoergez
Leadership

You have to hit the "Enter" key once, or just start typing in the filter field.

Then you should see the groups appearing.

Cheers,

Joerg

0 Kudos
ChaseWachtel
Contributor

Yes, I mentioned that in my post. Even after I hit 'Enter' nothing appears.

0 Kudos
tschoergez
Leadership

Oops, sorry, I missed that.

Can you successfully use the "test login" in the vCO configuration pages with non-admin users?

How large is your directory?

0 Kudos
ChaseWachtel
Contributor

Yes, I use an admin user account and a test account and they both test successfully on the configuration page. Our directory is decently large, probably around 10,000 users.

0 Kudos
tschoergez
Leadership

OK. Be aware that you can only assign permissions to groups, not to single users. So in this chooser only groups will be shown.

Next troubleshooting step would be to check the server.log of vCO for errors...

0 Kudos
ChaseWachtel
Contributor

Excellent, thank you for your help so far. I think I have found the issue. Here is a related log:

2014-01-03 11:28:21.295-0500 [http-bio-10.67.109.233-8281-exec-1] WARN  {} [LdapCenterImpl] Unable to fetch all elements from LDAP : Error...:[Idm client exception: Failed to establish server connection][javax.naming.NamingException]

I will try to dig a little deeper.

0 Kudos
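For anyone following the "check server.log" step, here is an added example (not from any poster in this thread and not VMware code) that pulls the LdapCenterImpl warnings out of a log and groups them by their bracketed cause. It assumes every entry follows the layout of the one line quoted above; apart from that line, the sample entries and the names `ldap_failures` and `summarize` are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Layout inferred from the one server.log line quoted in this thread;
# that every entry follows it is an assumption.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}[+-]\d{4}) "
    r"\[(?P<thread>[^\]]+)\]\s+(?P<level>[A-Z]+)\s+\{[^}]*\}\s+"
    r"\[(?P<logger>[^\]]+)\]\s+(?P<msg>.*)$"
)
CAUSE_RE = re.compile(r"\[([^\[\]]+)\]")  # trailing [cause][exception class] groups

# Line 2 is the entry from the thread; the rest are constructed for the example.
SAMPLE_LOG = """\
2014-01-03 11:28:20.101-0500 [http-bio-10.67.109.233-8281-exec-1] INFO  {} [ConstructedLogger] constructed filler entry
2014-01-03 11:28:21.295-0500 [http-bio-10.67.109.233-8281-exec-1] WARN  {} [LdapCenterImpl] Unable to fetch all elements from LDAP : Error...:[Idm client exception: Failed to establish server connection][javax.naming.NamingException]
\tat constructed.stack.Frame(Constructed.java:1)
2014-01-03 11:30:02.010-0500 [http-bio-10.67.109.233-8281-exec-3] WARN  {} [LdapCenterImpl] Unable to fetch all elements from LDAP : Error...:[Idm client exception: Failed to establish server connection][javax.naming.NamingException]
"""


def ldap_failures(lines, logger="LdapCenterImpl", levels=("WARN", "ERROR")):
    """Return parsed WARN/ERROR entries from the given logger, skipping
    continuation lines (stack traces) that do not match the entry layout."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["logger"] != logger or m["level"] not in levels:
            continue
        hits.append({
            "time": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f%z"),
            "thread": m["thread"],
            "summary": m["msg"].split("[", 1)[0].rstrip(" .:"),
            "causes": CAUSE_RE.findall(m["msg"]),
        })
    return hits


def summarize(failures):
    """Count failures by their first bracketed cause (or the summary text)."""
    return Counter(f["causes"][0] if f["causes"] else f["summary"] for f in failures)


if __name__ == "__main__":
    for cause, n in summarize(ldap_failures(SAMPLE_LOG.splitlines())).items():
        print(f"{n:4d}  {cause}")
```

A steady count of "Failed to establish server connection" points at connectivity or trust between vCO and the identity source rather than at the permissions chooser itself.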
tschoergez
Leadership

http://www.vcoportal.de/2011/07/troubleshooting-ldap-erros-in-vco/

This article gives some details on how to analyze LDAP errors in vCO. The links there point to a list of all the LDAP error codes and their explanations.

Cheers,

Joerg

0 Kudos
daijowen
Contributor

Morning all,

I'm getting exactly the same issue. I'm running on vSphere 5.5b and am in the process of downloading 5.5 Update 1 to see if it's resolved in this release. Fingers crossed. I will re-post if it does fix it. If not, has anyone managed to work around this issue yet?

Kind regards,

Dai

0 Kudos
daijowen
Contributor

Upgrading to 5.5 Update 1 did not fix the issue. I'm logging a call with VMware and will let you know if I get it fixed.

0 Kudos
pfries_hwell
Contributor

Just FYI, I am having the exact same issue. I need to add the users to the vcoadmin group in SSO in order to get them access to the workflows.

0 Kudos
ChaseWachtel
Contributor

I should have written back months ago. I finally figured it out. It had to do with fully qualified domain names and using that for authentication. We have a domain (domain.com for example) and some certificates were imported as just the server name, while others were imported with the FQDN. From my understanding, this affected how users would authenticate. vCenter would think a user was a domain account while Orchestrator was sending local accounts.

I eventually made my domain.com the default domain used for authentication in vCenter and imported all certificates using the FQDN. Hope this helps!

0 Kudos
weda
Enthusiast

Hello, does anyone have an update on this?

0 Kudos
jogits
Enthusiast

I'd love to know as well. I have the exact same issue. Do not believe that I have imported any certificates with short names. Only FQDN.

The root domain of our forest is set as default domain for the vCenters but still nothing shows up in the list.

0 Kudos
schepp
Leadership

Hey jogits,

There seems to be a bug. I encountered that problem when I added the AD through the Windows Integrated Authentication, which is new in 5.5, as Identity Source in SSO.

When I switched to AD as LDAP, it worked.

Either use this workaround if this is your problem as well or create a SR with VMware. They might provide a patch for your vCO.

Tim

0 Kudos
weda
Enthusiast

Hello,

I opened up a support case and I was told that it is a bug in a special VCO build we were using. So I was told to replace some files on the VCO app and that solved the problem for me.

0 Kudos
daijowen
Contributor

Yeah, I also logged a call with VMware and they supplied me with a patch (this was also a number of files that I had to replace on my server with VCO installed). It corrected the issue for me and I've had no issues since.

0 Kudos
jogits
Enthusiast

Hello weda,

Thanks for the info. Will log an SR with VMware then. I am using the virtual appliance but that should still be possible to patch.

Tim Scheppeit, we are using the IWA authentication, but long story short: we started with vSphere 5.1 SSO and AD over LDAP, which did not work at all. Quickly upgraded to vSphere 5.5 to get IWA. Had initial problems with IWA and were advised by VMware to go back to AD over LDAP. Worked for a while, then AD groups no longer worked. Were advised by VMware to go to IWA and now it works. So I would hate to go back to LDAP again as it is a pain adding 23 domains via LDAP :)

0 Kudos