VMware Cloud Community
ArrowSIVAC
Enthusiast

vCenter 6 Appliance - AD Integration Group Failing to add Rights

Fresh build and installation of vCenter 6u1. Single AD environment. Basic setup of nodes migrated from a working and existing vCenter 6 (Windows installation) into this new installation (i.e. AD works and is still working with the other vCenter 6).

Setup was per a guide I found online, plus my own notes:

##################

Now Join system authentication to AD and set permissions:

http://wojcieh.net/vcenter-server-appliance-6-vcsa-configuration/


Input Domain Details: Example  "ibm.aessatl.arrow.com"


Test


Assign "IBM\Domain Admins" to top level rights of vCenter

Global Permissions -> "+"


Select group "domain admins"


Add


Set Permission for vCenter based on same steps above


Now set the SSO permission for the appliance:

vCenter Home -> Administration -> Manage

################

When I log in, I get "no inventory".

When I add a user from AD, it gives me rights (i.e. AD is working), so it is some kind of group permission issue.

Nothing I see in the logs helps debug this. Any ideas?

Thanks,

Accepted Solutions
ArrowSIVAC
Enthusiast

After several attempts, reloading, and using test systems, I figured out the way to get it to work.

You have to get the vCenter server to join AD, not just add AD as an authentication source.

Example:

1) Remove all current AD / LDAP sources and assigned permissions first

2) Join vCenter appliance to AD

Log in to vCenter via the SSO administrator account -> Home -> Administration (left menu) -> Deploy (left menu) -> System Configuration

Select "node", which should list the vCenter server -> Manage (tab on top) -> Advanced -> Active Directory -> choose the "Join" button

Input the settings for the domain (leave organizational unit blank for most customers) and input a "domain admin" user who can join systems to the domain


The task will run and show nothing intelligent, but no error means success, even though the Java client does not refresh to show that it is now in the domain.

Reboot vCenter. Log in again as the administrator SSO account and verify that the vCenter host is in the domain.


You can also see that the vCenter server is a host in AD as a computer object (Active Directory Users and Computers -> OU "Computers").


Now return to add AD as an authentication source:

Home -> Administration (left menu) -> Single Sign-On (left menu) -> Configuration -> click "+" to add a new source

Choose the top option for AD and change no other settings.


The last step is to add the group "Domain Admins" from the domain as a member of the "Administrators" role of vCenter.

Now when you log in as "ibm\jsmith" you should see objects and have permissions.

Hope this helps someone.
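As an added check (not part of the original post or of VMware's own tooling): before adding AD as an identity source, confirm from the appliance shell that the VCSA really is joined to the expected domain, since group permissions only resolve once the machine account exists. It assumes the Likewise `domainjoin-cli` binary at `/opt/likewise/bin/domainjoin-cli` that VCSA 6.x ships; the sample outputs and hostname `vcsa01` are constructed.

```shell
#!/bin/sh
# Parse `domainjoin-cli query` output (read from stdin) and confirm the
# appliance is joined to the domain given as $1. Returns 0 when joined to
# that domain, 1 when not joined at all or joined to a different domain.
check_join_status() {
    expected=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    out=$(cat | tr -d '\r')
    joined=$(printf '%s\n' "$out" | sed -n 's/^Domain *= *//p' | tr '[:upper:]' '[:lower:]')
    dn=$(printf '%s\n' "$out" | sed -n 's/^Distinguished Name *= *//p')
    if [ -z "$joined" ]; then
        echo "NOT JOINED: no AD domain; join the appliance before adding the identity source"
        return 1
    fi
    if [ "$joined" != "$expected" ]; then
        echo "WRONG DOMAIN: joined to '$joined', expected '$expected'"
        return 1
    fi
    # The DN is what you cross-check against the computer object in ADUC.
    echo "OK: joined to $joined (computer object: ${dn:-unknown})"
    return 0
}

# Constructed sample outputs in the format domainjoin-cli query produces.
SAMPLE_JOINED='Name = vcsa01
Domain = IBM.AESSATL.ARROW.COM
Distinguished Name = CN=vcsa01,CN=Computers,DC=ibm,DC=aessatl,DC=arrow,DC=com'

SAMPLE_NOT_JOINED='Name = vcsa01
Domain = '

# Live use on the appliance (assumed path, VCSA 6.x):
#   /opt/likewise/bin/domainjoin-cli query | check_join_status ibm.aessatl.arrow.com
```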
