VMware Cloud Community
pecek
Contributor

5.5 - authentication problem with AD DS

Hi,

I've just installed VCA 5.5 and added it to the AD DS domain with the appliance menu. Then, after logging in to the Web Client, I tried to add an Identity Source with my domain (AD Integrated Windows Authentication), using the machine account or later with an SPN.

After adding the domain I switched to Users and Groups and then tried to add an AD group to Administrators. But when doing it in Add Principals (switched to the AD DS domain) I get an empty list and the error: "Cannot load users for the selected domain.".

I've even tcpdumped the communication between vCenter and the AD DS domain controller, and what I can see is:

  0050: 3030 3034 4443 3a20 4c64 6170 4572 723a  0004DC: LdapErr:
  0060: 2044 5349 442d 3043 3039 3036 4444 2c20   DSID-0C0906DD,
  0070: 636f 6d6d 656e 743a 2049 6e20 6f72 6465  comment: In orde
  0080: 7220 746f 2070 6572 666f 726d 2074 6869  r to perform thi
  0090: 7320 6f70 6572 6174 696f 6e20 6120 7375  s operation a su
  00a0: 6363 6573 7366 756c 2062 696e 6420 6d75  ccessful bind mu
  00b0: 7374 2062 6520 636f 6d70 6c65 7465 6420  st be completed
  00c0: 6f6e 2074 6865 2063 6f6e 6e65 6374 696f  on the connectio
  00d0: 6e2e 2c20 6461 7461 2030 2c20 7631 3737  n., data 0, v177
  00e0: 3200                                     2.

What's wrong? How can I set it up?

Regards,

p.

20 Replies
abhilashhb
VMware Employee

It says a successful bind must be performed. Did you specify the Base DN and other things properly?

Abhilash B
LinkedIn : https://www.linkedin.com/in/abhilashhb/

pecek
Contributor

No, I can't. How can I do this in Active Directory (integrated Windows Authentication)?

The document I used to configure it: http://www.vladan.fr/vcsa-5-5-installation-configuration-part-2/

Of course, I know that I can set up AD DS with the second option (LDAP), but I want to have it done like in the link.

Regards,

p.

admin
Immortal

Hi,

Please follow the steps below to properly configure the vCVA with AD and add AD as an Active Directory (Integrated Windows Authentication) identity source using the machine account:

Requirements:
A. Configure networking. Please refer to the "First start of virtual Appliance" section in https://www.vmware.com/support/developer/studio/studio26/va_user.pdf
B. Use the likewise binary to try looking up SRV records:
/opt/likewise/bin/lw-get-dc-name <your_domain_name>

Process:
1. Fresh deployment of VCVA.
2. Open VAMI at port 5480.
3. Configure Likewise under vCenter Server -> Authentication. Bind the VCVA machine to the domain using Administrator credentials. The UI says a restart is needed for this to take effect, but it actually isn't.
4. Login to VCVA WebClient port 9443 as administrator@vsphere.local / vmware
5. Go to Administration -> Configuration
6. Add identity source.
7. Pick Use Machine Account.
8. Domain from step 3 should be automatically selected.
9. Select Active Directory (integrated Windows Authentication).
10. Open Users and Groups
11. Select domain from dropdown
12. See list of users.

I will try to update this if an official KB document becomes available.

Thanks

Srinu

pecek
Contributor

That's exactly what I've done. Step by step, and still the same problem.

vcenter2:~ # /opt/likewise/bin/lw-get-dc-name my.domain.com
Printing LWNET_DC_INFO fields:
===============================
dwDomainControllerAddressType = 23
dwFlags = 12796
dwVersion = 5
wLMToken = 65535
wNTToken = 65535
pszDomainControllerName = DC2.my.domain.com
pszDomainControllerAddress = 10.123.5.21
pucDomainGUID(hex) = 34 DC 27 8B 03 FA B4 4B A0 89 AE 84 29 29 4E A3
pszNetBIOSDomainName = BM
pszFullyQualifiedDomainName = my.domain.com
pszDnsForestName = my.domain.com
pszDCSiteName = Default-First-Site-Name
pszClientSiteName = Default-First-Site-Name
pszNetBIOSHostName = DC2
pszUserName = <EMPTY>

OscarDavey
Hot Shot

Hello, try to disjoin from the domain (remove Active Directory roles), then join again and then try to do it again. Hope it will help.

Your Oscar

iamsiju
VMware Employee

Hope DNS resolution is proper in the appliance for the DC machine and vice versa. Also noticed that "pszUserName = <EMPTY>". Shouldn't it be a domain user/Administrator account name?

**if you found this or any other answer useful, please consider allocating points for helpful or correct answers**
dpomeroy
Champion

Just wanted to say I'm having the exact same problem. You are not configuring it wrong; something is not working right. Adding our domain as "AD as LDAP" gives me a different set of errors. So far I'm not impressed with the new and improved SSO 5.5. I've had an SR open for about a week now; I'll update this if they find out what is going on.

azn2kew
Champion
Champion

I am not using the vCenter 5.5 appliance, but I have a fresh install of vCenter 5.5 and I am also having issues logging in with my AD credentials. I can only log in to vCenter Server using the web client with the administrator@vsphere.local account, so I tried to add mydomain.local to the web client console as the default identity source, and I was able to add my groups/users to the vCenter permissions tab, but I am still not able to connect using any of the accounts I added in vCenter permissions.

Does anyone know if SSO 5.5 has a bug with AD authentication, or if something needs to be done? At this point I can only manage it using the default account administrator@vsphere.local. Apparently this is in a lab before migrating to production, so this is expected for a POC/RD/TEST lab.

Thanks in advance.

If you found this information useful, please consider awarding points for "Correct" or "Helpful". Thanks!!! Regards, Stefan Nguyen VMware vExpert 2009 iGeek Systems Inc. VMware vExpert, VCP 3 & 4, VSP, VTSP, CCA, CCEA, CCNA, MCSA, EMCSE, EMCISA
azn2kew
Champion

I am still not able to resolve this with a fresh install of vCenter 5.5, but I've tried loading the vCenter 5.5 appliance and did the same procedure: added mydomain.local to the identity source, set it as default and added my mydomain\username, and I was able to log in with AD credentials, but still not on the fresh-installed vCenter 5.5 server.

Do we know if this is a known bug, or something else that makes it unable to authenticate? Has anyone experienced the same issue or not? If not, can you tell me you're doing just fine without any issue with a fresh install?

a_p_
Leadership

I'm currently aware of two issues related to AD authentication. For both of them, VMware provides a workaround/solution in the KB.

http://kb.vmware.com/kb/2060873

http://kb.vmware.com/kb/2060901

André

azn2kew
Champion

Thanks A.P.

The KB article on Windows 2012 and SSO 5.5 is indeed the problem, and following the instructions to replace the IDM.dll file with the new one provided in the article proved to fix the problem. But you will need to restart the vCenter 5.5 server for this to work, because what is in the KB alone doesn't work; I had to reboot it and was then able to log in.

Perhaps it could take time for AD replication or whatever is needed, but if it doesn't work, just reboot your vCenter and it should be fixed.

Thanks again.

PetrosPatalas
Contributor

Please try to follow the KB article below and create a PTR record for your domain controller:

Troubleshooting Single Sign-On and Active Directory domain authentication with the vCenter Server Appliance (2033742)

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=203374...

OscarDavey
Hot Shot

Did you manage to remove and re-join to the domain?

What was the outcome?

peter_dyer123
Contributor

I had the same problem; the PTR record was the issue for me (see the troubleshooting KB).

Rlance
Contributor

Hello All,

I had the same issue when I created my lab environment. Peter_dyer123 is absolutely right, and what the KB does not mention is that an Active Directory DNS out of the box does not create a reverse lookup zone. It is not needed to run AD, but some applications (like VCSA) need it. No reverse lookup means no PTR record. Do not create a PTR in the forward lookup DNS zone; that is bad form.

Create a reverse lookup using this link:

Adding a Reverse Lookup Zone

Once you have done that, you'll need to specify your network ID (during zone creation). For basic installs, this is the same subnet that your AD\DNS is in (NOT the subnet mask).

Once completed, you may need to manually add the PTR record of your Active Directory server into the reverse lookup zone. In theory you shouldn't, BUT I needed to do this to get it working.

Let me know if it helps others.

-Ryan
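A pre-flight check that ties Srinu's lw-get-dc-name step to Ryan's PTR point, added here as an example and not from the thread or from VMware: it parses the LWNET_DC_INFO output shown earlier for the DC name and address, then verifies that the A record and the PTR record agree before you add the identity source. It assumes the /opt/likewise/bin/lw-get-dc-name path from the thread and that dig is installed on the appliance.

```shell
#!/bin/sh
# DNS consistency check for joining VCSA 5.5 to AD: a missing or wrong PTR
# for the DC is the cause of "Cannot load users for the selected domain"
# reported in this thread. Assumed path from the thread; dig is assumed present.
LW_GET_DC_NAME=/opt/likewise/bin/lw-get-dc-name

# Print the value of one "key = value" field from lw-get-dc-name output on stdin.
dc_field() {
    awk -v key="$1" '$1 == key && $2 == "=" { print $3; exit }'
}

# Normalize a DNS name: lower-case and strip the trailing dot that dig appends.
norm_name() {
    printf '%s\n' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//'
}

# Succeed (return 0) only when the PTR answer names the same host as the DC name.
ptr_consistent() {
    [ -n "$2" ] && [ "$(norm_name "$1")" = "$(norm_name "$2")" ]
}

# Live check: locate the DC the way Likewise does, then compare A and PTR records.
check_dc_dns() {
    info=$("$LW_GET_DC_NAME" "$1") || { echo "Likewise could not locate a DC for $1"; return 1; }
    dc_name=$(printf '%s\n' "$info" | dc_field pszDomainControllerName)
    dc_addr=$(printf '%s\n' "$info" | dc_field pszDomainControllerAddress)
    fwd=$(dig +short A "$dc_name" | head -n 1)
    ptr=$(dig +short -x "$dc_addr" | head -n 1)
    echo "DC: $dc_name  addr=$dc_addr  A=$fwd  PTR=${ptr:-<none>}"
    [ "$fwd" = "$dc_addr" ] || { echo "A record for $dc_name does not match $dc_addr"; return 1; }
    ptr_consistent "$dc_name" "$ptr" || {
        echo "missing or mismatched PTR for $dc_addr: add it to the reverse lookup zone"; return 1; }
    echo "forward and reverse DNS agree; proceed with the identity source"
}

# Usage: sh check_dc_dns.sh my.domain.com
if [ "$#" -eq 1 ]; then
    check_dc_dns "$1"
fi
```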

abdullahmukadam
Contributor

I was having the same issue.

After checking the DNS entries, I found there was no PTR record pointing to the AD server in the Reverse Lookup Zone.

I manually added an entry in the Reverse Lookup Zone pointing to the AD hostname, and this error "cannot load users from selected domain" in SSO was gone and I was able to see the users.

Hope this helps.

Abby

ronmanu07
Enthusiast

Hi All,

I'm also having this issue; I'm getting intermittent errors of the server taking too long to respond and of not having permissions. It all worked fine for about 6 hours and has broken again...

RoadRunnr
Contributor

It did work for me on vCSA 5.5.0a, and the upgrade to 5.5.0b broke it.

The DNS PTR is set up and lw-get-dc-name looks OK, but the SSO log shows strange errors:

vmware-sts-idmd.log:

2014-01-20 09:21:21,947 WARN   [LdapErrorChecker] Error received by LDAP client: com.vmware.identity.interop.ldap.LinuxLdapClientLibrary, error code: 1
2014-01-20 09:21:21,947 ERROR  [LinuxLdapClientLibrary] Exception when calling ldap_one_paged_search: base=DC=tpip,DC=org, scope=2, filter=(objectClass=user), attrs=[Ljava.lang.String;@413249b, attrsonly=0, sizelimit=0
com.vmware.identity.interop.ldap.OperationsErrorLdapException: Operations error LDAP error [code: 1]
  at com.vmware.identity.interop.ldap.LdapErrorChecker$1.RaiseLdapError(LdapErrorChecker.java:32)
  at com.vmware.identity.interop.ldap.LdapErrorChecker.CheckError(LdapErrorChecker.java:826)
  at com.vmware.identity.interop.ldap.LinuxLdapClientLibrary.CheckError(LinuxLdapClientLibrary.java:781)
  at com.vmware.identity.interop.ldap.LinuxLdapClientLibrary.ldap_one_paged_search(LinuxLdapClientLibrary.java:565)
  at com.vmware.identity.interop.ldap.LdapConnection$5.call(LdapConnection.java:635)
  at com.vmware.identity.interop.ldap.LdapConnection$5.call(LdapConnection.java:632)
  ...

AD is Windows 2012 R2

Michelle_Laveri
Virtuoso

I had this problem too. Clean deployment of vCenter 5.5b. It wasn't the PTR record issue. It was an AD clean-up issue. I've had a number of vcnj.corp.com instances over time, and I had bum computer objects in AD referring to VCNJ from a previous life.

Resolution: I blew away the old computer objects, removed the vCSA authentication, and then re-added it to the domain. Success...

Regards

Mike

Regards
Michelle Laverick
@m_laverick
http://www.michellelaverick.com