Veers
Contributor

Cannot use group with user from another domain

Hi,

Just after updating my vSphere system to 5.1 (from 5.0), I noticed something strange with users and groups. Here is my setup:

2 domains: let's say Domain A and Domain B.

Domain B has a one-way trust relationship with domain A. In short, we want to be able to use Domain A logins on domain B.

All my vSphere systems are on domain B. I have SSO / vCenter server and a Web client. I also created a group named VC-Administrators on Domain which contains users from Domain A.

In 5.0, no trouble, all my admins can log in with domain A credentials.

In 5.1, nothing is working... I added both domains in the SSO configuration. My domain A users can log in to the web client, but they don't see any vCenter.

BUT, if I put a domain A user directly as a vCenter administrator, it's working.

So, somewhere something doesn't see users from domain A if they are in a group in domain B. Users on domain A in domain A work great, and B in B also...

I also tried a fresh install, same result.

Any idea?

Thank you,

Ben

3 Replies
ramkrishna1
Enthusiast

Hi Veers,

Welcome to the communities.

Again, the trust relationship comes into play, and they are working on their home domain.

If the trust relationship is OK, then check the firewall and that the services are running in auto mode.

"concentrate the mind on the present moment."
Veers
Contributor

I'm not sure what you're asking, but my trust is working (I can log in with a domain A user on a domain B computer).

I tried today to add an SSO group with a domain A user and use this group for permissions, and this is working...

So, I will stay with that solution for now, unless someone has another idea.

Thanks!

benbjamin24
Enthusiast

Hey Ben,

We had this exact same problem and were able to work around it by changing the LDAP query in SSO to only query the users OU and not the whole directory. We also saw faster lookups for assigning permissions and logging in.

Ben VCP