VMware Cloud Community
BWollenzien
Contributor

Lost ability to login with AD after vCenter 5.5 upgrade

Okay, now this is confusing me.  This is the second time this has happened (two different upgrades/environments).

I had upgraded from 5.1 to 5.5, and in both cases, after vCenter (simple install/upgrade that does all the required stuff) was upgraded, I could no longer log into vCenter with my domain admin account.  I had to use the default (local) account, administrator@vsphere.local.   After logging in to the web client, I could see under Administration -> Single Sign On -> Configuration that my domain WAS listed there as AD Integrated.  So all I had to do was select my vCenter server and go to the Permissions tab, then add Domain Admins to the Administrator role and make sure it's applied down to the children.   Doing this allows me to log in to the vSphere Client or Web Client with a domain admin account.

Question is, if the AD stuff was working prior to the 5.5 upgrade, why is 5.5 breaking it?  Twice this has happened for me now in two different VMware environments.  Did that part of the upgrade just break or something?

Regards.

GMCON
Enthusiast

Here is what I have found with admins running into this problem.  Pre-5.5 SSO used the local Administrators group on the server to grant rights, and a lot of people just used that for the Domain Admins.  As Domain Admins is normally part of the local computer Administrators group, no one explicitly adds it in vCenter as Administrator.  The nested groups of the local Administrators group are no longer recognized and do not work.  Hence why you had to add it in.  Here is a blog post on the issue.

vCenter Single Sign-On 5.5 Not Recognizing Nested Active Directory Groups | VMware vSphere Blog - VM...
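The fix described in the original question (log in as the SSO local administrator, grant Domain Admins the Administrator role at the top of the inventory, propagate to children) and the reason given in the reply (membership inherited through the local Administrators group is no longer resolved, so the AD group needs a direct assignment) can be scripted with PowerCLI instead of clicking through the Web Client. The following is an added example and is not code from the thread or from VMware; it assumes PowerCLI (VMware.VimAutomation.Core) is loaded, and the vCenter hostname "vcenter.example.com" and the AD domain "CORP" are hypothetical placeholders. It first audits what permissions already exist at the root, then adds the explicit group assignment only if it is missing.

```powershell
# Added example, not from the original thread or from VMware.
# Assumed placeholders: vCenter "vcenter.example.com", AD NetBIOS domain "CORP".
param(
    [string]$VCenter   = "vcenter.example.com",
    [string]$Principal = "CORP\Domain Admins"
)

# 1. Connect with the SSO local administrator, the account that still works after the upgrade.
$cred = Get-Credential -UserName "administrator@vsphere.local" -Message "vCenter SSO local administrator"
Connect-VIServer -Server $VCenter -Credential $cred | Out-Null

# 2. Top of the inventory. -NoRecursion returns only the root folder, which is where
#    the Web Client "Permissions" tab on the vCenter object assigns rights.
$root = Get-Folder -NoRecursion

# 3. Audit: who already holds a permission at the root, and is the AD group listed directly?
#    After 5.5 only direct assignments count; rights inherited through nested membership
#    of the local Administrators group are not resolved.
$existing = Get-VIPermission -Entity $root
$existing | Select-Object Principal, Role, Propagate | Format-Table -AutoSize

$direct = $existing | Where-Object { $_.Principal -eq $Principal }
if ($direct) {
    Write-Host "'$Principal' already has a direct permission at the root: role=$($direct.Role) propagate=$($direct.Propagate)"
} else {
    # 4. Grant the group the built-in Administrator role (internal name "Admin"),
    #    propagated to all child objects, as a direct assignment.
    $adminRole = Get-VIRole -Name "Admin"
    New-VIPermission -Entity $root -Principal $Principal -Role $adminRole -Propagate:$true | Out-Null
    Write-Host "Granted '$Principal' the Administrator role at the root, propagated to children."
}

Disconnect-VIServer -Server $VCenter -Confirm:$false
```

Run it once per upgraded vCenter after confirming the AD domain still shows as an identity source under Single Sign On -> Configuration. The audit step is worth keeping even if you prefer the Web Client: it makes it obvious whether the domain group is present as its own principal or was only ever reaching Administrator through the server's local Administrators group.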