VMware Cloud Community
MrST
Contributor

VCSA 6 and AD integration

Hi All,

I have built my first vCenter 6 appliance and I am having issues resolving users in the AD domain. I have successfully been able to join the domain and have created the PTR record for reverse lookup, but I still get "cannot load users from selected domain" when trying to add a group or user to global permissions.

Any ideas? All help will be appreciated.

Thanks

Sunny


11 Replies
npadmani
Virtuoso

You also have to add your AD domain as an Identity Source within SSO.

Have you done that?

If not, please find more info about how to do that at the following vSphere 6 documentation link:

vSphere 6.0 Documentation Center

Narendra Padmani VCIX6-DCV | VCIX7-CMA | VCI | TOGAF 9 Certified
MrST
Contributor

Hi Narendra,

Yes, I have added the domain to Identity Source. I am able to log in to VCSA with domain credentials but have no permissions to do anything. I can see the domain in the drop-down list, and when it is selected I get the error "cannot load users from selected domain".

Thanks

Nithy07cs055
Hot Shot

Okay, try adding a local user first and grant the user administrator privilege, log in using that, then give it a try.

Thanks and Regards, Nithyanathan R
npadmani
Virtuoso

Let's say you logged in to the web client using the SSO admin account called administrator@vsphere.local,

then you added an identity source (let's say your AD domain is abc.com).

Now, while still in the same SSO admin account, try to assign permissions on the vCenter inventory to user/group accounts from abc.com.

Now you are ready to log in to the vSphere Web Client using that abc.com user account, and you will be able to work.

Narendra Padmani VCIX6-DCV | VCIX7-CMA | VCI | TOGAF 9 Certified
npadmani
Virtuoso

If it keeps telling you 'cannot load user or group accounts' from the identity source, please delete the identity source from SSO and re-create it.

Have you added AD as Integrated Authentication or AD over LDAP?

Narendra Padmani VCIX6-DCV | VCIX7-CMA | VCI | TOGAF 9 Certified
MrST
Contributor

Hi

I have installed AD as integrated service. I will try deleting the identity service and re-adding it.

The strange point is vSphere works with domain accounts (AD domain) but the web client doesn't.

MrST
Contributor

Deleted the Identity Source and re-added it, and this made no difference.

npadmani
Virtuoso

Please take a screenshot of the activity you are trying to do and let me have a quick look at it.

Narendra Padmani VCIX6-DCV | VCIX7-CMA | VCI | TOGAF 9 Certified
MrST
Contributor

Hi, sorry, I have been away for a week.

I have got further: I can log in using AD auth via the vSphere Client but not via the Web UI. What logs or screenshots would you like?

Thanks

Sunny

npadmani
Virtuoso

If you are able to log in using AD credentials in the vSphere Client but the same thing is not happening in the web client, then it's the identity source which is not reachable by SSO IDM.

Try to re-add the AD identity source by creating an SPN as described in the following KB article:

VMware KB: Creating and using a Service Principal Account in vCenter Single Sign-On 5.5

Narendra Padmani VCIX6-DCV | VCIX7-CMA | VCI | TOGAF 9 Certified
MrST
Contributor

Perfect... It seems that Machine Authentication doesn't work in VCSA 6; you need to use the SPN method.
