VMware Cloud Community
MikeErter
Enthusiast

vCenter 5.5 Permissions, Active Directory Groups and Single Sign-on

Hi VMware community,

I've seen something odd with nesting Active Directory groups and using nested groups to grant access (via Roles defined in vCenter) to objects in Inventory.

Is this an issue with vSphere 5.5 Single Sign-on or have I just (likely) done something wrong?

Basically it just seems like nested groups do not work.  I use a single AD group, add users to it, configure that AD group with permissions to an object in Inventory and that works fine.

This is with vCenter 5.5 and Single Sign-on with Active Directory as the default Identity Source.

Thanks for any advice!

5 Replies
peetz
Leadership

Hi Mike,

Can you please elaborate on your setup and describe the issue in as much detail as possible?

What kind of AD groups (Domain Local, Global, Universal) are you using? Does your setup involve multiple domains or forests? If yes, what kind of trusts are between them?

In the meantime, please check if this article could be related to your issue: VMware KB: vCenter Server not listed in the inventory after installing or upgrading to vSphere 5.5

Andreas

Twitter: @VFrontDe, @ESXiPatches | https://esxi-patches.v-front.de | https://vibsdepot.v-front.de
MikeErter
Enthusiast

Hi Andreas,

I was trying this with a single AD Forest and using Universal Security Groups nested inside of other Universal Security Groups.

Is that incorrect?

Thanks

MikeErter
Enthusiast

BTW, I just read the KB and I am not using nested groups from dissimilar Identity Sources.

peetz
Leadership

Hi Mike,

This is allowed and should work.

You will need to file a support request with VMware to get this sorted out.

Please reply back to this thread if you find a solution for this.

Thanks

Andreas

peetz
Leadership

Although this should work you may also try to put the users in Global groups, and the Global groups into Domain Local groups. Then assign the vCenter permission to the Domain Local groups.

I think this is general best practice for AD group nesting (unless you also want to use the groups as Distribution Lists).

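The nesting pattern Andreas describes (users in Global groups, Global groups in Domain Local groups, the vCenter permission on the Domain Local group), written out as an added example that is not part of the thread and not VMware's or the posters' code. It also checks, on the AD side, that the user really is an effective member of the Domain Local group before the permission is assigned, which separates "AD did not expand the nesting" from "SSO did not expand the nesting" when troubleshooting. The domain, OU, group names, user, vCenter host, folder and role below are hypothetical; it assumes the RSAT ActiveDirectory module and VMware PowerCLI are installed.

```powershell
# Added example (not from the thread). Builds the Global -> Domain Local nesting,
# verifies nested membership in AD, then grants the vCenter permission to the
# Domain Local group only.
# Assumed (hypothetical) names:
#   domain CORP, OU "OU=vSphere,DC=corp,DC=example", vCenter vcenter01.corp.example,
#   VM folder "Production", role "Virtual machine power user", user "jdoe".

Import-Module ActiveDirectory
Import-Module VMware.VimAutomation.Core

$ou        = 'OU=vSphere,DC=corp,DC=example'   # assumption
$domain    = 'CORP'                            # NetBIOS domain name, assumption
$globalGrp = 'vSphere-Prod-Operators-G'        # Global group: holds the users
$localGrp  = 'vSphere-Prod-PowerUser-DL'       # Domain Local group: holds Global groups, gets the permission
$user      = 'jdoe'                            # assumption

# 1. Users go into the Global group.
New-ADGroup -Name $globalGrp -GroupScope Global -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity $globalGrp -Members $user

# 2. The Global group goes into the Domain Local group.
New-ADGroup -Name $localGrp -GroupScope DomainLocal -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity $localGrp -Members $globalGrp

# 3. Ask AD itself whether the nesting resolves. The matching rule
#    1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN) walks memberOf
#    transitively on the domain controller, so this is the effective membership,
#    not just the direct one. If this check fails, the problem is in AD, not SSO.
$localDn   = (Get-ADGroup -Identity $localGrp).DistinguishedName
$effective = Get-ADUser -LDAPFilter "(memberOf:1.2.840.113556.1.4.1941:=$localDn)" |
             Select-Object -ExpandProperty SamAccountName
if ($effective -notcontains $user) {
    throw "$user is not an effective (nested) member of $localGrp in AD"
}

# 4. Assign the vCenter role to the Domain Local group, propagated down the folder.
Connect-VIServer -Server 'vcenter01.corp.example'
$role   = Get-VIRole -Name 'Virtual machine power user'
$entity = Get-Folder -Name 'Production' -Type VM
New-VIPermission -Entity $entity -Principal "$domain\$localGrp" -Role $role -Propagate:$true

# 5. Show what vCenter recorded on that object; IsGroup should be True for the
#    Domain Local group and no per-user entries should be needed.
Get-VIPermission -Entity $entity | Select-Object Principal, Role, Propagate, IsGroup
```

If step 3 passes but the user still cannot see the object in vCenter, the nesting is fine in AD and the gap is between SSO and the directory, which is the point at which a support request (as suggested above) is the right move. Note that the DN in the LDAP filter must be escaped if it contains characters such as `(`, `)` or `*`; the assumed names above contain none.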