VMware Cloud Community
kgottleib
Enthusiast

vSphere permissions after installation

During the vCenter 5.5 installation I defined a domain group for SSO administration rather than the default administrator@vsphere.local. I can't remember the exact details of the screen and its options, but it asked me to associate a user/group with SSO, and then there is a check box that allows you to check "this is a group", which I checked.

After completing installation, as I expected, I could log right into vCenter using the web client with a domain account. Yes, the option seems to have worked, because in other installations I performed, sticking with the default administrator@vsphere.local in the field, I could only log on with this account.

Here is the problem: although I can use my domain account to log in with the web client, it doesn't work with the standard C# client...

Can someone please explain what this is about? This really seems buggy to me...

I checked that the domain is an identity source, and it is; if not, I don't see how I could have logged into vCenter via the web client without this... yet I can't log in using the standard client.

Thanks in advance for helping get this ironed out.

a_p_
Leadership

To be honest, I never tried the installation this way. However, assigning a user or group to the SSO Administrators doesn't mean you have permissions on vCenter Server objects in the inventory. Please try to set permissions on the vCenter Server object in the inventory and then try to log in again from the Windows Client.

André

bayupw
Leadership

Hi

First, check your vCenter object permission.

Go to vSphere Web Client > Home > vCenter > Host and Clusters > highlight the vCenter > Manage Tab > Permissions

[Screenshot: vCenterPermissions.png]

Check which user/group has permission/access to the vCenter.

Then check your Identity Source & the default domain for vCenter SSO.

Log in with administrator@vsphere.local > Go to vSphere Web Client > Home > Administration > Single Sign-On > Configuration

[Screenshot: SSOConfiguration.png]

The default domain configuration affects how you enter the username to log in (login behavior).

If the default domain is set to the vsphere.local domain, then to log in with vsphere.local accounts you do not need to specify the domain, e.g. administrator@vsphere.local or vsphere.local\administrator. You just need to input administrator, but you will need to specify the domain name prefix for any other domain that is not set as the default domain.

See the documentation below.

vSphere 5.5 Documentation Center - Set the Default Domain for vCenter Single Sign-On

Each vCenter Single Sign-On identity source is associated with a domain. vCenter Single Sign-On uses the default domain to authenticate a user who logs in without a domain name. Users who belong to a domain that is not the default domain must include the domain name when they log in.

When a user logs in to a vCenter Server system from the vSphere Web Client, the login behavior depends on whether the user is in the default domain.

Users who are in the default domain can log in with their user name and password.

Users who are in a domain that has been added to vCenter Single Sign-On as an identity source but is not the default domain can log in to vCenter Server but must specify the domain in one of the following ways.

Including a domain name prefix, for example, MYDOMAIN\user1

Including the domain, for example, user1@mydomain.com

Users who are in a domain that is not a vCenter Single Sign-On identity source cannot log in to vCenter Server. If the domain that you add to vCenter Single Sign-On is part of a domain hierarchy, Active Directory determines whether users of other domains in the hierarchy are authenticated or not.

Bayu Wibowo | VCIX6-DCV/NV
Author of VMware NSX Cookbook http://bit.ly/NSXCookbook
https://github.com/bayupw/PowerNSX-Scripts
https://nz.linkedin.com/in/bayupw | twitter @bayupw
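The permission check described in the first step above, and the fix André suggests (granting the domain group a role on the vCenter object), can be done from PowerCLI instead of the Web Client. The script below is an added example and is not from this thread or from VMware; it assumes PowerCLI is installed, and the server name `vcenter.example.local` and the group `MYDOMAIN\vSphere-Admins` are placeholders for your own environment. It lists the permissions on the vCenter root object, reports whether the given principal has one, and only creates a permission when run with `-Grant`.

```powershell
# Added example (not from the thread or from VMware): audit, and optionally grant,
# inventory permissions on the vCenter root object with PowerCLI.
# Save as Check-RootPermission.ps1 and run from a PowerCLI-enabled PowerShell session.
param(
    [string]$Server    = 'vcenter.example.local',   # placeholder: your vCenter FQDN
    [string]$Principal = 'MYDOMAIN\vSphere-Admins', # placeholder: your domain group
    [string]$RoleName  = 'Admin',                   # built-in Administrator role name
    [switch]$Grant                                  # create the permission only when set
)

Import-Module VMware.VimAutomation.Core -ErrorAction Stop

# Connect as the SSO administrator; this account always holds a permission on the root folder.
$vc = Connect-VIServer -Server $Server -Credential (Get-Credential -Message 'administrator@vsphere.local')

# The root folder is the top of the inventory. A propagated permission here is what
# the vSphere (C#) Client evaluates before it lets a user in at all.
$root = Get-Folder -Server $vc -NoRecursion

Write-Host "Permissions on the vCenter root object ($($root.Name)):"
Get-VIPermission -Entity $root -Server $vc |
    Select-Object Principal, Role, Propagate, IsGroup |
    Format-Table -AutoSize

$existing = Get-VIPermission -Entity $root -Server $vc |
    Where-Object { $_.Principal -eq $Principal }

if ($existing) {
    Write-Host "'$Principal' already holds role '$($existing.Role)' on the root object."
}
elseif ($Grant) {
    # Being an SSO administrator does not create an inventory permission; this does.
    $role = Get-VIRole -Name $RoleName -Server $vc
    New-VIPermission -Entity $root -Principal $Principal -Role $role -Propagate:$true -Server $vc
    Write-Host "Granted '$RoleName' to '$Principal' on the root object (propagated)."
}
else {
    Write-Host "'$Principal' has no permission on the root object; rerun with -Grant to add '$RoleName'."
}

Disconnect-VIServer -Server $vc -Confirm:$false
```

Run it once without `-Grant` to see the current state; if the domain group is missing from the list, that is exactly the situation where the Web Client still lets the user authenticate (SSO accepts the identity source) while the C# client refuses the login. Granting `Admin` at the root is the broadest choice; a narrower role on a lower inventory object is preferable where the group does not need full control.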
kgottleib
Enthusiast

Let me state again -

Forget about the above - I should have simplified this:

After installation of vCenter 5.5 - regardless of how I defined the SSO administration, whether I used simply administrator@vsphere.local, or whether I placed my domain group in the field and checked the box "this is a group" - the RESULTS were exactly the same:

I can log into the web client with a domain account immediately after installation without modifying anything (why? because I installed vCenter with a domain account and checked the box to add the domain as an identity source; this is by design), but when using the C# client I can only log in with administrator@vsphere.local. This doesn't seem like it's by design..

What I'm experiencing would indicate that there is a lack of integration pertaining to permissions with v5.5...

Can you confirm this?


a_p_
Leadership (accepted solution)

The vSphere Client only seems to allow access based on the permissions of the inventory objects. The Web Client however authenticates against SSO (i.e. allows user access for all configured Identity Sources), but it will only show the inventory objects the user has permissions for.

André

kgottleib
Enthusiast

Thanks André - glad I'm not going F'in crazy here... and even happier that my installation isn't corrupt. This information is good for everyone who still clings to the C# client in hopes VMware resurrects it. And again, it is always good to have you chime in on posts, you da man around vtown!
