Lots of SSO discussion here...
Anyway, I seem to be having a slightly different problem than the others I have been seeing. When I give admin rights to my vCenter instance to "Domain Admins", which my account is a direct member of, I cannot log in. When I give my domain admin account direct permissions to the vCenter instance I can log in no problem.
Anyway, my environment is 2008r2, everything is up to 2008 functional levels, vCenter is installed into a fresh 2008r2 instance.
Anyone else seeing this behavior? Any suggestions? I will be doing more testing.
MR
Ok, bumping around trying different things. I removed my domain admins account from the one group with a "_", with no love. I noticed that account is a member of about half a dozen groups that contain "-". I set up another account that is not a member of any of those "-" groups and added it to Domain Admins. I get love on this new test account; it has not been assigned direct permissions.
So I am learning, at least in my instance, that it appears there are issues with "-"s in group membership for SSO accounts. Is "-" non-ASCII? Researching that now.
So it appears I am having issues similar to the following thread.
So it does appear that "-" is ASCII. Another thought: my DA account is a member of 13 groups. I wonder if I can break my test account by adding it to more groups?
Hmmm, so I added the test account to the same number of groups as well as adding it to a group that contains a "-". It still works. Maybe default group?
Ok, getting some love. The test account's primary group was set to "Domain Users"; the DA account's primary group was set to "Domain Admins". When I changed the DA's primary group to "Domain Users" it was able to log in. So... still somewhat confused here, why should it matter? What is the difference?
So, just for testing's sake I made my DA account's primary group "Domain Admins" again. I can still log in...
I don't like problem resolutions that don't make sense and I can't replicate... What am I missing here?
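The comparison worked through above (primary group, number of group memberships, and whether any group name contains "-") can be pulled for an account in one go. The script below is an added example and is not code from the thread or from VMware; it assumes the RSAT ActiveDirectory PowerShell module is installed on a domain-joined box and uses a hypothetical account name, `testuser`, as the parameter default.

```powershell
# Added example (not from the thread): dump the AD attributes that the
# posts above compare between the working and the failing SSO account.
# Assumes the ActiveDirectory module (RSAT) is available.
param(
    [string]$SamAccountName = 'testuser'   # hypothetical account name
)

Import-Module ActiveDirectory

$user = Get-ADUser -Identity $SamAccountName -Properties primaryGroupID, memberOf

# The primary group is stored as a RID, not as a memberOf entry, so resolve it
# by building the group SID from the domain SID plus that RID.
$domainSid    = (Get-ADDomain).DomainSID.Value
$primaryGroup = Get-ADGroup -Identity "$domainSid-$($user.primaryGroupID)"

# memberOf holds the distinguished names of the other groups.
$groups = foreach ($dn in $user.memberOf) { Get-ADGroup -Identity $dn }

[pscustomobject]@{
    Account            = $user.SamAccountName
    PrimaryGroup       = $primaryGroup.Name
    PrimaryGroupRID    = $user.primaryGroupID
    GroupCount         = $groups.Count
    GroupsWithHyphen   = ($groups | Where-Object { $_.Name -like '*-*' }).Name -join ', '
    GroupsWithUnderscore = ($groups | Where-Object { $_.Name -like '*_*' }).Name -join ', '
    NonAsciiGroupNames = ($groups | Where-Object { $_.Name -match '[^\x00-\x7F]' }).Name -join ', '
}
```

Run it once for the account that can log in and once for the account that cannot, and diff the two result objects; that turns the trial-and-error in the posts above into a side-by-side comparison, including a check for group names that actually contain non-ASCII characters, which is the case the thread was originally wondering about.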
I'm seeing this problem as well when AD is configured as "Windows Integrated - machine account". When I configure AD with SPN, I cannot add any users or groups as I get the "cannot load users from this domain" message. If I configure AD via the "AD as LDAP" method then we get the "client cannot authenticate with inventory service" error.
I don't have the solution (yet), but you are not alone, SSO 5.5 certainly has issues.
I'm having very similar problems.