VMware Cloud Community
badazws6
Enthusiast

5.5 SSO AD Group Authentication

Lots of SSO discussion here...

Anyway, I seem to be having a slightly different problem than the others I have been seeing.  When I give admin rights to my vCenter instance to "Domain Admins", which my account is a direct member of, I cannot log in.  When I give my domain admin account direct permissions to the vCenter instance I can log in no problem.

Anyway, my environment is 2008 R2, everything is up to 2008 functional levels, vCenter is installed into a fresh 2008 R2 instance.

Anyone else seeing this behavior?  Any suggestions?  I will be doing more testing.

MR

7 Replies
badazws6
Enthusiast

Ok, bumping around trying different things.  I removed my domain admins account from the one group with a "_", with no love.  I noticed that account is a member of about half a dozen accounts that contain "-".  I set up another account that is not a member of any of those "-" groups and added it to domain admins.  I get love on this new test account; it has not been assigned direct permissions.

So I am learning, at least in my instance, it appears there are issues with "-"s in group membership for SSO accounts.  Is "-" non-ASCII?  Researching that now.

So it appears I am having issues similar to the following thread.

https://communities.vmware.com/message/2293089#2293089

badazws6
Enthusiast

So it does appear that "-" is ASCII.  Another thought: my DA account is a member of 13 groups.  I wonder if I can break my test account by adding it to more groups?

badazws6
Enthusiast

Hmmm, so I added the test account to the same number of groups, as well as adding it to a group that contains a "-".  It still works.  Maybe the default group?

badazws6
Enthusiast

Ok, getting some love.  The test account's primary group was set to "Domain Users"; the DA account's primary group was set to "Domain Admins".  When I changed the DA's primary group to "Domain Users" it was able to log in.  So...  Still somewhat confused here, why should it matter?  What is the difference?

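One thing worth checking when a login works or fails depending on an account's primary group, as an added example that is not part of this thread or of VMware's code: in Active Directory the primary group is recorded only in the user's primaryGroupID attribute (a RID) and is never listed in memberOf, so any directory consumer that enumerates group membership by reading memberOf instead of tokenGroups will not see it. Whether that is the cause of the behaviour reported above is not established here; the script just makes the discrepancy visible. It assumes the ActiveDirectory RSAT module and read access to user and group objects; 513 is the well-known RID of Domain Users.

```powershell
# Added example, not from the thread. Lists every user whose primary group is
# not the default "Domain Users" (RID 513) and shows whether that group also
# appears in memberOf (it never does, which is the point of the check).
Import-Module ActiveDirectory

# Domain SID prefix, needed to turn a primaryGroupID (a bare RID) into a full SID
$domainSid = (Get-ADDomain).DomainSID.Value

# Resolve a RID to the group object by building "<domain SID>-<RID>"
function Resolve-PrimaryGroup {
    param([Parameter(Mandatory)][int]$Rid)
    Get-ADGroup -Identity "$domainSid-$Rid"
}

Get-ADUser -Filter 'primaryGroupID -ne 513' -Properties primaryGroupID, memberOf |
    ForEach-Object {
        $pg = Resolve-PrimaryGroup -Rid $_.primaryGroupID
        [PSCustomObject]@{
            User          = $_.SamAccountName
            PrimaryGroup  = $pg.Name
            # memberOf omits the primary group; only tokenGroups / a logon token has it
            InMemberOf    = (@($_.memberOf) -contains $pg.DistinguishedName)
            MemberOfCount = @($_.memberOf).Count
        }
    } | Format-Table -AutoSize
```

Accounts such as a domain admin whose primary group was changed to "Domain Admins" show up here with InMemberOf false; if the identity source you are troubleshooting only reads memberOf, that is the membership it cannot see.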
badazws6
Enthusiast

So, just for testing's sake I made my DA account's primary group "Domain Admins" again.  I can still log in...

I don't like problem resolutions that don't make sense and I can't replicate...  What am I missing here?

dpomeroy
Champion

I'm seeing this problem as well when AD is configured as "Windows Integrated - machine account".  When I configure AD with SPN, I cannot add any users or groups, as I get the "cannot load users from this domain" message.  If I configure AD via the AD as LDAP method, then we get the "client cannot authenticate with inventory service" error.

I don't have the solution (yet), but you are not alone, SSO 5.5 certainly has issues.

amurrey
Enthusiast

I'm having very similar problems.

5.5 SSO issue
