bhoriuchi
Enthusiast

vCAC 6 - unable to use AD user accounts with commas

We are currently having an issue with authenticating to vCAC 6 with AD accounts that have commas. My theory is that this is because the commas are escaped in ldap. Using accounts that have no commas or special characters we are able to get in with no problem.

Is there anyone else who has observed this same issue or has a fix? In the first build of the beta I also saw this, and in the second build of the beta it was a 401 error.

The login just goes to the sso server and keeps recycling on this page.

(screenshot attached: a-ssoerror.PNG)

bhoriuchi
Enthusiast

Upon further inspection of the logs I have determined that it is not escaped characters causing the issue. It is actually when the Active Directory UserPrincipalName attribute in AD is different from the user login.

For example, our user IDs are number based but our email addresses are based on first and last name, so I might have the login 11111@site.domain.com with an email address of bhoriuchi@domain.com, and the UPN has the value of my email address. The logs show the identity server getting confused by this (real email and username replaced to protect the innocent):

[2013-12-16 17:45:57,533 vsphere.local 3c58c4d8-6777-4eed-99dc-ec712cfc64ac INFO ] [IdentityManager] Authentication succeeded for user [11111@site.domain.com] in tenant [vsphere.local] in [36] milliseconds

[2013-12-16 17:45:59,138 vsphere.local 8da0d76f-e48d-4b1a-b2a8-efeb08848105 ERROR] [IdentityManager] Failed to find user [bhoriuchi@domain.com] for tenant [vsphere.local]

Short of changing the UPN on the AD account, are there any other workarounds?

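The two log lines above are the whole symptom: SSO authenticates the account under its login name, then a second lookup a moment later uses the UPN and fails. As an added example (not from the thread or from VMware), here is a small correlator that reads IdentityManager lines in the format quoted above and flags a lookup failure that follows a successful authentication under a different name in the same tenant. The 10-second pairing window and the extra sample lines are assumptions for illustration.

```python
import re
from datetime import datetime, timedelta

# Matches the IdentityManager lines quoted in the thread: "[ts tenant request-id LEVEL] [IdentityManager] message"
LINE_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) (?P<tenant>\S+) \S+ (?P<level>\w+)\s*\] "
    r"\[IdentityManager\] (?P<msg>.*)$"
)
OK_RE = re.compile(r"Authentication succeeded for user \[(?P<user>[^\]]+)\]")
FAIL_RE = re.compile(r"Failed to find user \[(?P<user>[^\]]+)\]")

# Constructed sample: the two lines from the thread, plus one clean login and one unrelated lookup failure.
SAMPLE_LOG = """\
[2013-12-16 17:45:57,533 vsphere.local 3c58c4d8-6777-4eed-99dc-ec712cfc64ac INFO ] [IdentityManager] Authentication succeeded for user [11111@site.domain.com] in tenant [vsphere.local] in [36] milliseconds
[2013-12-16 17:45:59,138 vsphere.local 8da0d76f-e48d-4b1a-b2a8-efeb08848105 ERROR] [IdentityManager] Failed to find user [bhoriuchi@domain.com] for tenant [vsphere.local]
[2013-12-16 17:46:10,000 vsphere.local 00000000-0000-0000-0000-000000000001 INFO ] [IdentityManager] Authentication succeeded for user [22222@site.domain.com] in tenant [vsphere.local] in [40] milliseconds
[2013-12-16 17:47:30,000 vsphere.local 00000000-0000-0000-0000-000000000002 ERROR] [IdentityManager] Failed to find user [nobody@domain.com] for tenant [vsphere.local]
"""

def parse_events(text):
    """Yield (timestamp, tenant, kind, user) for the success/failure lines we care about; skip everything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f")
        ok, fail = OK_RE.search(m["msg"]), FAIL_RE.search(m["msg"])
        if ok:
            yield ts, m["tenant"], "ok", ok["user"]
        elif fail:
            yield ts, m["tenant"], "fail", fail["user"]

def find_upn_mismatches(text, window=timedelta(seconds=10)):
    """Return (login_name, looked_up_name, seconds_apart) for each lookup failure that follows a
    successful authentication under a *different* name in the same tenant within `window`."""
    events = list(parse_events(text))
    hits = []
    for i, (ts, tenant, kind, user) in enumerate(events):
        if kind != "fail":
            continue
        # Walk back to the most recent successful login in this tenant; pair only if it is inside the window.
        for pts, ptenant, pkind, puser in reversed(events[:i]):
            if pkind == "ok" and ptenant == tenant:
                if ts - pts <= window and puser.lower() != user.lower():
                    hits.append((puser, user, round((ts - pts).total_seconds(), 3)))
                break
    return hits

if __name__ == "__main__":
    for login, looked_up, secs in find_upn_mismatches(SAMPLE_LOG):
        print(f"possible UPN mismatch: logged in as {login}, SSO then looked up {looked_up} ({secs}s later)")
```

Run against a real vCAC identity log, a hit of this shape for an account that cannot log in is a strong indicator that its UPN differs from its login name, before anyone has to compare AD attributes by hand.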
bhoriuchi
Enthusiast

Using a native AD identity store seems to have resolved the issue, but since you can only use native AD on the default tenant, this bug should still be addressed.

Craig_G2
Hot Shot

Hey,

My workaround for this is to put your UPN in the domain alias field. For example:

Domain: ad.contoso.com

Domain Alias: live.contoso.com

The version of SSO is older too, so not the polished 5.5 version. Apparently next year they plan to allow integration with vCenter SSO, which will be nice.

I've logged the issue with VMware support and they have passed my workaround on to the engineering team to see if it's OK. I don't see another way round it though.

Thinking about trying out native AD auth too as we will only ever need one tenant.

Cheers

bhoriuchi
Enthusiast

eatVM,

I tried this, but since our user accounts are employee ID numbers and our email addresses are based on our first name/last name, the user@domainalias still mismatches and causes the same issue. The only fix I have found is to use native AD (which still causes an issue with some accounts) or change the UPN to match user@domain.
