vCenter

  • 1.  Problem resolving AD users when adding new permissions.

    Broadcom Employee
    Posted Sep 03, 2020 03:03 AM

    Hi all,

    I am seeing a strange issue that I feel is easy to solve but I don't recall how to do it.

    vCenter 7.0 latest build

    I have added the vCenter to an AD domain

    Then I added the Identity Source as IWA

    Now when I try to add a permission and I select the domain name (in the dropdown box), when I type in the name of an AD user group, it does not resolve.

    I have tried with various group names and user accounts and they do not resolve either.

    Has anyone seen this behavior before and can tell me how to resolve it (maybe not using IWA)?

    I already tried removing the identity source and leaving the domain then redoing it again but same result.

    Regards



  • 2.  RE: Problem resolving AD users when adding new permissions.

    Posted Sep 03, 2020 05:53 AM

    Hey Hocshop,

    I know it is a silly question, but have you restarted vCenter after joining it to the domain? It is needed for the search to work.

    If you did that, please also check inside Active Directory whether you can see the computer object populated, and make sure there is no GPO applying restrictions. However, if you have the computer account but you are applying GPOs, please create a new OU for testing without any GPO applied to it and re-join the vCenter, this time specifying the new OU path.



  • 3.  RE: Problem resolving AD users when adding new permissions.

    Broadcom Employee
    Posted Sep 03, 2020 03:30 PM

    Hi Lalegre

    Thanks for the reply.

    I had doubts about the user account too.

    What I am going to try is the following:

    1) Add the identity source again but this time as AD over LDAP instead of IWA (I read that VMware is moving away from IWA in future releases anyway)

    2) Try a different user account or move the existing user account to another OU.

    I will also take into account what you mentioned.

    Regards



  • 4.  RE: Problem resolving AD users when adding new permissions.
    Best Answer

    Broadcom Employee
    Posted Sep 11, 2020 09:19 PM

    Update,

    I think I found the source of the problem.

    I just found out that the domain functional level that they are using is at Win 2008 level.

    That is not compatible with vCenter 7.0 and is not even supported by Microsoft anymore.

    Here is the AD compatibility matrix just in case anyone else needs to find it:

    VMware Knowledge Base

    I hope that helps someone else.

    Regards