Today I received a message from VMware Product Engineering telling me that the default behavior in vSphere 5.5 is to enter the full child domain before the username, meaning this was expected.
However, I have found that if you type the entire child domain name before the user ID (in my case xy.vcdx56.com\magnus) once, you can log in using only vcdx56\userid (in my case vcdx56\magnus) after that :)
It is possible to make a change to the file defaultdomain.ldif, making the child domain the default domain in SSO, but I will not get into this right now since I haven't tried it myself.
Original blog post
After upgrading one of my customer's vSphere 5.1 environments to vSphere 5.5 the other week, before vSphere 5.5 U1 was released, I ran into a vCenter Server permission problem.
I have written a blog post about pretty much the same behavior, which you can find here, but unfortunately the nested group structure was not used this time.
However, I got the same result as described in the other blog post. When trying to log on to the vCenter Server using the vSphere Web Client, the inventory was completely blank.
When trying to log on to the vCenter Server using the vSphere Client, I received the following error:
This means the user trying to log in gets authenticated by Active Directory (AD) via SSO, but then fails the privilege check on the inventory root. This is what is shown in the vCenter Server log file, vpxd-xxxx.log:
2014-03-XXT11:27:26.609+01:00 [00668 info 'Default' opID=4307eaa2] [VpxLRO] -- ERROR task-internal-186801 --  -- vim.SessionManager.impersonateUser: vim.fault.NoPermission:
--> Result:
--> (vim.fault.NoPermission) {
-->    dynamicType = <unset>,
-->    faultCause = (vmodl.MethodFault) null,
-->    object = 'vim.Folder:group-d1',
-->    privilegeId = "System.View",
-->    msg = "",
--> }
--> Args:
-->
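The log entry above is an authorization failure, not an authentication failure: the fault names the privilege (System.View) and the object it was checked on (vim.Folder:group-d1, the inventory root). The following is an added example, not code from the original post or from VMware, that pulls these entries out of vpxd.log lines so that permission failures can be spotted and correlated by opID. The sample text is the excerpt from the post plus one made-up FINISH line; the regular expressions are assumptions about the log layout shown on the page, not a documented vpxd format.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: the vpxd.log excerpt from the post (date placeholder kept as on the page),
# followed by an unrelated, made-up FINISH line so the parser has something to skip.
SAMPLE_LOG = """\
2014-03-XXT11:27:26.609+01:00 [00668 info 'Default' opID=4307eaa2] [VpxLRO] -- ERROR task-internal-186801 --  -- vim.SessionManager.impersonateUser: vim.fault.NoPermission:
--> Result:
--> (vim.fault.NoPermission) {
-->    dynamicType = <unset>,
-->    faultCause = (vmodl.MethodFault) null,
-->    object = 'vim.Folder:group-d1',
-->    privilegeId = "System.View",
-->    msg = "",
--> }
--> Args:
-->
2014-03-XXT11:28:00.000+01:00 [00670 info 'Default' opID=1a2b3c4d] [VpxLRO] -- FINISH task-internal-186802 --  -- vim.SessionManager.login --
"""

# Assumed layout of a [VpxLRO] ERROR line, derived from the excerpt above.
HEADER_RE = re.compile(
    r"^(?P<ts>\S+) \[(?P<thread>\d+) (?P<level>\w+) '(?P<component>[^']*)'(?: opID=(?P<opid>\S+))?\] "
    r"\[VpxLRO\] -- ERROR (?P<task>\S+) -- .*?-- (?P<method>\S+): (?P<fault>\S+):$"
)
# Continuation lines of the form:  -->    key = value,
FIELD_RE = re.compile(r"^-->\s+(?P<key>\w+) = (?P<value>.*?),?$")


@dataclass
class VpxdFault:
    timestamp: str
    opid: Optional[str]
    task: str
    method: str
    fault: str
    fields: dict = field(default_factory=dict)


def parse_vpxd_faults(text):
    """Collect every [VpxLRO] ERROR entry together with the '-->' fields that follow it."""
    faults = []
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = VpxdFault(m["ts"], m["opid"], m["task"], m["method"], m["fault"])
            faults.append(current)
            continue
        if current is None or not line.startswith("-->"):
            current = None  # any non-continuation line ends the fault's detail block
            continue
        f = FIELD_RE.match(line)
        if f:
            current.fields[f["key"]] = f["value"].strip("'\"")
    return faults


def authorization_failures(text):
    """(opID, object, privilegeId) for entries where the user authenticated but a privilege check failed."""
    return [
        (fl.opid, fl.fields.get("object"), fl.fields.get("privilegeId"))
        for fl in parse_vpxd_faults(text)
        if fl.fault == "vim.fault.NoPermission"
    ]


if __name__ == "__main__":
    for opid, obj, priv in authorization_failures(SAMPLE_LOG):
        print(f"opID={opid}: missing privilege {priv} on {obj}")
```

Running it against the sample prints one line for opID 4307eaa2. A repeated System.View failure on the root folder for a user who just authenticated is exactly the signature of a group or domain mapping that does not match the permissions assigned in vCenter, which is the situation the post describes.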
Fortunately I could log on using both admin@system-domain and the new vSphere 5.5 vCenter Single Sign-On (SSO) account administrator@vsphere.local. Yes, I usually add these accounts as vCenter Server Administrators.
We were still, as in vSphere 5.1, using the "Active Directory (Integrated Windows Authentication)" SSO configuration option for the identity source.
The users are located in the xy.vcdx56.com domain and not in the ab.vcdx56.com domain, as you might think since the SSO identity source points to ab.vcdx56.com.
The Windows-based virtual machine running the vCenter Server and its additional components has never been joined to the ab.vcdx56.com domain; it has always been joined to the xy.vcdx56.com domain.
I did try altering the identity source to be the default domain, but it didn't solve my problem.
Another thing I tried was to change the SSO identity source to the "Active Directory as a LDAP Server" option and manually connect to the xy.vcdx56.com domain. Even though I could successfully make a connection and the configuration was accepted, it didn't solve our problem.
This sounds very similar to the problem described in VMware KB article 2037410, but it's not the same. Another difference is that the configuration worked in vSphere 5.1 but not now in vSphere 5.5.
We are using the following vCenter Server permission structure:
- Active Directory users are added to vCenter SSO groups, and the vCenter SSO groups are added to vCenter Server
The solution to our problem was to use the following structure of the user name when logging in:
- xy.vcdx56.com\userid or userid@xy.vcdx56.com
VMware has been informed about the problem, and I'll update this blog post when/if a fix is released or a statement is published presenting this as the vSphere 5.5 default behavior.
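To make the three login spellings concrete, here is an added example (not code from the post or from VMware) that resolves a login string to the AD domain it will be looked up in: a bare user ID goes to the identity source's default domain, a DNS-style prefix or suffix is used as given, and a short NetBIOS prefix is translated through a lookup table. The default domain ab.vcdx56.com and the user domain xy.vcdx56.com come from the post; the NetBIOS-to-DNS table is an assumption constructed for the example, not the customer's forest configuration.

```python
# Assumed, constructed for this example: what the SSO identity source points at (from the post)
# and a made-up NetBIOS-to-DNS table for the forest's domains.
DEFAULT_DOMAIN = "ab.vcdx56.com"
NETBIOS_TO_DNS = {
    "XY": "xy.vcdx56.com",   # assumed short name for the child domain the users live in
    "AB": "ab.vcdx56.com",   # assumed short name for the identity source's domain
}


def parse_login(login):
    """Split a login string into (domain_part, user, form).

    form is 'down-level' for DOMAIN\\user, 'upn' for user@domain, and 'bare' when no
    domain is given at all.
    """
    if "\\" in login:
        domain, user = login.split("\\", 1)
        form = "down-level"
    elif "@" in login:
        user, domain = login.rsplit("@", 1)
        form = "upn"
    else:
        return None, login, "bare"
    if not domain or not user:
        raise ValueError(f"malformed login string: {login!r}")
    return domain, user, form


def resolve_domain(login, default_domain=DEFAULT_DOMAIN, netbios_map=NETBIOS_TO_DNS):
    """Return the DNS domain the login will be searched in, or None if it cannot be resolved."""
    domain, _user, form = parse_login(login)
    if form == "bare":
        return default_domain.lower()         # bare IDs fall back to the identity source's domain
    if "." in domain:
        return domain.lower()                 # already a DNS name, e.g. xy.vcdx56.com
    return netbios_map.get(domain.upper())    # short name: look it up, None if unknown


def lands_in_user_domain(login, user_domain="xy.vcdx56.com"):
    """True when the login resolves to the domain where the user accounts actually live."""
    return resolve_domain(login) == user_domain.lower()


if __name__ == "__main__":
    for candidate in ("userid", "xy.vcdx56.com\\userid", "userid@xy.vcdx56.com", "XY\\userid"):
        print(f"{candidate:28} -> {resolve_domain(candidate)}  ok={lands_in_user_domain(candidate)}")
```

With these assumptions, a bare user ID resolves to ab.vcdx56.com (where the accounts are not), while both spellings the post found to work resolve to xy.vcdx56.com; that is the whole difference behind the blank inventory.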