Last week I was phoned by a customer who was trying to set up an internal vCloud Automation Center (vCAC) 6.0 SP1 proof of concept (POC). First of all, I don't think we should call these things POCs anymore, since the vCAC concept has been proven over and over again; it is definitely worth using a different name, I think.
Back to my customer call: before he started the POC I told him that I usually set up a dedicated service account that is used for the vCAC IaaS installation and for connecting the vCAC components to vCenter Server. I usually create a separate admin user account as well, so that automatically triggered actions can be separated from manual ones.
My customer had a problem configuring the tenant Identity store, and those of you who have set up vCAC know that you need to specify a Login user DN during that configuration.
The Active Directory user account my customer tried to use for the tenant Identity store configuration had the following setup (modified to fit the blog post):
- First Name: Magnus
- Display Name: Magnus
- User logon name: xmagnus@vcdx56.com
- User logon name (pre-Windows 2000): vcdx56\xmagnus
Below is a figure showing the account in the Active Directory Users and Computers Microsoft Management Console (MMC). Note that the name the MMC shows is the Full Name of the user account object, which is also its common name (CN).
My customer tried to add the Identity store to the tenant using the xmagnus logon name in the Login user DN configuration, “cn=xmagnus,cn=users,dc=vcdx56,dc=com”, and received an error in the UI.
The vCAC Appliance catalina.out log file, located in the directory /storage/log/vmware/vcac, shows the following:
2014-0X-0X XX:XX:XX,586 [tomcat-http--33] [authentication] INFO com.vmware.vcac.authentication.service.sso.impl.IdentityStoreManagementImpl.testConnection:387 - Connection to directory service can't be established. URI=ldap://dc01.vcdx56.com.Reason:The provided credentials for authentication against LDAP server lldap://dc01.vcdx56.com are not valid.
I told my customer that he had to use the AD CN. When he changed the Login user DN from “cn=xmagnus,cn=users,dc=vcdx56,dc=com” to “cn=magnus,cn=users,dc=vcdx56,dc=com”, where magnus is the AD CN (the name shown in the MMC) for the account, he could successfully add the Identity store.
To be on the safe side, and to be 100 % certain that the name shown in the MMC is the AD CN, I told my customer to run one additional test: rename the user account object in the MMC so that its CN includes a space.
Testing the Identity store connection with the configuration below succeeded as well:
“cn=magnus 1234,cn=users,dc=vcdx56,dc=com”
Yes, there is a space in the CN field, because the test account's CN now includes a space, and the bind still works as long as the DN matches the object exactly.
This means you have to use the AD account CN, the name that shows up in the Active Directory Users and Computers MMC, when configuring the Identity store connection, no matter what the following user account settings say:
- First Name:
- Display Name:
- user logon name:
- User logon name (pre-Windows 2000):
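To avoid guessing the DN at all, here is a PowerShell check you can run on a domain-joined admin box before touching the vCAC UI. It is an added example, not code from the original post or from VMware; it assumes the RSAT ActiveDirectory module is installed, that the domain controller dc01.vcdx56.com from the log line above is reachable, and the sample account from the post with logon name xmagnus.

```powershell
# Added example (not from the original post): resolve the DN that vCAC needs
# in "Login user DN" from the account's logon name, then verify it with an
# LDAP simple bind. Assumptions: RSAT ActiveDirectory module, reachable DC
# dc01.vcdx56.com on 389/636, and the post's sample account (logon xmagnus).
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices.Protocols

$server    = 'dc01.vcdx56.com'
$logonName = 'xmagnus'                 # sAMAccountName, NOT the CN

# The distinguishedName attribute is authoritative: it reflects the object's
# real CN and container/OU, and already carries RFC 4514 escaping for
# characters such as commas in the CN.
$user   = Get-ADUser -Identity $logonName -Server $server
$bindDn = $user.DistinguishedName
Write-Host "Login user DN for '$logonName': $bindDn"

function Test-LdapBind {
    param(
        [string]$Server,
        [string]$Dn,
        [System.Security.SecureString]$Password,
        [switch]$UseSsl
    )
    $port = if ($UseSsl) { 636 } else { 389 }
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.SessionOptions.SecureSocketLayer = [bool]$UseSsl
    # Simple bind with DN + password, which is what the vCAC identity store does.
    $conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
    $conn.Credential = New-Object System.Net.NetworkCredential($Dn, $Password)
    try {
        $conn.Bind()
        return $true
    } catch [System.DirectoryServices.Protocols.LdapException] {
        # AD answers a non-existent DN or a wrong password with LDAP result 49
        # (invalidCredentials), the condition vCAC logs as "credentials ... are not valid".
        Write-Warning ("Bind as '{0}' failed: {1}" -f $Dn, $_.Exception.Message)
        return $false
    } finally {
        $conn.Dispose()
    }
}

$password = (Get-Credential -UserName $logonName -Message 'Service account password').Password

# The DN guessed from the logon name does not name an existing object.
$wrongDn = "cn=$logonName,cn=users,dc=vcdx56,dc=com"
Test-LdapBind -Server $server -Dn $wrongDn -Password $password -UseSsl   # expected: False

# The DN read from the directory does.
Test-LdapBind -Server $server -Dn $bindDn -Password $password -UseSsl    # expected: True
```

Two things the check makes visible: the DN describes where the object lives, so a service account created in an OU rather than the default Users container has ou=... in its DN instead of cn=users, and renaming the object afterwards changes its CN and silently breaks the bind. The vCAC log above also shows the connection using ldap:// on port 389, where a simple bind sends the service account password in cleartext; if the DC offers LDAPS, use ldaps:// for the identity store and run the test above with -UseSsl, as shown.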