Solved

vCenter 5.5 SSO Issue - cannot add rights

Posted on 2014-10-30
337 Views
Last Modified: 2014-11-06
Greetings,

We have 2 vCenters in a 4-node linked group that cannot have SSO permissions added to them. The servers do reside in a sub-domain of the root domain, but have the identity source showing as the root domain. When attempting to add users or groups to SSO rights (user/administrator), the AD search finds the user/group fine and looks like it will add, but does not. We've tried refreshing/logout-login/rebooting. Neither users nor groups from the root or sub-domains work.

 I have not found any articles specifically for this on the web or VMware's site.

Thanks in advance,
Rick
Question by:Virene
5 Comments
 
LVL 19

Accepted Solution

by: compdigit44 (earned 500 total points)
ID: 40422901
What OS are your vCenter servers on, and what is your vCenter build number?

Have you viewed the SSO logs for any errors?
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2033430
 

Author Closing Comment

by:Virene
ID: 40424604
Thanks for your response Compdigit44.
I got a response from VMware support - they said, "you will need to remove the xxx.com identity source as Integrated Windows Authentication, and add it back under AD over LDAP. Then, you can add the child domain as AD over LDAP as well."
 
LVL 19

Expert Comment

by:compdigit44
ID: 40425181
Interesting... did they give an explanation WHY?
 

Author Comment

by:Virene
ID: 40426297
They did not explain. I questioned further and received this reply:
"One of the largest issues with AD over LDAP is that you have to hard code a domain controller for SSO to bind to. If that DC becomes unavailable, SSO cannot talk to AD. You cannot use a round-robin address either, it must be the name of an actual DC.

And, if the account used to authenticate to the DC changes (username, password) then the identity source must be updated before continuing to authenticate users.

Integrated Windows Authentication (IWA) is a much better option for most environments compared to AD over LDAP. Unless of course, you have the requirements that you thought you had.

Here's a link to the documentation about the different identity source options:
https://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.security.doc/GUID-1F0106C9-0524-4583-9AC5-A748FD1DC4C5.html"

So, for us, we will stick with Integrated authentication vs. LDAP and have to use a single service account to administer SSO on the vCenters from sub-domains.
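The single-DC dependency that support describes above is easy to check for before (and after) switching an identity source to AD over LDAP. The following is an added example, not code from this thread or from VMware: a small Python preflight that parses the identity source's primary/secondary server URLs, flags a URL that names the domain rather than a specific DC, and probes whether each configured DC is reachable. The hostnames are constructed placeholders.

```python
"""Preflight check for a vSphere 5.5 SSO 'AD over LDAP' identity source.

Added example, not from the thread or VMware. The failure mode described by
support is that SSO binds only to the DC(s) named in the identity source, so
if that host is down, authentication stops. This check parses the primary and
secondary server URLs, confirms each names a specific host (not the domain,
which resolves round-robin to any DC), and probes TCP reachability.
"""
import socket
from urllib.parse import urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def parse_server_url(url):
    """Return (host, port) for ldap://host[:port] or ldaps://host[:port]."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError("expected ldap://host or ldaps://host, got %r" % url)
    return parts.hostname, parts.port or DEFAULT_PORTS[parts.scheme]


def tcp_reachable(host, port, timeout=3.0):
    """True if a TCP connection to the DC's LDAP port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_identity_source(primary_url, secondary_url=None, domain=None,
                          probe=tcp_reachable):
    """Evaluate the configured DC(s) and return a list of findings.

    `probe` is injectable so the logic can be exercised without a network.
    """
    findings = []
    urls = [u for u in (primary_url, secondary_url) if u]
    if len(urls) < 2:
        findings.append("WARN: no secondary server URL; single DC is a single point of failure")
    for label, url in zip(("primary", "secondary"), urls):
        host, port = parse_server_url(url)
        if domain and host.lower() == domain.lower():
            findings.append("WARN: %s URL names the domain itself (%s); SSO needs a specific DC"
                            % (label, host))
        if not probe(host, port):
            findings.append("FAIL: %s DC %s:%d unreachable; SSO cannot bind to AD"
                            % (label, host, port))
    return findings


if __name__ == "__main__":
    # Constructed placeholder hostnames; replace with the DCs in your identity source.
    for line in check_identity_source("ldap://dc01.corp.example.com",
                                      "ldaps://dc02.corp.example.com",
                                      domain="corp.example.com"):
        print(line)
```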
 
LVL 19

Expert Comment

by:compdigit44
ID: 40426419
Good to know...

Thanks
