?
Solved

vCenter 5.5 SSO Issue - cannot add rights

Posted on 2014-10-30
5
Medium Priority
?
359 Views
Last Modified: 2014-11-06
Greetings,

We have 2 vCenters in a 4 node linked group that cannot have SSO permissions added to them. The servers do reside in a sub-domain of the root domain, but have the identity source showing as the root domain. When attempting to add users or groups to SSO rights (user/administrator), the AD search finds the user/group fine and looks like it will add, but does not. We've tried refreshing/logout-login/rebooting. Neither users/groups from the root or sub domains work.

 I have not found any articles specifically for this on the web or VMware's site.

Thanks in advance,
Rick
0
Comment
Question by:Virene
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
5 Comments
 
LVL 20

Accepted Solution

by:
compdigit44 earned 2000 total points
ID: 40422901
What OS are your vCenter servers also what is your vCenter build number?

Have you view the SSO logs for any errors?
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2033430
0
 

Author Closing Comment

by:Virene
ID: 40424604
Thanks for your response Compdigit44.
I got a response from VMware support - they said, "you will need to remove the xxx.com identity source as Integrated Windows Authentication, and add it back under AD over LDAP. Then, you can add the child domain as AD over LDAP as well."
0
 
LVL 20

Expert Comment

by:compdigit44
ID: 40425181
Interesting .. did they give an explanation WHY?
0
 

Author Comment

by:Virene
ID: 40426297
They did not explain. I questioned further and received this reply:
"One of the largest issues with AD over LDAP is that you have to hard code a domain controller for SSO to bind to. If that DC becomes unavailable, SSO cannot talk to AD. You cannot use a round-robin address either, it must be the name of an actual DC.

And, if the account used to authenticate to the DC changes (username, password) then the identity source must be updated before continuing to authenticate users.

The integrated windows authentication (IWA) is a much better option for most environments compared to AD over LDAP. Unless of course, you have the requirements that you thought you had.

Here's a link to the documentation about the different identity source options:
https://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.security.doc/GUID-1F0106C9-0524-4583-9AC5-A748FD1DC4C5.html"

So, for us, we will stick with Integrated authentication vs. LDAP and have to use a single service account to administer SSO on the vCenters from sub-domains.
0
 
LVL 20

Expert Comment

by:compdigit44
ID: 40426419
good to know...

thanks
0

Featured Post

The Ideal Solution for Multi-Display Applications

Check out ATEN’s VS1912 12-Port DP Video Wall Media Player at InfoComm 2017. Kerri describes how easy it is to design creative video walls in asymmetric layouts and schedule detailed playlists ahead of time with its advanced scheduling feature.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If we need to check who deleted a Virtual Machine from our vCenter. Looking this task in logs can be painful and spend lot of time, so the best way to check this is in the vCenter DB. Just connect to vCenter DB(default DB should be VCDB and using…
HOW TO: Install and Configure VMware vSphere Hypervisor 6.5 (ESXi 6.5), Step by Step Tutorial with screenshots. From Download, Checking Media, to Completed Installation.
Teach the user how to rename, unmount, delete and upgrade VMFS datastores. Open vSphere Web Client: Rename VMFS and NFS datastores: Upgrade VMFS-3 volume to VMFS-5: Unmount VMFS datastore: Delete a VMFS datastore:
Teach the user how to install log collectors and how to configure ESXi 5.5 for remote logging Open console session and mount vCenter Server installer: Install vSphere Core Dump Collector: Install vSphere Syslog Collector: Open vSphere Client: Config…
Suggested Courses

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question