Solved

vCenter 5.5 SSO Issue - cannot add rights

Posted on 2014-10-30 | 348 Views | Last Modified: 2014-11-06
Greetings,

We have 2 vCenters in a 4 node linked group that cannot have SSO permissions added to them. The servers do reside in a sub-domain of the root domain, but have the identity source showing as the root domain. When attempting to add users or groups to SSO rights (user/administrator), the AD search finds the user/group fine and looks like it will add, but does not. We've tried refreshing/logout-login/rebooting. Neither users/groups from the root or sub domains work.

I have not found any articles specifically for this on the web or VMware's site.

Thanks in advance,
Rick
Question by: Virene
5 Comments
 
LVL 20

Accepted Solution

by: compdigit44 (earned 500 total points)
ID: 40422901
What OS are your vCenter servers on, and what is your vCenter build number?

Have you viewed the SSO logs for any errors?
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2033430
0
 

Author Closing Comment

by: Virene
ID: 40424604
Thanks for your response, Compdigit44.
I got a response from VMware support - they said, "you will need to remove the xxx.com identity source as Integrated Windows Authentication, and add it back under AD over LDAP. Then, you can add the child domain as AD over LDAP as well."
0
 
LVL 20

Expert Comment

by: compdigit44
ID: 40425181
Interesting... did they give an explanation WHY?
0
 

Author Comment

by: Virene
ID: 40426297
They did not explain. I questioned further and received this reply:
"One of the largest issues with AD over LDAP is that you have to hard code a domain controller for SSO to bind to. If that DC becomes unavailable, SSO cannot talk to AD. You cannot use a round-robin address either, it must be the name of an actual DC.

And, if the account used to authenticate to the DC changes (username, password) then the identity source must be updated before continuing to authenticate users.

Integrated Windows Authentication (IWA) is a much better option for most environments compared to AD over LDAP. Unless of course, you have the requirements that you thought you had.

Here's a link to the documentation about the different identity source options:
https://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.security.doc/GUID-1F0106C9-0524-4583-9AC5-A748FD1DC4C5.html"

So, for us, we will stick with Integrated authentication vs. LDAP and have to use a single service account to administer SSO on the vCenters from sub-domains.
0
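As an added example (not from this thread, VMware support, or VMware's documentation), a PowerShell pre-flight check for the constraints the support reply describes: that an AD-over-LDAP identity source names one specific domain controller rather than the round-robin domain name, that the DC is reachable on the LDAP port, and that the bind service account still authenticates. The hostnames and the service account are placeholders.

```powershell
# Added example, not from this thread or VMware. Pre-flight check for an
# "AD over LDAP" SSO identity source. All hostnames and the bind account
# below are placeholders; replace them with your own values.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$IdentitySource = @{
    PrimaryUrl  = 'ldaps://dc01.child.example.com:636'   # placeholder: one specific DC
    FailoverUrl = 'ldaps://dc02.child.example.com:636'   # placeholder: second DC
    BindUser    = 'CHILD\svc-vcsso'                       # placeholder service account
}

function Test-SsoLdapSource {
    param([string]$Url, [pscredential]$Credential)
    $uri    = [Uri]$Url
    $result = [ordered]@{ Url = $Url; SingleDc = $false; PortOpen = $false; BindOk = $false; Error = $null }

    # 1. The domain name itself resolves to every DC (DNS round-robin); the
    #    identity source must point at one real DC, which has a single A record.
    $aRecords = Resolve-DnsName -Name $uri.Host -Type A -ErrorAction SilentlyContinue
    $result.SingleDc = ($aRecords | Measure-Object).Count -eq 1

    # 2. If this hard-coded DC is down, SSO cannot talk to AD at all.
    $tcp = Test-NetConnection -ComputerName $uri.Host -Port $uri.Port -WarningAction SilentlyContinue
    $result.PortOpen = $tcp.TcpTestSucceeded

    # 3. A changed username or password on the bind account breaks the source
    #    until the identity source is updated, so verify the bind still works.
    if ($result.PortOpen) {
        try {
            $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($uri.Host, $uri.Port)
            $conn = New-Object System.DirectoryServices.Protocols.LdapConnection(
                        $id, $Credential.GetNetworkCredential(),
                        [System.DirectoryServices.Protocols.AuthType]::Basic)
            $conn.SessionOptions.ProtocolVersion   = 3
            $conn.SessionOptions.SecureSocketLayer = ($uri.Scheme -eq 'ldaps')
            $conn.Bind()            # throws LdapException on a failed simple bind
            $result.BindOk = $true
            $conn.Dispose()
        } catch { $result.Error = $_.Exception.Message }
    }
    [pscustomobject]$result
}

$cred = Get-Credential -UserName $IdentitySource.BindUser -Message 'SSO bind account'
foreach ($url in $IdentitySource.PrimaryUrl, $IdentitySource.FailoverUrl) {
    Test-SsoLdapSource -Url $url -Credential $cred
}
```

Run it from the vCenter server itself so that name resolution and firewall rules match what SSO sees.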
 
LVL 20

Expert Comment

by:compdigit44
ID: 40426419
good to know...

thanks
0
