VMware Cloud Community
YapKY
Contributor

changing from IWA to AD over LDAP

Recently I changed from IWA to AD over LDAP, and I noticed we have some problems granting access to a domain universal group.

root.com
a.root.com  --> UG-VMadmin
b.root.com
c.root.com

We have a universal group (UG-VMadmin) residing in a.root.com that contains users from a.root.com and b.root.com.
I notice users from a.root.com have no problem logging on to vCenter, but all my users from b.root.com have problems logging on to vCenter.
I just want to find out if this configuration is supported in vSphere SSO?

MorganJ
Contributor

We had similar issues when we deployed Identity director as part of VCF 4.2 this last year. For us, we ended up having to create an LDAP connector to each of our 2 domains. Thankfully, we only had 2 of them, so it wasn't a huge hardship. Additionally, we are only using VMware Identity for our IT team to use with federation and NSX, so duplicating groups in each domain wasn't that much of an issue. Please reply if you find a better way to leverage the Universal groups. I had opened a ticket at the time, and was told that there wasn't really a better way to do it. Best of luck!
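A small diagnostic for the situation in the question (a universal group in a.root.com holding members from b.root.com) and the per-domain-source workaround in the reply. This is an added example, not code from the thread or from VMware; it assumes each AD over LDAP identity source is scoped to one domain's base DN, and the group member DNs are constructed sample data in the shape `ldapsearch` would return for the group's `member` attribute.

```python
# Added example: given the member DNs of an AD universal group and the base DNs
# of the AD-over-LDAP identity sources configured in vSphere SSO, list the
# members whose domain no configured identity source covers. Assumption: each
# identity source is scoped to a single domain's base DN.
import re

def dn_domain(dn: str) -> str:
    """Return the DNS domain encoded in a DN's DC= components, e.g. 'a.root.com'."""
    # Split on unescaped commas only: AD CN values may contain '\,'.
    parts = [p.strip() for p in re.split(r'(?<!\\),', dn)]
    dcs = [p.split('=', 1)[1].strip() for p in parts if p.lower().startswith('dc=')]
    return '.'.join(dcs).lower()

def unresolvable_members(member_dns, identity_source_base_dns):
    """Members whose home domain is not served by any configured identity source."""
    covered = {dn_domain(base) for base in identity_source_base_dns}
    return [m for m in member_dns if dn_domain(m) not in covered]

# Constructed sample: UG-VMadmin lives in a.root.com with members from a and b.
GROUP_MEMBERS = [
    "CN=alice,OU=Admins,DC=a,DC=root,DC=com",
    "CN=bob\\, Jr,OU=Admins,DC=b,DC=root,DC=com",   # escaped comma in the CN
    "CN=carol,OU=Admins,DC=b,DC=root,DC=com",
]

if __name__ == "__main__":
    one_source = ["DC=a,DC=root,DC=com"]                        # only a.root.com configured
    two_sources = ["DC=a,DC=root,DC=com", "DC=b,DC=root,DC=com"]  # one source per domain
    print("not covered with one source:", unresolvable_members(GROUP_MEMBERS, one_source))
    print("not covered with two sources:", unresolvable_members(GROUP_MEMBERS, two_sources))
```

Feed it the real `member` values of the group and the base DNs of your identity sources to see which members fall outside the domains your LDAP sources cover.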