Hi,
I've just installed VCA 5.5 and added it to the AD DS domain with the appliance menu. Then, after logging in to the Web Client, I tried to add an Identity Source with my domain (AD Integrated Windows Authentication), using the machine account, and later with an SPN.
After adding the domain I switched to Users and Groups and tried to add an AD group to Administrators. But when doing it in Add Principals (switched to the AD DS domain) I get an empty list and the error: "Cannot load users for the selected domain."
I've even tcpdump'd the communication between vCenter and the AD DS domain controller, and what I can see is:
0050: 3030 3034 4443 3a20 4c64 6170 4572 723a 0004DC: LdapErr:
0060: 2044 5349 442d 3043 3039 3036 4444 2c20 DSID-0C0906DD,
0070: 636f 6d6d 656e 743a 2049 6e20 6f72 6465 comment: In orde
0080: 7220 746f 2070 6572 666f 726d 2074 6869 r to perform thi
0090: 7320 6f70 6572 6174 696f 6e20 6120 7375 s operation a su
00a0: 6363 6573 7366 756c 2062 696e 6420 6d75 ccessful bind mu
00b0: 7374 2062 6520 636f 6d70 6c65 7465 6420 st be completed
00c0: 6f6e 2074 6865 2063 6f6e 6e65 6374 696f on the connectio
00d0: 6e2e 2c20 6461 7461 2030 2c20 7631 3737 n., data 0, v177
00e0: 3200 2.
What's wrong? How can I set it up?
Regards,
p.
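The hex rows quoted in the post above carry the domain controller's LDAP diagnostic string. The following is an added example (not code from the original post or from VMware) that reassembles those rows into text and parses the Active Directory "LdapErr" diagnostic into its fields. Assumptions: the rows are the only input (they start at offset 0x50, so the first characters of the leading Win32 error code are cut off and the parser takes what is present), and the mapping of Win32 code 0x4DC to ERROR_NOT_AUTHENTICATED is from the Windows error tables, not from the thread. Decoded, the DC is saying that the search arrived on a connection on which no bind had succeeded: the machine-account (Kerberos/GSSAPI) bind did not complete, and AD refuses to answer the subsequent search anonymously.

```python
import re

# Constructed sample input: the tcpdump hex rows quoted in the post above,
# copied verbatim (offsets 0x50-0xe0 of the LDAP result message).
CAPTURE = """\
0050: 3030 3034 4443 3a20 4c64 6170 4572 723a 0004DC: LdapErr:
0060: 2044 5349 442d 3043 3039 3036 4444 2c20 DSID-0C0906DD,
0070: 636f 6d6d 656e 743a 2049 6e20 6f72 6465 comment: In orde
0080: 7220 746f 2070 6572 666f 726d 2074 6869 r to perform thi
0090: 7320 6f70 6572 6174 696f 6e20 6120 7375 s operation a su
00a0: 6363 6573 7366 756c 2062 696e 6420 6d75 ccessful bind mu
00b0: 7374 2062 6520 636f 6d70 6c65 7465 6420 st be completed
00c0: 6f6e 2074 6865 2063 6f6e 6e65 6374 696f on the connectio
00d0: 6e2e 2c20 6461 7461 2030 2c20 7631 3737 n., data 0, v177
00e0: 3200 2.
"""

HEX_WORD = re.compile(r"^(?:[0-9a-fA-F]{2}){1,2}$")  # one or two bytes per word


def hexdump_to_bytes(dump: str) -> bytes:
    """Reassemble tcpdump -X style rows ('<offset>: <hex words> <ascii>') into bytes.

    The ASCII gutter is not delimited, and here it even begins with hex-looking
    text ('0004DC'), so a row is cut off after 16 bytes or at the first token
    that is not a 2- or 4-digit hex word, whichever comes first.
    """
    out = bytearray()
    for line in dump.splitlines():
        offset, sep, rest = line.partition(":")
        if not sep or not re.fullmatch(r"\s*[0-9a-fA-F]+", offset):
            continue
        row = bytearray()
        for tok in rest.split():
            if len(row) >= 16 or not HEX_WORD.match(tok):
                break
            row += bytes.fromhex(tok)
        out += row
    return bytes(out)


# AD appends this diagnostic to LDAP results: '<win32 code>: LdapErr: DSID-<id>,
# comment: <text>, data <hex>, v<version>'. The Win32 code in front is the
# underlying Windows error; 0x4DC is ERROR_NOT_AUTHENTICATED (Windows error table).
AD_DIAG = re.compile(
    r"(?P<win32>[0-9A-Fa-f]{4,8}): LdapErr: DSID-(?P<dsid>[0-9A-Fa-f]{8}), "
    r"comment: (?P<comment>.*?), data (?P<data>[0-9A-Fa-f]+), v(?P<version>[0-9A-Fa-f]+)"
)
WIN32_NAMES = {0x4DC: "ERROR_NOT_AUTHENTICATED"}


def parse_ad_ldap_diag(text: str) -> dict:
    """Split an AD 'LdapErr' diagnostic string into its fields."""
    m = AD_DIAG.search(text)
    if not m:
        raise ValueError("not an AD LdapErr diagnostic: %r" % text)
    win32 = int(m.group("win32"), 16)
    return {
        "win32": win32,
        "win32_name": WIN32_NAMES.get(win32, "unknown"),
        "dsid": m.group("dsid"),
        "comment": m.group("comment"),
        "data": int(m.group("data"), 16),  # sub-code, hex (e.g. 52e on bind failures)
        "version": m.group("version"),
    }


def decode_capture(dump: str) -> dict:
    """Hex rows -> diagnostic text (NUL-terminated on the wire) -> parsed fields."""
    text = hexdump_to_bytes(dump).rstrip(b"\x00").decode("ascii")
    return parse_ad_ldap_diag(text)


if __name__ == "__main__":
    for key, value in decode_capture(CAPTURE).items():
        print("%-10s %s" % (key, value))
```

A "data 0" here is not a bind sub-code: the failing operation is the search itself (LDAP result code 1, operationsError), which is why the SSO log elsewhere in this thread reports "Operations error LDAP error [code: 1]" from ldap_one_paged_search rather than an invalid-credentials (49) bind error.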
It says a successful bind must be performed. Did you specify the Base DN and the other things properly?
No, I can't. How can I do this in Active Directory (Integrated Windows Authentication)?
The document I used to configure it: http://www.vladan.fr/vcsa-5-5-installation-configuration-part-2/
Of course, I know that I can set up AD DS with the second option (LDAP), but I want to do it like in the link.
Regards,
p.
Hi,
Please follow the steps below to properly configure the VCVA with AD and add AD as an identity source of type Active Directory (Integrated Windows Authentication) using the machine account:
Requirements:
A. Configure networking; please refer to the "First start of virtual Appliance" section in https://www.vmware.com/support/developer/studio/studio26/va_user.pdf
B. Use the Likewise binary to try looking up SRV records:
/opt/likewise/bin/lw-get-dc-name <your_domain_name>
Process:
1. Fresh deployment of VCVA.
2. Open VAMI at port 5480.
3. Configure Likewise under vCenter Server -> Authentication. Bind the VCVA machine to the domain using Administrator credentials. The UI says you need a restart for it to take effect, but it doesn't actually.
4. Log in to the VCVA Web Client on port 9443 as administrator@vsphere.local / vmware
5. Go to Administration -> Configuration
6. Add identity source.
7. Pick Use Machine Account.
8. Domain from step 3 should be automatically selected.
9. Select Active Directory (integrated Windows Authentication).
10. Open Users and Groups
11. Select domain from dropdown
12. See list of users.
I will try to update this if an official KB document becomes available.
Thanks
Srinu
That's exactly what I've done, step by step, and still the same problem.
vcenter2:~ # /opt/likewise/bin/lw-get-dc-name my.domain.com
Printing LWNET_DC_INFO fields:
===============================
dwDomainControllerAddressType = 23
dwFlags = 12796
dwVersion = 5
wLMToken = 65535
wNTToken = 65535
pszDomainControllerName = DC2.my.domain.com
pszDomainControllerAddress = 10.123.5.21
pucDomainGUID(hex) = 34 DC 27 8B 03 FA B4 4B A0 89 AE 84 29 29 4E A3
pszNetBIOSDomainName = BM
pszFullyQualifiedDomainName = my.domain.com
pszDnsForestName = my.domain.com
pszDCSiteName = Default-First-Site-Name
pszClientSiteName = Default-First-Site-Name
pszNetBIOSHostName = DC2
pszUserName = <EMPTY>
Hello, try to disjoin from the domain (remove the Active Directory role), then join again and then try to do it again. Hope this helps.
Your Oscar
I hope DNS resolution is proper in the appliance for the DC machine and vice versa. I also noticed that "pszUserName = <EMPTY>". Shouldn't it be the domain user/Administrator account name?
Just wanted to say I'm having the exact same problem. You are not configuring it wrong; something is not working right. Adding our domain as "AD as LDAP" gives me a different set of errors. So far I'm not impressed with the new and improved SSO 5.5. I've had an SR open for about a week now; I'll update this if they find out what is going on.
I am not using the vCenter 5.5 appliance, but I have a fresh install of vCenter 5.5 and I am also having issues logging in with my AD credentials. I can only log in to the vCenter server using the Web Client with the administrator@vsphere.local account, so I tried adding mydomain.local in the Web Client console as the default identity source, and I was able to add my groups/users on the vCenter Permissions tab, but I am still not able to connect using any of the accounts I added to the vCenter permissions.
Does anyone know if SSO 5.5 has a bug with AD authentication, or if something else needs to be done? At this point I can only manage it using the default account administrator@vsphere.local. This is in a lab before migrating to production, so this is expected for a POC/RD/TEST lab.
Thanks in advance.
I am still not able to resolve it with a fresh install of vCenter 5.5, but I tried loading the vCenter 5.5 appliance and did the same procedure: added mydomain.local as an identity source, set it as default and added mydomain\username, and I was able to log in with AD credentials, but still not on the freshly installed vCenter 5.5 server.
Do we know if this is a known bug or something else that makes it unable to authenticate? Has anyone experienced the same issue or not? If not, can you tell me you're doing just fine without any issue with a fresh install?
I'm currently aware of two issues related to AD authentication. For both of them, VMware provides a workaround/solution in the KB.
http://kb.vmware.com/kb/2060873
http://kb.vmware.com/kb/2060901
André
Thanks A.P.
The KB article on Windows 2012 and SSO 5.5 is indeed the problem, and following the instructions to replace the IDM.dll file with the new one provided in the article fixed the problem. But you will need to restart the vCenter 5.5 server for this to work, because what's in the KB didn't work for me until I rebooted, after which I was able to log in.
Perhaps it could take time for AD replication or whatever else is needed, but if it doesn't work, just reboot your vCenter and it should be fixed.
Thanks again.
Please try to follow the KB article below and create a PTR record for your domain controller:
Did you manage to remove and re-join to the domain?
What was the outcome?
I had the same problem; the PTR record was the issue for me (see the troubleshooting KB).
Hello All,
I had the same issue when I created my lab environment. Peter_dyer123 is absolutely right, and what the KB does not mention is that an Active Directory DNS out of the box does not create a reverse lookup zone. It is not needed to run AD, but some applications (like the VCSA) need it. No reverse lookup zone means no PTR record. Do not create a PTR in the forward lookup DNS zone; that is bad form.
Create a reverse lookup zone using this link:
Once you have done that you'll need to specify your Network ID (during zone creation). For basic installs, this is the same subnet that your AD/DNS server is in (NOT the subnet mask).
Once completed, you may need to manually add the PTR record of your Active Directory server into the reverse lookup zone. In theory you shouldn't, BUT I needed to do this to get it working.
Let me know if this helps others.
-Ryan
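Srinu's requirement B (check that the Likewise locator finds a DC) and the PTR-record fix described in the posts above are two halves of one precondition: the DC name the locator returns must resolve forward to the address it chose, and that address must resolve back (PTR) to the same name, because a Kerberos client canonicalizes the DC host name through reverse DNS to build the host SPN it requests a ticket for; with no PTR the GSSAPI bind never completes and the search runs unbound. The following is an added example, not code from the thread or from VMware, that parses the lw-get-dc-name output quoted earlier and checks that consistency. Assumptions: the "name = value" layout of lw-get-dc-name shown in the thread, the poster's placeholder DC name and address as constructed sample input, and forward/reverse lookups done with the Python socket module (injectable so the check can be exercised against a fake resolver offline).

```python
import re
import socket

# Constructed sample input: the lw-get-dc-name output quoted earlier in the
# thread (the poster's own placeholder names and addresses).
LW_OUTPUT = """\
Printing LWNET_DC_INFO fields:
===============================
dwDomainControllerAddressType = 23
dwFlags = 12796
dwVersion = 5
wLMToken = 65535
wNTToken = 65535
pszDomainControllerName = DC2.my.domain.com
pszDomainControllerAddress = 10.123.5.21
pucDomainGUID(hex) = 34 DC 27 8B 03 FA B4 4B A0 89 AE 84 29 29 4E A3
pszNetBIOSDomainName = BM
pszFullyQualifiedDomainName = my.domain.com
pszDnsForestName = my.domain.com
pszDCSiteName = Default-First-Site-Name
pszClientSiteName = Default-First-Site-Name
pszNetBIOSHostName = DC2
pszUserName = <EMPTY>
"""

FIELD = re.compile(r"^\s*([\w()]+)\s*=\s*(.*?)\s*$")


def parse_lw_get_dc_name(text):
    """Turn the 'name = value' lines of lw-get-dc-name into a dict; other lines are ignored."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def forward_lookup(name):
    """A record via the appliance's resolver (raises socket.gaierror when absent)."""
    return socket.gethostbyname(name)


def reverse_lookup(addr):
    """PTR record via the appliance's resolver (raises socket.herror when absent)."""
    return socket.gethostbyaddr(addr)[0]


def _canon(name):
    return name.lower().rstrip(".")


def check_dc_dns(fields, forward=forward_lookup, reverse=reverse_lookup):
    """Return a list of problems; empty when A and PTR agree with the DC the locator picked.

    forward/reverse are injectable (any callable raising OSError/LookupError on
    a miss) so the check can run against a fake resolver; the defaults use the
    system resolver, i.e. the DNS the appliance itself is configured with.
    """
    problems = []
    name = fields.get("pszDomainControllerName", "")
    addr = fields.get("pszDomainControllerAddress", "")
    if not name or not addr:
        return ["lw-get-dc-name returned no DC name/address (SRV lookup for the domain failed?)"]
    try:
        a = forward(name)
    except (OSError, LookupError):
        return ["no A record for %s" % name]
    if a != addr:
        problems.append("A record for %s is %s, but the locator chose %s" % (name, a, addr))
    try:
        ptr = reverse(addr)
    except (OSError, LookupError):
        problems.append("no PTR record for %s (reverse zone missing or DC not registered in it)" % addr)
        return problems
    if _canon(ptr) != _canon(name):
        problems.append("PTR for %s is %s, expected %s (Kerberos would request the wrong host SPN)"
                        % (addr, ptr, name))
    return problems


if __name__ == "__main__":
    import sys
    dc = parse_lw_get_dc_name(sys.stdin.read())
    for line in check_dc_dns(dc) or ["DC forward/reverse DNS consistent: %s <-> %s"
                                     % (dc.get("pszDomainControllerName"),
                                        dc.get("pszDomainControllerAddress"))]:
        print(line)
```

On the appliance this would be run as `/opt/likewise/bin/lw-get-dc-name my.domain.com | python check_dc_dns.py` (the script name is a placeholder). A stale PTR that points at a different host, as in the mismatch case the checker reports, is as harmful as a missing one: the client would ask for a ticket for a service principal the DC does not hold, and the bind fails the same way.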
I was having the same issue.
After checking the DNS entries, I found there was no PTR record pointing to the AD server in the Reverse Lookup Zone.
I manually added an entry in the Reverse Lookup Zone pointing to the AD hostname, and this error "cannot load users from selected domain" in SSO was gone and I was able to see the users.
Hope this helps.
Abby
Hi All,
I'm also having this issue; I'm getting intermittent errors of the server taking too long to respond and not having permissions. It all worked fine for about 6 hours and has broken again...
It did work for me on vCSA 5.5.0a, and the upgrade to 5.5.0b broke it.
DNS PTR is set up and lw-get-dc-name looks OK, but the SSO log shows strange errors:
vmware-sts-idmd.log:
2014-01-20 09:21:21,947 WARN [LdapErrorChecker] Error received by LDAP client: com.vmware.identity.interop.ldap.LinuxLdapClientLibrary, error code: 1
2014-01-20 09:21:21,947 ERROR [LinuxLdapClientLibrary] Exception when calling ldap_one_paged_search: base=DC=tpip,DC=org, scope=2, filter=(objectClass=user), attrs=[Ljava.lang.String;@413249b, attrsonly=0, sizelimit=0
com.vmware.identity.interop.ldap.OperationsErrorLdapException: Operations error LDAP error [code: 1]
    at com.vmware.identity.interop.ldap.LdapErrorChecker$1.RaiseLdapError(LdapErrorChecker.java:32)
    at com.vmware.identity.interop.ldap.LdapErrorChecker.CheckError(LdapErrorChecker.java:826)
    at com.vmware.identity.interop.ldap.LinuxLdapClientLibrary.CheckError(LinuxLdapClientLibrary.java:781)
    at com.vmware.identity.interop.ldap.LinuxLdapClientLibrary.ldap_one_paged_search(LinuxLdapClientLibrary.java:565)
    at com.vmware.identity.interop.ldap.LdapConnection$5.call(LdapConnection.java:635)
    at com.vmware.identity.interop.ldap.LdapConnection$5.call(LdapConnection.java:632)
    ...
AD is Windows 2012 R2
I had this problem too. Clean deployment of vCenter 5.5b. It wasn't the PTR record issue; it was an AD clean-up issue. I've had a number of vcnj.corp.com instances over time, and I had bum computer objects in AD referring to VCNJ from a previous life.
Resolution: I blew away the old computer objects, removed the vCSA authentication, and then re-added it to the domain. Success...
Regards
Mike