Skip to main content

Unable to Access VMware vSphere Client Using Domain ID

In normal implementation, it is always a best practice to provide permission per group, rather than per individual ID. Simple reason is, it is easy to administer and manage. Therefore, it was what I did in one of my vCenter implementation, but I could not make it work. It just did not allow me to login using my Domain ID (which configured as part of Local Administrators members in vCenter server), although local ID (part of Local Administrators members as well) worked as expected.

Issues :
Error while connecting to vCenter Server using VMware vSphere Client. Error is :

Error Connecting
The vSphere Client could not connect to 
"vCenter Server Name"
You do not have permission to login to the server :
"vCenter Server Name"
 






Troubleshooting 
  1.  Assigned appropriate domain ID (MyDomain\DomainAdminID) to a Domain Group (MyDomain\Domain Admins)
  2.  Assigned that Domain Group to Local Administrators in vCenter server
  3. (Double kill!) Assigned that Domain ID (MyDomain\DomainAdminID) to Local Administrators in vCenter server.

  4. Configured Local Administrators with Full Admin Role in vCenter Permissions. Note that above Domain ID was not configured here. Local ID (.\ctxadmin) that will be used to test also not be configured here.

  5. Tried to access vCenter using that domain ID, error prompted



  6. Tried to access vCenter using local ID, successful


     
  7.  Session with local ID.


Resolution :
It seems that starting from vSphere 5.5, configuring domain IDs/groups to local groups will cause the issue. Based on VMware KB  : 

Resolution
 This is an expected behavior.
To resolve this issue, give explicit permissions to Users or Groups from their respective Identity Sources. For example:
  • Only populate Local OS groups with Local OS users or groups
  • Only populate Active Directory groups with Active Directory users or groups

In order to do so :
  1.  Add User ID / group to vCenter. Choose the domain, search the ID / group, and add them accordingly.


  2.  Able to access, no error


  3.  Session active with AD user ID.


Reference 

  • http://blogs.vmware.com/vsphere/2013/09/vcenter-single-sign-on-5-5-not-recognizing-nested-active-directory-groups.html
  • http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2059528

Comments

Popular posts from this blog

How To Change NetBIOS Name of A Computer

So yes... After 4 months without new contents, so I started with this. It looks easier to do (well, it is), but before you do that, you may want to read this  to understand the difference between hostname and netBIOS, then starts to explore on when to use them, their limitations etc etc. I won't discuss here (or maybe not today). So let's back to the topic.   Description : Changing NetBIOS Name of A Computer. ComputerName : NetBIOS : How To Do :  Go to Start > Run , and type REGEDIT  Browse to Computer > HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Control > ComputerName > ComputerName At the right side, double click at ComputerName string, and put correct Value data . Press OK .  Then you will get this Reboot your computer / VM. Once it is up, double check your netBIOS name. New name shall be reflected

Session Settings Not Listed in Citrix Web Interface web site.

In previous post , I mentioned on what need to be done by users in case the publsihed applications did not successfully launched in seamless mode. However, in some cases, users might not be able to see the option. This post will help to solve it. Issues : Session Settings preference is not listed in Citrix Web Interface web site. This is due to the option is not enabled. It can be checked at Citrix Web Interface Management Console. Troubleshooting   Launch Citrix Web Interface Management Console . Browse to Citrix Web Interface > XenApp Web Sites . You will see lists of created Sites.  Right click at the required farm URL.  Choose S e ssion Preference  This window will appeared. Browse to Remote Connnection > Display . You will see the option " Allow users to customize window size " is unchecked . Resolution : Check the option " Allow users to customize window size ", and press OK  Get users to refresh the Web

Microsoft Assessment and Planning (MAP) Toolkit - Extract Report (3/4)

As mentioned in  the first post , this KB series is about Microsoft Assessment and Planning (MAP) Toolkit. There are 4 main steps : Install MAP Toolkit and its basic configuration Collect inventory Data  Extract Report Extract Advanced Report Once inventory data collected, we can generate reports. From the inventory data collected earlier, we can use options in the toolkit to generate the report. For this example, we re going to discover Windows 10 Readiness This KB is about  how to generate report from collected inventory data. At Overview page, select the targeted scenario category. In this example, it is Desktop . At this page, select specific scenario that we after. In this example, it is Windows 10 Readiness.     It is possible to customize assessment properties. The properties will set the threshold of the assessment, such as, threshold for minimum CPU speed, acceptable free disk, as well as minimum assigned RAM. To do so, select Customize assessment pr