In normal implementation, it is always a best practice to provide permission per group, rather than per individual ID. Simple reason is, it is easy to administer and manage. Therefore, it was what I did in one of my vCenter implementation, but I could not make it work. It just did not allow me to login using my Domain ID (which configured as part of Local Administrators members in vCenter server), although local ID (part of Local Administrators members as well) worked as expected.
Issues :
Error while connecting to vCenter Server using VMware vSphere Client. Error is :
Error ConnectingThe vSphere Client could not connect to"vCenter Server Name"You do not have permission to login to the server :"vCenter Server Name"
Troubleshooting
- Assigned appropriate domain ID (MyDomain\DomainAdminID) to a Domain Group (MyDomain\Domain Admins)
- Assigned that Domain Group to Local Administrators in vCenter server
- (Double kill!) Assigned that Domain ID (MyDomain\DomainAdminID) to Local Administrators in vCenter server.
- Configured Local Administrators with Full Admin Role in vCenter Permissions. Note that above Domain ID was not configured here. Local ID (.\ctxadmin) that will be used to test also not be configured here.
- Tried to access vCenter using that domain ID, error prompted
- Tried to access vCenter using local ID, successful
- Session with local ID.
Resolution :
It seems that starting from vSphere 5.5, configuring domain IDs/groups to local groups will cause the issue. Based on VMware KB :
Resolution
This is an expected behavior.
To resolve this issue, give explicit permissions to Users or Groups from their respective Identity Sources. For example:
- Only populate Local OS groups with Local OS users or groups
- Only populate Active Directory groups with Active Directory users or groups
In order to do so :
- Add User ID / group to vCenter. Choose the domain, search the ID / group, and add them accordingly.
- Able to access, no error
- Session active with AD user ID.
Reference
- http://blogs.vmware.com/vsphere/2013/09/vcenter-single-sign-on-5-5-not-recognizing-nested-active-directory-groups.html
- http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2059528
Comments
Post a Comment