Issues with authentication when running vSphere 5.5 with AD and SSO server on Windows Server 2012

This week I spent a considerable amount of time trying to first of all upgrade a vSphere 5.1 environment to 5.5, and then trying to build a new 5.5 environment up from scratch.

In both cases, the core environment was configured as follows:

 

  • Windows Server 2012 AD
  • Windows Server 2012 vCenter Server 5.5 + SSO
  • Windows Server 2012 with SQL Server 2012 for vCenter database

 

The upgrade process went fairly smoothly as expected. However, every time I tried to login to vCenter as a domain user via the vSphere Web Client, I would receive a message stating “cannot parse group information“. I did not find too much in terms of helpful messages in any logs, and the SSO log file that existed with vCenter 5.1 under the C:\ProgramData\VMware…\… folder does not seem to exist anymore (who knows where this went!)

However, after much struggling, I finally got the authentication working for users. Here is my authentication source configuration:

ad-ldap-source

The critical bit I found needed to actually login to the vSphere web client or the vSphere client (C# windows app) was that the format for usernames needed to be:

username@domainname.lan

 

For example:

vsphere-client-55-login-example

 

Any other format for the username that you would expect to work (like mydomain\username) would just fail, and in the web client you would see the error “cannot parse group information”.

 

This morning I saw that VMware had announced an issue specifically with this kind of configuration (AD on 2012 with SSO on 2012 server), and have posted a workaround. I have not yet tested their official workaround and patch yet, but found that the above worked for me. All my logins needed to be in the above format though – PowerCLI, VMware 3rd party apps, vSphere client etc…

Fun tweets relating to the experience:

Looks like the beta testing of vSphere 5.5 failed to pick up on this scenario then.

Leave a Comment