Issues with authentication when running vSphere 5.5 with AD and SSO server on Windows Server 2012
This week I spent a considerable amount of time trying to first of all upgrade a vSphere 5.1 environment to 5.5, and then trying to build a new 5.5 environment up from scratch.
In both cases, the core environment was configured as follows:
- Windows Server 2012 AD
- Windows Server 2012 vCenter Server 5.5 + SSO
- Windows Server 2012 with SQL Server 2012 for vCenter database
The upgrade process went fairly smoothly as expected. However, every time I tried to log in to vCenter as a domain user via the vSphere Web Client, I would receive a message stating “cannot parse group information”. I did not find too much in terms of helpful messages in any logs, and the SSO log file that existed with vCenter 5.1 under the C:\ProgramData\VMware…\… folder does not seem to exist anymore (who knows where this went!).
However, after much struggling, I finally got the authentication working for users. Here is my authentication source configuration:
The critical bit I found needed to actually log in to the vSphere Web Client or the vSphere Client (C# Windows app) was that the format for usernames needed to be:
Any other format for the username that you would expect to work (like mydomain\username) would just fail, and in the web client you would see the error “cannot parse group information”.
This morning I saw that VMware had announced an issue specifically with this kind of configuration (AD on 2012 with SSO on 2012 server), and has posted a workaround. I have not yet tested their official workaround and patch, but found that the above worked for me. All my logins needed to be in the above format though – PowerCLI, VMware 3rd party apps, vSphere Client etc…
Fun tweets relating to the experience:
Updating one of the work lab environments to vSphere 5.5 GA 🙂
— Sean Duffy (@shogan85) September 23, 2013
SSO with vCenter Server 5.5. Not fun. Glad I seem to have fixed this issue now though. So much for it being "vastly improved for the better"
— Sean Duffy (@shogan85) September 24, 2013
Looks like the beta testing of vSphere 5.5 failed to pick up on this scenario then.