Troubleshooting Single Sign-On and Active Directory domain authentication with the vCenter Server Appliance (2033742)
After you successfully enable Active Directory domain authentication from the Authentication tab of the Web Console, you cannot log in to vCenter Server as an Active Directory domain user.
Verify that Single Sign-On autodiscovered the Active Directory domain
- Log in to the vSphere Web Client as the Single Sign-On administrator.
- From Administration, select Sign-on and Discovery, then click Configuration.
- On the Identity Sources tab, search for your Active Directory domain in the list.
If the Active Directory domain is not present in the list
If the Active Directory domain does not appear in the list, it was probably not autodiscovered by Single Sign-On. Use the following steps to correct the problem.
1. Open /var/log/vmware/vpx/sso_cfg.log and verify that you see lines in the log that include the Active Directory domain, DNS name, NetBIOS name, the primary controller and, if one exists, the secondary controller.
2. Note the names of the controllers.
3. Synchronize the clocks between the vCenter Server Appliance and the Active Directory domain controllers. For best results, use a central NTP server and automatic synchronization.
4. Verify that each domain controller has a pointer record (PTR) in the Active Directory domain DNS service, and that the PTR record information matches the DNS name of the controller. One way to do this is through the command line on the vCenter Server Appliance:
   # dig my-controller.my-ad.com
   ;; ANSWER SECTION:
   my-controller.my-ad.com (...) IN A <controller IP address>
   # dig -x <controller IP address>
   ;; ANSWER SECTION:
   <IP-in-reverse>.in-addr.arpa. (...) IN PTR
5. If the controller LDAP services are SSL-enabled, verify that the SSL certificate is valid.
6. If steps 1 through 5 did not resolve the problem, remove the vCenter Server Appliance from the Active Directory domain and then rejoin the domain.
7. After steps 1 through 6 are complete, restart Single Sign-On.
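The forward/reverse DNS check above can be scripted so that every controller noted from sso_cfg.log is verified in one pass. This is an added example, not part of the VMware article; it assumes dig is installed on the appliance, and the controller names passed to it are placeholders.

```shell
#!/bin/sh
# Added example: confirm that each domain controller's A record and PTR record
# agree, which is what Single Sign-On autodiscovery relies on. Controller names
# are supplied as arguments (placeholders such as dc1.my-ad.com).

# Normalize a DNS name for comparison: lowercase, no trailing dot.
norm_name() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//'
}

# Succeed when the PTR target ($2) names the same host as the forward name ($1).
ptr_matches() {
    [ "$(norm_name "$1")" = "$(norm_name "$2")" ]
}

# Look up the A record(s) of one controller, then the PTR of each address,
# and report any address whose PTR is missing or points somewhere else.
check_dc_dns() {
    host="$1"
    status=0
    ips=$(dig +short A "$host")
    if [ -z "$ips" ]; then
        echo "FAIL: no A record for $host"
        return 1
    fi
    for ip in $ips; do
        ptr=$(dig +short -x "$ip")
        if [ -z "$ptr" ]; then
            echo "FAIL: $ip has no PTR record"; status=1
        elif ptr_matches "$host" "$ptr"; then
            echo "OK:   $host -> $ip -> $ptr"
        else
            echo "FAIL: $ip PTR is '$ptr', expected '$host'"; status=1
        fi
    done
    return $status
}

# With controller names on the command line, check each one; the overall
# exit status is non-zero if any controller failed.
rc=0
for dc in "$@"; do
    check_dc_dns "$dc" || rc=1
done
[ "$#" -eq 0 ] || exit $rc
```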
If this procedure does not correct the problem, add the domain manually from the Identity Sources tab in the vSphere Web Client, supplying a user name and password for the domain. The domain can be added this way, but Windows session authentication from the vSphere Web Client will not be available.
If the domain is present in the Identity Sources list, you have two login options.
- Use the qualified name. For example, log in with user@domain or DOMAIN\user.
- If your organization requires you to authenticate with an unqualified name, add the domain to the list of default domains.
Active Directory users might have a custom UPN suffix instead of the domain name. For example, the user name firstname.lastname@example.org can be customized to email@example.com. Active Directory users with these custom suffixes cannot log in to the vSphere Web Client with Windows session credentials when vCenter Single Sign-On is installed on a Windows system.