After upgrading to VMware vCenter Server 5.5.0b or later, users from a child domain are no longer able to log in
Article ID: 342347
Products
VMware vCenter Server
Issue/Introduction
Symptoms:
After upgrading from VMware vCenter Server 5.5.0x to 5.5.0b or later, users from a child domain are no longer able to log in.
Users may be able to log in by specifying the credentials in the child.domain\username format when logging in.
If vCenter Server is a member of a child domain, adding the domain using Integrated Windows Authentication (IWA) causes the display of the domain name within the vSphere Client or vSphere Web Client to change from child.domain.com to domain.com.
Environment
VMware vCenter Server 6.5.x
VMware vCenter Server 6.7.x
VMware vCenter Server 6.0.x
VMware vCenter Server 7.0.x
Cause
This is expected behavior when upgrading to vSphere 5.5.0b or later, and results from changes to identity source management and default domain handling in vCenter Single Sign-On.
Resolution
To change the behavior of the identity source, change the default domain on the Single Sign-On (SSO) server from the domain that was created during the upgrade.
Windows-based Single Sign-On (SSO)
Note: Replace example.com with the desired default domain from your environment. The contents of the .ldif file should be terminated with "-".
As an Administrator, click Start > Run, type cmd and then click OK.
Run the C:\>ldifde command to confirm that the ldifde tool is available. This returns a list of available commands.
If the tool is not present, install it by running this command:
Note: If the Identity Source is later reconfigured in the vSphere Web Client under Single Sign-On > Configuration, you must repeat the steps in this resolution.