After upgrading to VMware vCenter Server 5.5.0b or later, users from a child domain are no longer able to log in
Article ID: 342347

Products

VMware vCenter Server

Issue/Introduction

Symptoms:
  • After upgrading from VMware vCenter Server 5.5.0x to 5.5.0b or later, users from a child domain are no longer able to log in.
  • Users may be able to log in by specifying the credentials in the child.domain\username format when logging in.
  • If vCenter Server is a member of a child domain, adding the domain using Integrated Windows Authentication (IWA) causes the display of the domain name within the vSphere Client or vSphere Web Client to change from child.domain.com to domain.com.


Environment

VMware vCenter Server 6.5.x
VMware vCenter Server 6.7.x
VMware vCenter Server 6.0.x
VMware vCenter Server 7.0.x

Cause

This is an expected behavior when upgrading to vSphere 5.5.0b or later versions as a result of changes in the identity source management and the default domain handling in vCenter Single Sign-On.

Resolution

To change this behavior, change the default domain on the Single Sign-On (SSO) server from the domain that was set as the default during the upgrade to the desired default domain.

Windows-based Single Sign-On (SSO)

Note: The ldifde command in this procedure imports a defaultdomain.ldif file with the same contents as the file shown in the vCenter Server Appliance section below. Replace example.com with the desired default domain from your environment, and make sure the contents of the .ldif file are terminated with "-".

  • As an Administrator, click Start > Run, type cmd and then click OK.
  • Run ldifde at the C:\> prompt with no arguments to confirm that the ldifde tool is available. This returns a list of the available options.
  • If the tool is not present, install it by running this command:

    C:\>ServerManagerCmd -i RSAT-ADDS-Tools

    For Windows 2012, run this PowerShell command:

    Install-WindowsFeature RSAT-ADDS

  • Run this command to update the default domain (the trailing * makes ldifde prompt for the password):

    C:\>ldifde -i -f filepath\defaultdomain.ldif -s localhost -t 11711 -a "cn=Administrator,cn=Users,dc=vsphere,dc=local" *

  • When prompted, enter the administrator@vsphere.local Single Sign-On (SSO) password.
  • The command should complete successfully.

vCenter Server Appliance-based Single Sign-On (SSO)

  1. Connect to the machine that is running the SSO instance.
  2. Create the defaultdomain.ldif file containing this information using a plain text editor:

    dn: cn=vsphere.local,cn=Tenants,cn=IdentityManager,cn=Services,dc=vsphere,dc=local
    changetype: modify
    replace: vmwSTSDefaultIdentityProvider
    vmwSTSDefaultIdentityProvider: example.com
    -

    Note: Replace example.com with the desired default domain from your environment. The contents of the .ldif file should be terminated with "-".

  3. Open a console to the vCenter Server Appliance.
  4. Run this command to update the default domain:

    /opt/likewise/bin/ldapmodify -f filepath/defaultdomain.ldif -h localhost -p 11711 -D "cn=Administrator,cn=Users,dc=vsphere,dc=local" -W

  5. When prompted, enter the administrator@vsphere.local SSO password.
  6. The command should complete successfully.

Note: If the Identity Source is later reconfigured in the vSphere Web Client under Single Sign-On > Configuration, you must repeat the steps in this resolution.
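The appliance procedure above, collected into one script as an added example (this is not VMware's code and not part of the original article). It builds the defaultdomain.ldif file from a domain name given on the command line, checks that the domain looks like a DNS name and that the file ends with the "-" terminator the article requires, and then runs the ldapmodify command from step 4. The output path /tmp/defaultdomain.ldif and the DRY_RUN variable, which prints the command instead of applying it, are assumptions of this example; the -W option prompts for the administrator@vsphere.local password as in the article.

```shell
#!/bin/sh
# Added example, not VMware's code: generate, sanity-check and apply the
# defaultdomain.ldif file that changes the SSO default identity source.

# Print the LDIF record from the article that replaces
# vmwSTSDefaultIdentityProvider on the vsphere.local tenant.
build_ldif() {
  domain="$1"
  printf 'dn: cn=vsphere.local,cn=Tenants,cn=IdentityManager,cn=Services,dc=vsphere,dc=local\n'
  printf 'changetype: modify\n'
  printf 'replace: vmwSTSDefaultIdentityProvider\n'
  printf 'vmwSTSDefaultIdentityProvider: %s\n' "$domain"
  printf '%s\n' '-'    # the "-" terminator the article requires
}

# Accept only a DNS-style domain name (labels of letters, digits and hyphens,
# at least one dot), so a typo or a "child.domain\user" string cannot become
# the default identity provider.
valid_domain() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)+$'
}

# Check a written .ldif file: a modify record for the expected attribute,
# and the "-" terminator as its last line.
check_ldif() {
  file="$1"
  grep -q '^changetype: modify$' "$file" &&
  grep -q '^replace: vmwSTSDefaultIdentityProvider$' "$file" &&
  [ "$(tail -n 1 "$file")" = "-" ]
}

main() {
  domain="$1"
  out="${2:-/tmp/defaultdomain.ldif}"   # assumed output path
  if ! valid_domain "$domain"; then
    echo "not a valid DNS domain name: $domain" >&2
    return 1
  fi
  build_ldif "$domain" > "$out"
  check_ldif "$out" || { echo "generated LDIF failed sanity check" >&2; return 1; }
  echo "wrote $out:"
  cat "$out"
  # Apply with the command from the article. -W prompts for the
  # administrator@vsphere.local password. DRY_RUN=1 (assumed) only previews.
  if [ -n "${DRY_RUN:-}" ]; then
    echo "DRY_RUN set; would run: /opt/likewise/bin/ldapmodify -f $out -h localhost -p 11711 -D \"cn=Administrator,cn=Users,dc=vsphere,dc=local\" -W"
    return 0
  fi
  /opt/likewise/bin/ldapmodify -f "$out" -h localhost -p 11711 \
    -D "cn=Administrator,cn=Users,dc=vsphere,dc=local" -W
}

# Runs only when a domain is given, e.g.:
#   DRY_RUN=1 sh set_default_domain.sh child.example.com
if [ $# -gt 0 ]; then
  main "$@"
fi
```

Run it once with DRY_RUN=1 to see the generated file and the exact ldapmodify command, then without DRY_RUN on the appliance console to apply the change; the article's closing note still applies, so rerun it after any later change to the identity source in the vSphere Web Client.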