
Adding an Active Directory identity source in vCenter Single Sign-On 5.5 fails with the error: The host is required to join to domain [domain.local] but joined to [null] (2058919)

Symptoms

  • Cannot add a vCenter Single Sign-On (SSO) Active Directory identity source
  • Adding the identity source fails
  • You see the error:

    The "Add identity source" operation failed for the entity with the following error message. 

    The host is required to join to domain [domain.local] but joined to [null] 

  • When setting up a new Active Directory (Integrated Windows Authentication) identity source, you used the Use machine account option
  • vCenter Server is not joined to an Active Directory domain
  • The Domain name field on the Add identity source window displays WORKGROUP

Cause

Using a machine account when configuring an Active Directory identity source for vCenter Server requires that the Windows system be joined to the domain. If the system is not joined to the domain, SSO cannot leverage the machine account to create the identity source and perform its function as the secure token service user.

Because vCenter Server Virtual Appliance (VCVA) is Linux-based, it cannot use the Use machine account option. If the VCVA is joined to the domain, it can, however, detect the domain to which it belongs.

Resolution

To resolve this issue in VCVA 5.5, use only the Use SPN option.

For more information on setting up an SPN, see Creating and using a Service Principal Account in vCenter Single Sign-On 5.5 (2058298).

To resolve this issue in vCenter Server 5.5 installed on Windows Server, join your Windows server running vCenter Server to the domain and then add the Active Directory (Integrated Windows Authentication) identity source to SSO.

Note: If vCenter Server and SSO are installed on separate systems as part of a custom install, join both systems to the domain.
  1. Join your Microsoft Windows server running vCenter Server to the domain. For more information, see the Microsoft TechNet article How to Join Your Computer to a Domain.

    Note: The preceding link was correct as of September 19, 2013. If you find the link is broken, provide feedback and a VMware employee will update the link.

  2. Reboot the server for the changes to take effect.
  3. After the system is up and the services are started, add the Active Directory (Integrated Windows Authentication) identity source to SSO.

    To add the Active Directory (Integrated Windows Authentication) identity source to SSO:
    1. Log in to the vSphere Web Client as the SSO administrator, administrator@vsphere.local.
    2. Click Administration.
    3. If closed, expand Single Sign-On by clicking on the arrow to the left.
    4. Click Configuration.
    5. Click the Identity Sources tab.
    6. Click the Add Identity Source icon under the options menu.
    7. Select the Active Directory (Integrated Windows Authentication) option.

      Note: If the Domain name field is not automatically populated with the proper Windows DNS domain, enter the proper DNS domain.

    8. Select Use machine account and click OK.

      After the Active Directory identity source is configured, users from that domain can be added to vCenter Server.
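
The following PowerShell pre-check is an added example, not part of the original VMware article. It confirms, before you retry the Add identity source operation, that the Windows host is joined to the expected domain and that its machine account still has a working secure channel. The function name `Test-SsoMachineAccountReadiness` is hypothetical, and `domain.local` is the placeholder domain from the error message above.

```powershell
# Added example: run in an elevated Windows PowerShell session on the vCenter
# Server host (and on the SSO host as well, if SSO is installed separately).
function Test-SsoMachineAccountReadiness {
    param(
        [Parameter(Mandatory = $true)]
        [string]$ExpectedDomain   # DNS name of the domain to be added as an identity source
    )

    # A host that is still in a workgroup reports PartOfDomain = $false,
    # which is the state behind "joined to [null]".
    $cs = Get-WmiObject -Class Win32_ComputerSystem

    $result = New-Object PSObject -Property @{
        ComputerName    = $cs.Name
        PartOfDomain    = [bool]$cs.PartOfDomain
        JoinedTo        = $cs.Domain
        DomainMatches   = $false
        SecureChannelOk = $false
        Ready           = $false
    }

    if ($result.PartOfDomain) {
        # DNS domain names are case-insensitive, so compare with -ieq.
        $result.DomainMatches = ($cs.Domain -ieq $ExpectedDomain)

        # A joined host whose machine account trust is broken cannot
        # authenticate to the domain, so check the secure channel too.
        try {
            $result.SecureChannelOk = [bool](Test-ComputerSecureChannel -ErrorAction Stop)
        } catch {
            Write-Warning "Secure channel check failed: $($_.Exception.Message)"
        }
    }

    $result.Ready = $result.PartOfDomain -and $result.DomainMatches -and $result.SecureChannelOk
    return $result
}

# 'domain.local' is a placeholder; replace it with your Active Directory DNS domain.
$check = Test-SsoMachineAccountReadiness -ExpectedDomain 'domain.local'
$check | Format-List ComputerName, PartOfDomain, JoinedTo, DomainMatches, SecureChannelOk, Ready

if (-not $check.Ready) {
    Write-Warning 'Join this host to the domain and reboot before selecting Use machine account.'
}
```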
