vSphere SSO and Active Directory Upgrades – Version 5.1

So you just finished upgrading your Active Directory from the old 2003 version to 2012; all went smoothly without even a hint of an error message…

Mission accomplished, right?

Nope. Not if you are running vSphere vCenter 5.1 with SSO. It may work for a while; in fact, it may work for several weeks or even a month — but beware of the demon that is waiting to shut your access down.

Not that this actually happened to me ‘cause I never make mistakes… right?

vCenter SSO uses Active Directory to allow access to the vCenter server. In most cases, because of its integration into the installation process, you hit the “next” button to continue without a thought about what is happening on the back end, and you never notice that SSO establishes a connection to the domain via AD LDAP.

So what do you suppose happens to SSO when you move or re-arrange AD? (Hint: it severs your connection.) To make things worse, after you upgrade AD, log into vCenter and run all the tests in the world, you assume that your upgrade went smoothly.

Until…

One day, you try to log in with the Domain credentials, and you get this:


A general system error occurred: Authorize Exception

Geeze, and I thought everything checked out when I – uh, I mean, this other guy — tested his AD migration.

So let’s get to the point: What didn’t get finished up, and how do we fix it if we can’t log in?

There are many VMware KB articles that led me astray, such as the one that told me to remove the computer from AD and re-join it – WRONG! https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1015639

Fixing this issue is actually relatively simple. Log into the web client from the vCenter server:

https://localhost:9443/vsphere-client/#

Then, using the admin@system-domain account (hopefully you recorded the password somewhere), not administrator@vsphere.local as with later versions like 5.5, select Administration, Sign-On and Discovery, and Configuration. There you will find the one object that you didn’t migrate with AD: the LDAP configuration.


Next, check the settings. I bet they point to the old domain controllers, which are now in happy retirement.

So, remove it, and then add a new Identity Source:


Set it as the default domain, and then, if required, configure your permissions in vCenter.

Now you can log into vCenter using Domain authentication. Mission accomplished.
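A quick way to catch this before the three-week time bomb goes off is to probe the LDAP URLs your SSO identity source holds and flag any that point at domain controllers that no longer resolve or answer. The script below is an added example, not code from the original post or from VMware; the hostnames are constructed placeholders, and you would paste in the URLs from the Identity Source configuration screen.

```python
"""Probe the domain controllers behind vSphere SSO identity-source LDAP URLs.
Added example: the URLs below are constructed placeholders, not real hosts."""
import socket
from urllib.parse import urlsplit

# Constructed sample of what an SSO 5.1 identity source might still hold
# after an AD migration: the first entry is a retired 2003 DC.
IDENTITY_SOURCE_URLS = [
    "ldap://dc01-2003.corp.example:389",   # old DC, decommissioned
    "ldaps://dc03-2012.corp.example:636",  # new DC
]


def parse_ldap_url(url):
    """Return (host, port) from an ldap:// or ldaps:// URL, defaulting the port."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: %s" % url)
    port = parts.port or (636 if parts.scheme == "ldaps" else 389)
    return parts.hostname, port


def probe(host, port, timeout=3.0, resolve=socket.gethostbyname,
          connect=socket.create_connection):
    """Classify a DC endpoint: 'ok', 'unresolvable' (DNS record gone, the
    usual sign of a retired DC) or 'unreachable' (resolves, nothing listening).
    resolve/connect are injectable so the check can be unit-tested offline."""
    try:
        addr = resolve(host)
    except OSError:
        return "unresolvable"
    try:
        with connect((addr, port), timeout):
            return "ok"
    except OSError:
        return "unreachable"


def stale_sources(urls, **probe_kwargs):
    """Return the URLs whose DC is not answering: these are the entries that
    surface later as 'Authorize Exception' at login."""
    return [u for u in urls if probe(*parse_ldap_url(u), **probe_kwargs) != "ok"]


if __name__ == "__main__":
    for url in IDENTITY_SOURCE_URLS:
        host, port = parse_ldap_url(url)
        print("%-40s %s" % (url, probe(host, port)))
```

Run it from the vCenter server itself so DNS and firewall rules match what SSO actually sees.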

I sure feel sorry for that guy who forgot to do this. It took three weeks before the issue presented itself, and it is much harder to figure out what changed when the change was three weeks ago. So don’t make my – I mean, his – mistake!
