Adding AD authentication to VMware SSO 5.1

With the release of VMware vCenter Server 5.1 an important new component has arrived: the VMware Single Sign-On (SSO) server. It is one of the components of vCenter Server and must be installed before vCenter Server itself. A user now authenticates against the SSO server and receives a token that authenticates the user to the other vCenter components without having to sign on again.

Some users ran into minor issues when installing SSO. The most common one is “Error 29115 Cannot authenticate to DB”. The error I encountered myself was “Error 29155 Identity source discovery error”. According to KB 2034374 this is caused by a failed attempt to automatically discover an Active Directory domain. You can click OK on this error and continue the installation. Before installing the vCenter Server component it is advised to manually add Active Directory authentication to SSO.

Take the following steps:

  • Log in to the vSphere Web Client at https://<ip address>:9443/vsphere-client using the built-in SSO administrator account. For a Windows install of SSO this is the user “admin@System-Domain”; for the vCenter Server Virtual Appliance it is “root@System-Domain”. The password is the one you entered during installation of SSO.
  • Go to Administration – Sign-On and Discovery – Configuration. In the middle of the screen you’ll see the identity sources that are already present.
  • To add Active Directory if it is not already present, click the red plus sign in the upper menu bar.
  • In the pop-up window select “Active Directory” and fill out the form.

For my home lab the domain name is “vanzanten.local”; the primary and secondary URLs point to my two domain controllers. Use ldaps:// URLs where your domain controllers offer them, because with plain ldap:// the bind account’s password crosses the network in clear text. The Base DN for users is the OU where the default users reside, which in my case is the same as the Base DN for groups. Domain name is the FQDN and domain alias is the NetBIOS name of your Active Directory domain. The last section is the account SSO uses to bind to and query the AD. Since this is just a home lab I use my administrator account for this; in production this should be a dedicated service account with read-only rights on the Base DN, because SSO stores its password and every vCenter login depends on it. Press “Test Connection” to make sure your connection details are valid.

Still under investigation: in my test, entering different values for the Group and User Base DN does not seem to work correctly. Either an interface error or a bug, but when using two different values, after saving and then editing again, both values are identical.

After a successful test, click OK and you’ll see your newly created identity source. Next, add it to the default domains by clicking “Add to default domains” in the top bar; the identity source now also appears in the lower pane. Default domains are the ones SSO searches, in the order listed, when a user logs in without specifying a domain, so move the AD source to the top of the list using the arrows, and DON’T forget to press SAVE.
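As an added example (editor’s code, not from the original post or from VMware), the following Python checks a set of proposed form values before you press “Test Connection”: it derives the domain naming context from the FQDN, parses the Base DNs far enough to confirm they sit inside that context (an account outside the configured Base DN cannot log in, the problem a commenter below ran into), flags plain ldap:// URLs and mismatched ports, and insists on the username@domain form for the bind account, which is the form commenters report as working. The host names, OUs and service-account name are assumptions for illustration; the domain root is used as Base DN, as another commenter notes is sufficient.

```python
"""Sanity-check the values for the SSO "Add Identity Source" form."""
import re
from urllib.parse import urlsplit


def domain_to_base_dn(fqdn):
    """'vanzanten.local' -> 'DC=vanzanten,DC=local' (the domain's naming context)."""
    labels = [label for label in fqdn.strip().rstrip(".").split(".") if label]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join(f"DC={label}" for label in labels)


def parse_dn(dn):
    """Split a DN into (type, value) RDNs, honouring RFC 4514 backslash escapes.
    Both halves are lower-cased because AD compares DNs case-insensitively."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):  # escaped character: never a separator
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf))
    parsed = []
    for rdn in rdns:
        if "=" not in rdn:
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        attr, value = rdn.split("=", 1)
        parsed.append((attr.strip().lower(), value.strip().lower()))
    return parsed


def dn_is_under(dn, base):
    """True when dn equals base or lies beneath it (RDN suffix match)."""
    d, b = parse_dn(dn), parse_dn(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b


def check_identity_source(cfg):
    """Return the list of problems found in a proposed identity source (empty = looks fine)."""
    problems = []
    naming_context = domain_to_base_dn(cfg["domain"])

    for key in ("primary_url", "secondary_url"):
        url = cfg.get(key)
        if not url:
            continue
        u = urlsplit(url)
        if u.scheme not in ("ldap", "ldaps"):
            problems.append(f"{key}: scheme must be ldap or ldaps, got {u.scheme!r}")
            continue
        try:
            port = u.port
        except ValueError:
            problems.append(f"{key}: port is not a valid number")
            continue
        if u.scheme == "ldap":
            problems.append(f"{key}: plain ldap:// sends the bind password in clear text; use ldaps://")
        if port is None:
            problems.append(f"{key}: state the port explicitly (389/636, or 3268/3269 for the Global Catalog)")
        elif u.scheme == "ldaps" and port in (389, 3268):
            problems.append(f"{key}: ldaps:// on port {port}, which is a plaintext LDAP port")

    for key in ("user_base_dn", "group_base_dn"):
        try:
            if not dn_is_under(cfg[key], naming_context):
                problems.append(f"{key}: {cfg[key]!r} is not inside {naming_context}; "
                                "accounts outside the Base DN cannot log in")
        except ValueError as err:
            problems.append(f"{key}: {err}")

    user = cfg["bind_user"]
    if not re.fullmatch(r"[^@\\\s]+@[^@\\\s]+", user):
        problems.append("bind_user: use the username@domain (UPN) form; DOMAIN\\user was reported not to work")
    elif user.split("@")[0].lower() in {"administrator", "admin"}:  # naming heuristic only
        problems.append("bind_user: looks like a privileged account; SSO stores this password, "
                        "so use a dedicated read-only service account")
    return problems


# Constructed lab values (assumed host names, OUs and service account, mirroring the post's lab).
LAB_OK = {
    "domain": "vanzanten.local",
    "alias": "VANZANTEN",
    "primary_url": "ldaps://dc01.vanzanten.local:636",
    "secondary_url": "ldaps://dc02.vanzanten.local:636",
    "user_base_dn": "DC=vanzanten,DC=local",   # domain root is enough
    "group_base_dn": "DC=vanzanten,DC=local",
    "bind_user": "svc-sso-ldap@vanzanten.local",
}
LAB_RISKY = {**LAB_OK, "primary_url": "ldap://dc01.vanzanten.local",
             "user_base_dn": "OU=Staff,DC=other,DC=local",
             "bind_user": "Administrator@vanzanten.local"}
```

Running `check_identity_source(LAB_RISKY)` yields four findings (clear-text URL, missing port, a user Base DN outside the domain, and a privileged bind account); `LAB_OK` yields none. The checks are deliberately conservative: the form accepts all of these values, and only the SSO login behaviour afterwards tells you they were wrong.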

  • Erik Bussink

    Hiya Gabie,
    I also ran into loads of 29155 Error Identifying source authority.
    I followed the KB article and I also compared the settings with another working SSO.
    The Base DN does not need to go down to CN=Users,DC=domain,DC=com; just DC=domain,DC=com should work.

  • http://www.GabesVirtualWorld.com Gabrie van Zanten

    Great addition, thank you!

  • Nizam Mohamed

    Excellent post! Thanks for the info.

  • tom miller

    Have any luck joining a separate vCenter to a multisite SSO config? Trying to for an SRM build but failing on login to SSO.

  • toto

    “. Before installing the vCenter Server component it is advised to manually add Active Directory authentication to SSO.

    Take the following steps:
    Log in to the vSphere Web Client:”

    Can you tell me how you log in to vCenter with the vSphere Web Client without installing vCenter? o_O

  • http://www.GabesVirtualWorld.com Gabrie van Zanten

    The name is vSphere Web Client and not vCenter Web Client. You are no longer directly logging into vCenter, but into the SSO Server. The SSO server will authenticate you and offer components you can go to. One of them is the vCenter Server.

  • totot

    OK, so install the vSphere Web Client server first, then do the steps you describe in the article, and then install vCenter Server, right?

  • http://www.GabesVirtualWorld.com Gabrie van Zanten

    Yes. Do keep in mind that my post is not needed when your vCenter-to-be server is already a member of the AD. Then just follow the manual.

  • toto

    Oh, OK, because my future vCenter server is already in the domain but I got the error.
    I’ll follow your tutorial and see what authentication sources are already present then.

  • toto

    OK, finally I HAD to add the AD source because it was not present, whereas the server was in AD. So I guess anyone who gets this error should follow your guide.
    Also, using domain\username as the username didn’t work for me, but username@domain did.

  • Carlos Chacon

    So if I don’t do this SSO thing, my AD users won’t be able to log in?

  • http://www.GabesVirtualWorld.com Gabrie van Zanten

    Without SSO you can’t access vCenter at all.

  • aa

    It worked like a charm. Thanks a lot buddy!

  • lisha

    Thank you so much for posting this. I have been struggling with this for a couple of days. This really solved my problem.

  • Sam

    I have a separate service account created for the vCenter installation and I’m using that account throughout, but using the same account for password authentication gives me an error: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece]. Per the FAQ on VMware it says the account should have read-only rights to the Base DN; I tried providing read-only rights even to the root of my AD but it still fails.
    When I try to perform the test authentication with Domain Admin rights it does work, though I cannot use that for this purpose. Does anyone know what exact rights are required for the username in AD so that the test authentication succeeds?

  • http://www.GabesVirtualWorld.com Gabrie van Zanten

    Actually, I thought all accounts by default are able to enumerate users from AD by querying the AD. The only limit would be 1000 records per query, but that also goes for the admin account which you said does work. Can you check the security log on the domain controller to see why it is blocking the user from performing the query?

  • http://www.GabesVirtualWorld.com Gabrie van Zanten

    Another thing I just thought of: do you have admin access to the AD to create a new user account with ‘default’ permissions and see if that works? I would suspect that the original account you’re trying has its permissions blocked on purpose.
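The bind failure quoted in the exchange above is an LDAP resultCode 49 (invalidCredentials) whose diagnostic message carries an Active Directory sub-code: data 52e is the code for a wrong password or a bind name the domain controller could not resolve, not for missing read rights on the Base DN (a rights problem shows up as an empty or partial search after a successful bind, not as a bind failure). That is why the username@domain form other commenters report is worth trying first. The following Python is an added example, not code from the post or from VMware: it hand-encodes an LDAPv3 simple bind request, decodes the server’s BindResponse, and maps the AD sub-code to a reason. The sample response is constructed locally with the same encoder from the diagnostic string in the comment; the `simple_bind` helper that talks to a live domain controller is hypothetical and is not exercised offline. The request bytes also show why the identity source URLs should be ldaps://: a simple bind carries the password as plain octets.

```python
"""LDAPv3 simple bind, hand-encoded: build the request, decode the BindResponse,
and translate the Active Directory sub-code in a failed bind's diagnostic."""
import re
import socket
import ssl

# AD sub-codes found in the "... data XXX, v..." part of a resultCode 49 diagnostic.
# They are Win32 logon error codes in hex (52e == 1326, ERROR_LOGON_FAILURE).
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (bad password, or a bind name the DC could not resolve)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must change password at next logon",
    "775": "account locked out",
}

def ber_len(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def ber(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload

def ber_int(value, tag=0x02):
    """Minimal two's-complement INTEGER (or ENUMERATED when tag=0x0A)."""
    size = max(1, (value.bit_length() + 8) // 8)
    return ber(tag, value.to_bytes(size, "big", signed=True))

def bind_request(message_id, bind_name, password):
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] } }.
    The 'simple' authentication choice is the password as plain octets."""
    body = ber_int(3) + ber(0x04, bind_name.encode()) + ber(0x80, password.encode())
    return ber(0x30, ber_int(message_id) + ber(0x60, body))

def bind_response(message_id, result_code, diagnostic):
    """Server-side encoder, used here only to construct sample responses."""
    body = ber_int(result_code, tag=0x0A) + ber(0x04, b"") + ber(0x04, diagnostic.encode())
    return ber(0x30, ber_int(message_id) + ber(0x61, body))

def read_tlv(buf, pos=0):
    """Return (tag, value_bytes, next_pos) for the BER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def explain_ad_diagnostic(result_code, diagnostic):
    if result_code == 0:
        return "bind succeeded"
    m = re.search(r"data ([0-9a-fA-F]+)", diagnostic)
    if result_code == 49 and m:
        return AD_BIND_SUBCODES.get(m.group(1).lower(), f"unknown AD sub-code {m.group(1)}")
    return f"LDAP resultCode {result_code}"

def parse_bind_response(data):
    """Decode LDAPMessage { messageID, BindResponse [APPLICATION 1] { resultCode, matchedDN, diagnosticMessage } }."""
    _, msg, _ = read_tlv(data)
    _, mid, p = read_tlv(msg)
    tag, resp, _ = read_tlv(msg, p)
    if tag != 0x61:
        raise ValueError(f"expected BindResponse (tag 0x61), got 0x{tag:02x}")
    _, rc, p = read_tlv(resp)
    _, _matched_dn, p = read_tlv(resp, p)
    _, diag, _ = read_tlv(resp, p)
    result = {"message_id": int.from_bytes(mid, "big", signed=True),
              "result_code": int.from_bytes(rc, "big", signed=True),
              "diagnostic": diag.decode(errors="replace")}
    result["reason"] = explain_ad_diagnostic(result["result_code"], result["diagnostic"])
    return result

def simple_bind(host, port, bind_name, password, use_tls=True, timeout=5):
    """Hypothetical helper: one bind against a live DC (not exercised offline).
    use_tls=False reproduces what an ldap:// identity source puts on the wire."""
    raw = socket.create_connection((host, port), timeout=timeout)
    sock = ssl.create_default_context().wrap_socket(raw, server_hostname=host) if use_tls else raw
    with sock:
        sock.sendall(bind_request(1, bind_name, password))
        data = sock.recv(4096)
        _, _, need = read_tlv(data)         # outer header tells us the full message length
        while len(data) < need:
            more = sock.recv(4096)
            if not more:
                break
            data += more
    return parse_bind_response(data)

# Constructed sample: the diagnostic text from the comment, wrapped in a BindResponse.
SAMPLE_FAILURE = bind_response(
    1, 49, "80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece")
```

`parse_bind_response(SAMPLE_FAILURE)["reason"]` returns the 52e explanation, and `b"s3cret" in bind_request(1, "svc-sso-ldap@vanzanten.local", "s3cret")` is True, which is the whole argument for LDAPS on the identity source.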

  • SteveM

    Hello, great article, thanks. My AD is discovered and ‘Test Connection’ returns successfully. But no AD accounts are populating in the ‘Users’ section under SSO users and groups. Strangely though... disabled AD accounts are populating in the ‘Disabled Users’ section. I try changing the base DN to a different OU etc. and no change (just the disabled accounts from that OU populate). Any ideas?

  • http://www.GabesVirtualWorld.com Gabrie van Zanten

    Hi
    Users are not automatically populated. You have to search for a user or group and then add them. So SSO will not show a copy of the complete AD user list.

    Gabrie

  • JimG

    Hi Gabrie,

    I’m having trouble with losing all of my domain permissions on the database upgrade even when adding in the AD manually before the upgrade.

    It tests fine and I see users in the disabled area.

    Any way to keep the current permissions I had set before the upgrade?

    Thanks,
    Jim

  • http://www.GabesVirtualWorld.com Gabrie van Zanten

    Not sure if I understand what you’re saying. Do you mean permissions you granted to users in vCenter 4 are lost when upgrading to vCenter 5? Never tested that to be honest.

  • Marcel

    Thanks! I no longer knew what to do, and then I came across your post. Great!

  • Amit Kumar Agarwal

    Thanks a lot man... it really worked!

  • shaiboo

    Thanks a lot mate.

  • MajaK

    Thank you so much.

  • SPT

    Great post. Worked for me also when the username was specified in username@domain format.

  • power_engine

    Thank you very much.

  • Ondrej Balaz

    Thank you for this great post.

  • Angela Andrews

    You mentioned this:

    “Still under investigation: In my test it seems that entering
    different values for Group and User Base DN is not working correctly.
    Either an interface error or a bug, but when using two different values,
    after saving and then editing again, both values are identical.”

    That is my issue as well. The problem is, the users that need to log into the web client are NOT in the users OU, so they can’t log in. Of course, any user I add to the _admin_ group can log in without issue (as they are in the users OU). Did you ever figure this problem out?

  • http://www.GabesVirtualWorld.com Gabrie van Zanten

    Hi Angela, Haven’t discovered why this happens. I think you need to make a support call with VMware for this.

  • so turdy

    LERN ENGRISH, U FOKEN FAGHOST!!!!!!

  • http://twitter.com/paquitoh Ju’ Paquito

    Hi,

    First, thanks for your post.

    I still have some questions on LDAP/VMware configuration.

    My problem is, I don’t want to select user by user in the permission tab in SSO.

    I have an LDAP organisation like “ou=VMWARE,ou=UserGroups,ou=Groups,dc=prd,dc=mut,dc=com”.

    In the VMWARE “ou” I’ve got 2 groups, “system” and “network”.

    I’ve got another system to populate these groups in the AD and I would like to associate the LDAP groups (where my user account is) with VMware groups/roles.

    But SSO cannot recognise my user who is in this group, so I cannot connect to my vCenter instance.

    Do you have an idea ?

    Thanks ! :)

  • http://www.GabesVirtualWorld.com Gabrie van Zanten

    Send me an e-mail and I’ll help you figure this out for your environment. (Sorry for the late response)

  • félix

    Hello,
    Thanks for your contribution,
    it was a great help to me.

    Regards

  • Ami

    A very clear explanation and screen shots, bravo and thanks a lot.
    Ami

  • MikeR

    Clear and concise. Awesome instructions!

  • erok

    Worked like a champ. Thanks!!!!!!!!

  • Nash

    Exactly what I was looking for…thanks for the explanation/screenshots!!

  • nemo

    Yesssss!!!! Got it!!!!!!!!!!! Exactly what I was looking for... special thanks!!!!!!

  • Flesz

    Thanks, worked great

  • Rana

    Thank youuuuuuu great post:)
    Many thanks:)