VMware: vCenter 5.5 SSO one-way Trusts between Domains/Forests Bug
There is a bug in vCenter 5.5 in how SSO handles Active Directory group membership that we ran into, and it is a real hassle for big environments with several domains that only have one-way trusts between them.

I will use a simplified example so that you can map it onto a real environment.

Example:
You have a global domain xpto.com and several subdomains (say, one per continent, plus country subdomains): emea.xpto.com, epac.xpto.com, etc. Most of these domains and forests are connected only by one-way trusts. In our case there was a one-way trust from our internal domain (country.xpto.com) to the global domain (xpto.com).

All your users are in the global domain. For vCenter permissions you use groups from your internal subdomain (country.xpto.com) and add to them users from the global domain (xpto.com), and possibly from the other domains such as emea.xpto.com and epac.xpto.com.

AD configuration for the vCenter permissions:

AD group vCenter Admin (admins from your internal domain, but also from the global domain)
AD group Sales Rep (users from the internal domain, but also from emea.xpto.com and epac.xpto.com)

These groups have rights in the vSphere Client and also in the vSphere Web Client.

Here is the problem: using groups from the local domain and adding users from the global domain (or from any other one-way-trusted domain) to them.

Users from other domains who are members of groups from the internal domain will not be able to connect with the vSphere Client (no permissions). They can log in to the vSphere Web Client, but they will not see any vCenter.

Solution/Workaround? Add the users directly (from any domain) instead of through groups, and they can log in with the proper permissions.
If you add the users directly to the vCenter objects (clusters, resource pools, folders, etc.), they can log in.

In our case this was a big, big problem: we have hundreds of users from different projects and different parts of the world logging in to the vCenters, and we needed to add them one by one to clusters, pools, folders, etc.
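To avoid doing that by hand, the workaround can be scripted. The PowerCLI script below is an added example and is not from the original post: it reads the members of an internal-domain AD group, resolves the members that come from trusted domains (Active Directory stores those as foreign security principals, i.e. only their SID), and grants each resolved account a direct permission on the chosen vCenter objects, skipping accounts that already have one. The vCenter name, group DNs, role names and entity names are assumptions; replace them with your own.

```powershell
# Added example (not from the original post): expand an internal-domain AD group,
# including members from one-way-trusted domains, and grant every user a direct
# vCenter permission with PowerCLI. All names below are assumptions.
#Requires -Modules VMware.VimAutomation.Core, ActiveDirectory

$vCenter = 'vcenter.country.xpto.com'   # assumed vCenter FQDN

# Group in the internal domain -> vCenter role -> entities it applies to (assumed names)
$Assignments = @(
    @{ Group = 'CN=vCenter Admin,OU=Groups,DC=country,DC=xpto,DC=com'; Role = 'Admin';    Entities = @('Cluster-01') },
    @{ Group = 'CN=Sales Rep,OU=Groups,DC=country,DC=xpto,DC=com';     Role = 'ReadOnly'; Entities = @('Cluster-01') }
)

function Resolve-GroupMemberAccount {
    param([string]$GroupDN)
    # Read the member attribute directly: Get-ADGroupMember is unreliable on groups
    # that hold foreign security principals (members from other domains).
    $members = (Get-ADGroup -Identity $GroupDN -Properties member).member
    foreach ($dn in $members) {
        if ($dn -match '^CN=(S-1-5-[0-9-]+),CN=ForeignSecurityPrincipals,') {
            # Member from a trusted domain: AD keeps only its SID; resolve it over the trust
            $sid = New-Object System.Security.Principal.SecurityIdentifier($Matches[1])
        } else {
            $obj = Get-ADObject -Identity $dn -Properties objectSid, objectClass
            if ($obj.objectClass -eq 'group') { Resolve-GroupMemberAccount -GroupDN $dn; continue }  # nested group
            if ($obj.objectClass -ne 'user')  { continue }   # computers, contacts, etc.
            $sid = $obj.objectSid
        }
        try {
            # DOMAIN\user is the form vCenter's AD identity source expects as a principal
            $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            Write-Warning "Cannot resolve $dn ($($_.Exception.Message)); skipping"
        }
    }
}

function Grant-DirectPermission {
    param([string]$Account, [string]$EntityName, [string]$RoleName)
    # Get-Inventory finds clusters, resource pools and folders alike; assumes unique names
    $entity   = Get-Inventory -Name $EntityName
    $existing = Get-VIPermission -Entity $entity -Principal $Account -ErrorAction SilentlyContinue
    if ($existing) {
        Write-Verbose "$Account already has role '$($existing.Role)' on $EntityName; leaving it alone"
        return
    }
    $role = Get-VIRole -Name $RoleName
    New-VIPermission -Entity $entity -Principal $Account -Role $role -Propagate:$true | Out-Null
    Write-Host "Granted $RoleName to $Account on $EntityName"
}

Connect-VIServer -Server $vCenter | Out-Null
foreach ($a in $Assignments) {
    $accounts = Resolve-GroupMemberAccount -GroupDN $a.Group | Sort-Object -Unique
    foreach ($acct in $accounts) {
        foreach ($e in $a.Entities) {
            Grant-DirectPermission -Account $acct -EntityName $e -RoleName $a.Role
        }
    }
}
Disconnect-VIServer -Server $vCenter -Confirm:$false
```

Run it from a host joined to the internal domain, where SID-to-name translation over the one-way trust works. Two things to keep in mind: direct permissions do not follow group membership, so the script has to be re-run (for example from a scheduled task) whenever the groups change, and it only adds permissions; users removed from a group keep their direct permission until you revoke it with Remove-VIPermission. Spot-check the result with Get-VIPermission -Entity (Get-Cluster 'Cluster-01') before handing it over.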

This is not a proper way to manage permissions with groups and users, but it was the only option short of rolling back to 5.0.

After we contacted VMware support, they recognized the bug (after a lot of tests, emails and remote sessions) and promised that it will be fixed in a future release (maybe vCenter 5.5 Update 2).

Check the VMware KB regarding AD trusts, KB 2064250, and note VMware's statement there: "VMware is aware of both of these limitations with vSphere 5.5 and is working towards resolving them."

Hope this information can help you.


Published May 6th, 2014 | Last updated 2017-12-30 | Virtualization

About the Author:

I have over 20 years' experience in the IT industry, working with virtualization for more than 10 years (mainly VMware). I am an MCP, VCP6.5-DCV, VMware vSAN Specialist, Veeam Vanguard 2018/2019, vExpert vSAN 2018/2019 and vExpert for the last 4 years. My specialties are virtualization, storage and virtual backups. I work for Elits, a Swedish consulting company, and am allocated to a Swedish multinational networking and telecommunications company as a Tech Lead, acting as a Senior ICT Infrastructure Engineer. I am a blogger and the owner of the blog ProVirtualzone.com