Tuesday, May 6, 2014

vCenter 5.5 SSO one-way Trusts between Domains/Forests Bug

There is a bug in vCenter 5.5 in how SSO handles Active Directory that we ran into, and it is a hassle for big environments with several domains that only have one-way trusts between them.

I will try to use simple examples so that you can map them onto more real environments.

Example:
You have a global domain xpto.com and several subdomains (say, one per continent and also country subdomains): emea.xpto.com, epac.xpto.com, etc. Most of these domains and forests are connected only by one-way trusts. In our case there was a one-way trust from our internal domain (country.xpto.com) to the global domain (xpto.com).

All your users are from the global domain. For the vCenter permissions you use groups from your internal subdomain (country.xpto.com) and add to them users from the global domain (xpto.com), and maybe also from the other global subdomains, emea.xpto.com and epac.xpto.com.

AD configuration for the vCenter permissions:

AD Group vCenter Admin (admins from your internal domain, but also from the global domain)
AD Group Sales Rep (users from the internal domain, but also from emea.xpto.com and epac.xpto.com)

Those groups have rights in the vSphere Client, but also in the vSphere Web Client.

Here is the problem: using groups from the local domain and adding global users (or users from any other one-way-trusted subdomain) to them.

Users from other domains that are members of groups from the internal domain will not be able to connect with the vSphere Client (no permissions). They will be able to connect to the vSphere Web Client, but will not see any vCenter.

Solution/Workaround?? Just use users directly (from any domain); then they can log in and have the proper permissions.
If you add the users directly to the vCenter objects (Clusters, Pools, Folders, etc.), the users can log in.

In our case this was a big, big problem: we have hundreds of users that log in to the vCenters from different projects and different parts of the world, and we had to add them one by one to Clusters, Pools, Folders, etc.
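One way to take the manual work out of that workaround, as an added PowerCLI example that is not from the original post: for every explicit permission a local AD group holds in vCenter, grant the same role on the same object directly to each member of that group. The group-to-member mapping and the vCenter hostname are constructed placeholders; the mapping is supplied explicitly rather than read from AD because members from a one-way-trusted forest show up as foreign security principals that Get-ADGroupMember does not always resolve.

```powershell
# Added example: mirror group permissions to direct per-user permissions on the
# same inventory objects. Assumes VMware PowerCLI is loaded and that the account
# running it already has Administrator rights on the vCenter.

# Constructed sample mapping: local-domain group -> users from trusted domains.
$GroupMembers = @{
    'COUNTRY\vCenter Admin' = @('XPTO\alice', 'COUNTRY\bob')
    'COUNTRY\Sales Rep'     = @('EMEA\carol', 'EPAC\dave')
}

# Placeholder vCenter hostname; replace with the real one.
Connect-VIServer -Server 'vcenter.country.xpto.com' | Out-Null

# All explicit permissions in the inventory, fetched once.
$allPerms = Get-VIPermission

foreach ($group in $GroupMembers.Keys) {
    # Every object (Cluster, Pool, Folder, ...) where this group has a permission.
    $groupPerms = $allPerms | Where-Object { $_.Principal -eq $group }
    if (-not $groupPerms) {
        Write-Warning "Group $group holds no explicit permissions, skipping"
        continue
    }
    foreach ($perm in $groupPerms) {
        $role = Get-VIRole -Name $perm.Role
        foreach ($user in $GroupMembers[$group]) {
            # Idempotent: do not duplicate a direct permission that already exists.
            $existing = Get-VIPermission -Entity $perm.Entity -Principal $user -ErrorAction SilentlyContinue
            if ($existing) { continue }
            New-VIPermission -Entity $perm.Entity -Principal $user `
                             -Role $role -Propagate:$perm.Propagate | Out-Null
            Write-Host ("Granted {0} to {1} on {2}" -f $perm.Role, $user, $perm.Entity.Name)
        }
    }
}
```

Once the fix ships and group membership works again, the direct permissions created here can be found and removed with Get-VIPermission / Remove-VIPermission filtered on the same principals.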

This is not a proper way to manage permissions with Groups/Users, but it was the only way, short of rolling back to 5.0.

After we contacted VMware support, they recognized the bug (after a lot of tests, emails and remote sessions) and promised that it will be fixed in a future release (maybe vCenter 5.5 Update 2).

Check the VMware KB regarding AD trusts, http://kb.vmware.com/kb/2064250, and note VMware's own statement there: "VMware is aware of both of these limitations with vSphere 5.5 and is working towards resolving them."
