Unable to list users for the selected domain and/or authenticate from Active Directory users into vSphere SSO domain after adding identity source
Article ID: 301133
Products
VMware vCenter Server
Issue/Introduction
Some customers' environments have complex DNS configurations; in some cases, forward and reverse DNS are not controlled by the same DNS infrastructure. In these rare cases, two situations can arise that prevent VCSA 6.0 and later versions from successfully using Active Directory resources with the Integrated Windows Authentication (IWA) identity source:
1. Forward and reverse DNS lookups do not match.
2. The reverse DNS response is not authoritative.
This article provides a solution that allows the VCSA to add IWA Active Directory users to the SSO domain.
Symptoms:
After adding the identity source, you are unable to list users for the selected domain and/or unable to authenticate Active Directory users into the vSphere SSO domain.
Resolution
To resolve this issue:
1. Log in to the Platform Services Controller Appliance as root and activate the bash shell.
2. Edit the /etc/krb5.conf file.
3. Add an "rdns = false" entry to the [libdefaults] section. With this setting, the Kerberos library canonicalizes the domain controller's hostname using forward lookups only, so authentication no longer depends on a matching, authoritative reverse DNS record.
[libdefaults]
    rdns = false
Note: Keep the indentation shown above; the rdns entry must be indented beneath the [libdefaults] header.
4. Restart the Likewise service or restart the appliance.
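As an added example that is not part of this article or of VMware's tooling, the following Python script applies and verifies the same krb5.conf change on the file contents; the sample configuration, realm name and KDC hostname are constructed, and an MIT-style INI-like krb5.conf layout is assumed.

```python
"""Added example, not VMware's tooling: set and verify `rdns = false` in the
[libdefaults] section of an MIT-style krb5.conf (INI-like layout assumed)."""
import re

SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")
RDNS_RE = re.compile(r"^\s*rdns\s*=\s*(\S+)\s*$", re.IGNORECASE)

# Constructed sample: an appliance krb5.conf with rdns left at its default
SAMPLE = """[libdefaults]
    default_realm = EXAMPLE.LOCAL
[realms]
    EXAMPLE.LOCAL = {
        kdc = dc01.example.local
    }
"""

def rdns_disabled(text: str) -> bool:
    """True only if [libdefaults] sets rdns and every such line is 'false'."""
    section, values = None, []
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).strip().lower()
            continue
        r = RDNS_RE.match(line)
        if r and section == "libdefaults":
            values.append(r.group(1).lower())
    return bool(values) and all(v == "false" for v in values)

def set_rdns_false(text: str, indent: str = "    ") -> str:
    """Return text with `rdns = false` under [libdefaults]; safe to re-run."""
    out, section, patched = [], None, False
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).strip().lower()
            out.append(line)
            if section == "libdefaults" and not patched:
                out.append(f"{indent}rdns = false")  # indented like other keys
                patched = True
            continue
        if section == "libdefaults" and RDNS_RE.match(line):
            continue  # drop any pre-existing rdns line so ours is the only one
        out.append(line)
    if not patched:  # file had no [libdefaults] section: append one
        out += ["", "[libdefaults]", f"{indent}rdns = false"]
    return "\n".join(out) + "\n"
```

To apply it to the appliance, read /etc/krb5.conf, write back set_rdns_false() of its contents after taking a backup, and confirm with rdns_disabled() before restarting the service.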
Additional Information
Impact/Risks:
At the time of publication of this document, MIT Kerberos has no documented risks associated with disabling reverse DNS lookups. Kerberos is, by design, a very secure authentication protocol, and disabling reverse lookup will not compromise security.