Assigning permissions to any Active Directory user with administrator credentials on vCenter Server fails

Article ID: 314183

Products

VMware vCenter Server

Issue/Introduction

Symptoms:
  • Adding permissions for an Active Directory user with administrator credentials at the datacenter or cluster level in vCenter Server fails
  • You see the error:

    A general system error occurred error accessing directory authorize exception
     
  • The vpxd logs contain the entries:

    info 'Libs'] [ADS] Failed to lookup account Domain\username (err: 1789, [16, 256])
    error 'Default'] [ACL] Adding unresolved permission for user "Domain\username"
    info 'Libs'] [ADS] Failed to lookup account Domain\username (err: 1789, [16, 256])
    warning 'Default'] Warning, existence of user "Domain\username" unknown, permission may not be effective until it is resolved.
    error 'Default'] The user account "Domain\username" could not be successfully resolved. Check network connectivity to domain controllers and domain membership. Users may not be able to log in until connectivity is restored.

     
  • Trying different user accounts fails with the same error
  • Removing the vCenter Server machine from the Active Directory domain and re-joining it does not resolve the issue
  • Telnet from the vCenter Server machine to the domain controllers on ports 389 and 636 succeeds
  • Creating a new Active Directory user and adding it to vCenter Server fails with the same error
  • There are no permission problems at the Active Directory level


Environment

VMware vCenter Server 4.0.x
VMware vCenter Server 4.1.x
VMware vCenter Server 5.0.x
VMware vCenter Server 5.1.x

Cause

This issue occurs when vCenter Server cannot reach a domain controller, or when the domain controllers are not replicating consistently with each other, so that the account lookup cannot be completed. Win32 error 1789, reported in the vpxd log entries above, is ERROR_TRUSTED_RELATIONSHIP_FAILURE: Windows could not complete the lookup over a trusted secure channel to the domain.

Resolution

To troubleshoot this issue:
  • Check that the vCenter Server machine has a valid computer account in the domain and that its secure channel to a domain controller is intact (error 1789 in the vpxd log indicates that this trust could not be established).
  • Check the System logs of the domain controllers for errors related to network connectivity or replication (File Replication Service).

    If you identify issues with FRS replication, perform a non-authoritative restore on one of the member FRS replica sets that has issues. For more information, see the Microsoft knowledge base article 290762.
    Note: The preceding link was correct as of January 24, 2012. If you find the link is broken, provide feedback and a VMware employee will update the link.

Caution: Perform troubleshooting tasks on Active Directory domain controllers only with the assistance of Microsoft or your Windows administrator.

After the domain controller issues are resolved, Active Directory users can again be added to vCenter Server and assigned permissions.

To work around this issue, grant the permission through a local Windows group instead of directly to the Active Directory users:
  1. Create a local Windows group on the vCenter Server machine.
  2. Add the required Active Directory users to this group.
  3. In the vSphere Client, go to the Permissions tab of the datacenter or cluster.
  4. Right-click in the empty space of the tab.
  5. Select Add Permissions.
  6. Click Add under Users and Groups.
  7. In the Domain drop-down, select the vCenter Server machine (listed as (server)), select the group created in step 1, and assign the required role.
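The checks listed under troubleshooting (domain membership, secure channel, reachability of the domain controllers, account lookup) and steps 1 and 2 of the workaround can be run from an elevated PowerShell prompt on the vCenter Server machine. The script below is an added example and is not part of the original VMware article: the account name DOMAIN\username and the group name vCenter-Admins are placeholders, and the port list extends the article's telnet test on 389/636 to the other ports an Active Directory account lookup normally depends on.

```powershell
# Added example (not from the VMware KB article). Run from an elevated
# PowerShell 2.0 or later prompt on the vCenter Server machine.
# Assumptions: $DomainUser is the account that failed to resolve and
# $LocalGroup is the local group used for the workaround; both are placeholders.
param(
    [string]$DomainUser = 'DOMAIN\username',
    [string]$LocalGroup = 'vCenter-Admins'
)

# 1. Domain membership and the machine's secure channel to the domain.
#    vpxd's "err: 1789" is ERROR_TRUSTED_RELATIONSHIP_FAILURE: the lookup
#    failed because no trusted secure channel to a domain controller was usable.
$cs = Get-WmiObject -Class Win32_ComputerSystem
"Computer {0}, domain {1}, joined: {2}" -f $cs.Name, $cs.Domain, $cs.PartOfDomain
if (-not $cs.PartOfDomain) { throw "This machine is not joined to a domain." }

if (Test-ComputerSecureChannel) {
    "Secure channel to $($cs.Domain): OK"
} else {
    # -Repair resets the computer account password with a DC; needs domain rights.
    "Secure channel to $($cs.Domain): BROKEN (consider: Test-ComputerSecureChannel -Repair -Credential (Get-Credential))"
}

# 2. Which domain controller Netlogon is using, and its view of the secure channel.
& nltest.exe "/dsgetdc:$($cs.Domain)"
& nltest.exe "/sc_query:$($cs.Domain)"

# 3. TCP reachability from this host to every DC in the domain. Telnet to
#    389/636 alone is not conclusive: Kerberos (88), RPC endpoint mapper (135),
#    SMB (445) and the global catalog (3268/3269) are also used during lookups.
$ports  = 88, 135, 389, 445, 636, 3268, 3269
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()
foreach ($dc in $domain.DomainControllers) {
    foreach ($port in $ports) {
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $async = $client.BeginConnect($dc.Name, $port, $null, $null)
            $open  = $async.AsyncWaitHandle.WaitOne(2000, $false) -and $client.Connected
        } catch {
            $open = $false
        } finally {
            $client.Close()
        }
        "{0,-40} {1,5}  {2}" -f $dc.Name, $port, $(if ($open) { 'open' } else { 'CLOSED or timeout' })
    }
}
# Replication health (repadmin /replsummary, repadmin /showrepl /errorsonly) is
# checked on a domain controller; per the caution above, do that with your
# Windows administrator rather than from this host.

# 4. Translate the account name to a SID. This is the Windows name-to-SID lookup
#    that vCenter Server relies on; a failure here reproduces "Failed to lookup account".
try {
    $account = New-Object System.Security.Principal.NTAccount($DomainUser)
    $sid     = $account.Translate([System.Security.Principal.SecurityIdentifier])
    "$DomainUser resolves to $($sid.Value)"
} catch {
    "$DomainUser did NOT resolve: $($_.Exception.Message)"
}

# 5. Workaround, steps 1 and 2: a local group that holds the domain users.
#    "net localgroup ... /add" reports an error if the group already exists.
#    Adding a domain user to a local group also needs a name-to-SID lookup; if
#    that fails with a trust error, the secure channel itself is the problem.
& net.exe localgroup $LocalGroup /add
& net.exe localgroup $LocalGroup $DomainUser /add
& net.exe localgroup $LocalGroup
```

Run the script once before and once after the domain controller issues are addressed; step 4 should change from a translation failure to a SID, and every domain controller should show the listed ports open in step 3. Grant the vCenter role to the local group from step 5 as described in steps 3 to 7 of the workaround.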