Adding an Active Directory User to vCenter Server Single Sign On Fails

Article ID: 324305

Products

VMware vCenter Server

Issue/Introduction

  • When attempting to add a domain user to the Administrators group in the vSphere Client under Administration > Single Sign-On > Users and Groups > Groups, the operation fails with the following error:

"Unexpected error encountered while performing your action."

  • The Active Directory user does not appear as a member of the Administrators group.

Environment

VMware vCenter Server 8.0.x
VMware vCenter Server 7.0.x

Cause

Orphaned member entries for the Active Directory user's SID remain in the Administrators group. These appear to result from switching the Identity Source from Integrated Windows Authentication (IWA) to LDAP(S) and then back to IWA.

The orphaned entries are not visible in the vSphere Client UI, and attempts to remove them with the dir-cli group modify command are unsuccessful.


Resolution

Note: Ensure there is a valid backup or offline snapshot of the VCSA before implementing the workaround. Refer to VMware vCenter in Enhanced Linked Mode pre-changes snapshot (online or offline) best practice.

  • Log in to the vCenter Server Appliance via SSH.
  • List the members of the Administrators group using the following command (you are prompted for the administrator@vsphere.local password):
 /usr/lib/vmware-vmafd/bin/dir-cli group list --name administrators
 
Expected output:
Enter password for administrator@vsphere.local:
cn=Administrator,cn=Users,dc=vsphere,dc=local
externalObjectId=S-1-5-21-########-##########-#########-xxxx
  • Make a note of the orphaned SID(s) associated with the user that needs to be removed. Entries of this form are Active Directory principals referenced by SID rather than by a vsphere.local DN.
              Eg: externalObjectId=S-1-5-21-########-##########-#########-xxxx
 
  • Confirm that this is the correct orphaned SID to remove by running the following PowerShell command on a domain-joined Windows host. The match is on the RID (the last component of the SID, shown as xxxx), so check that the returned Name is the Active Directory user in question:
PS C:\Users\Administrator> Get-ADUser -Filter * | Select-Object -Property SID,Name | Where-Object -Property SID -like "*-xxxx"

SID                                         Name
---                                         ----
S-1-5-21-########-##########-#########-xxxx ADUser
  • Run the following command to remove the orphaned user SID from the Administrators group. ldapmodify prompts for the administrator@vsphere.local password because of the -W option.

    Note: Paste the entire ldapmodify command, up to and including the closing EOF, into the CLI. Make sure the orphaned user SID is the one validated in the previous step; the delete only affects the single member value given.
ldapmodify -h localhost -D "cn=administrator,cn=users,dc=vsphere,dc=local" -W << EOF
dn: cn=Administrators,cn=Builtin,dc=vsphere,dc=local
changetype: modify
delete: member
member: externalObjectId=S-1-5-21-########-##########-#########-xxxx
EOF
 
  • Verify that the orphaned user SID is no longer a member:

 /usr/lib/vmware-vmafd/bin/dir-cli group list --name administrators

  • Re-add the Active Directory user to the Administrators group using the vSphere Client.
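The steps above, worked through as an added example that is not part of this article or of VMware's tooling: a small POSIX shell script that parses the output of dir-cli group list, keeps only the externalObjectId members, selects the one whose RID matches the value confirmed with Get-ADUser, and prints the LDIF that the ldapmodify heredoc above sends. The sample dir-cli output and its SIDs are constructed so the script runs offline; on a real VCSA you would substitute the live command output and pipe the printed LDIF into ldapmodify. The function names (list_external_members, sids_with_rid, delete_member_ldif, ldif_for_rid) are this example's own.

```shell
#!/bin/sh
# Added example, not from the KB article: turn the output of
#   /usr/lib/vmware-vmafd/bin/dir-cli group list --name administrators
# into the LDIF that removes one orphaned externalObjectId member.

NL='
'

# Constructed sample of dir-cli output. The SIDs are invented; the RID
# (last component) is what the PowerShell Get-ADUser check matches on.
SAMPLE_OUTPUT='Enter password for administrator@vsphere.local:
cn=Administrator,cn=Users,dc=vsphere,dc=local
externalObjectId=S-1-5-21-1111111111-2222222222-333333333-1105
externalObjectId=S-1-5-21-1111111111-2222222222-333333333-1106'

# Print only the SIDs of members stored as externalObjectId, i.e. Active
# Directory principals referenced by SID rather than by a vsphere.local DN.
list_external_members() {
    sed -n 's/^externalObjectId=\(S-1-5-[0-9-]*\)$/\1/p'
}

# Keep only the SIDs whose RID equals $1 (the RID confirmed in AD).
sids_with_rid() {
    sed -n "/-$1\$/p"
}

# Emit the LDIF ldapmodify expects for deleting a single member value.
# $1 = group DN, $2 = SID
delete_member_ldif() {
    printf 'dn: %s\nchangetype: modify\ndelete: member\nmember: externalObjectId=%s\n' "$1" "$2"
}

# Resolve a validated RID to exactly one orphaned member and print the LDIF.
# Returns non-zero when the RID matches zero or several entries, so a wrong
# or ambiguous RID never produces a modify request.
ldif_for_rid() {
    rid="$1"
    group_dn='cn=Administrators,cn=Builtin,dc=vsphere,dc=local'
    matches=$(printf '%s\n' "$SAMPLE_OUTPUT" | list_external_members | sids_with_rid "$rid")
    case "$matches" in
        "")      echo "no externalObjectId member with RID $rid" >&2; return 1 ;;
        *"$NL"*) echo "RID $rid matches more than one member, refusing" >&2; return 1 ;;
    esac
    delete_member_ldif "$group_dn" "$matches"
}

# Example run. The printed LDIF is what the article's heredoc passes to
#   ldapmodify -h localhost -D "cn=administrator,cn=users,dc=vsphere,dc=local" -W
ldif_for_rid 1105
```

The refusal on zero or multiple matches is deliberate: the RID alone is what the Get-ADUser check confirms, and a modify request for the wrong member would silently strip a legitimate administrator rather than the orphaned entry.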

Additional Information

The dir-cli group modify command adds a user or group to an existing group; it does not remove the orphaned externalObjectId entries described above, which is why ldapmodify against the group DN is used instead.