If permissions in vCenter are granted to individual users, make sure that the UPN and sAMAccountName match in Active Directory for each user experiencing this issue.
If permissions in vCenter are granted to Active Directory groups, use the procedure below to check the case of the domain for those groups.
- Go to Active Directory Users and Computers.
- Click on Users or the folder that contains the user account.
- Right click on the affected user account and click Properties.
- Click the Member Of tab.
- Locate the Active Directory group that was used when adding permissions in vCenter.
- Make a note of the case in the domain portion.
For example, it would be something like
VMWARE.COM or
VMWARE.com
- Log in to the vSphere Web Client using a Single Sign-On administrator account.
- Under Menu, select Administration > Configuration > Identity Sources.
- Select the identity source and click Edit.
- Review the domain portion of Base distinguished name for users and Base distinguished name for groups.
For example, it would be something like
dc=VMWARE,dc=COM or
dc=VMWARE,dc=com
- If the case of the domain in the identity source does not match the case of the domain in the group membership, update the identity source with the correct case and save the identity source configuration.
For example, if the group membership in Active Directory is
VMWARE.com, then the identity source should have
dc=VMWARE,dc=com for
Base distinguished name for users and
Base distinguished name for groups.

Workaround:
If you cannot set the UPN and sAMAccountName to be the same, you can instead:
- Add the user(s) to an AD Group.
- Give permissions in vCenter to that AD group instead of the single user.
- Ensure the identity source is configured with the correct case for the domain.
The user should then be able to log in correctly.
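
The case comparison from the group procedure above can be scripted when several identity sources or base DNs need checking. This is an added example, not VMware code: the function names are hypothetical, and the sample values are the page's own examples plus a constructed `ou=Groups` prefix.

```python
import re

# Split a DN on commas that are not preceded by a backslash (escaped commas stay).
_RDN_SPLIT = re.compile(r'(?<!\\),')

def dc_components(dn):
    """Return the dc= values of a distinguished name, in order, case preserved."""
    parts = []
    for rdn in _RDN_SPLIT.split(dn):
        attr, _, value = rdn.strip().partition('=')
        if attr.strip().lower() == 'dc':
            parts.append(value.strip())
    return parts

def check_case(ad_domain, base_dn):
    """Compare the domain noted in the Member Of tab with an identity-source base DN.

    Returns 'match', 'case-mismatch' or 'different-domain'.
    """
    want = ad_domain.split('.')
    have = dc_components(base_dn)
    if want == have:
        return 'match'
    if [p.lower() for p in want] == [p.lower() for p in have]:
        return 'case-mismatch'
    return 'different-domain'

def corrected_base_dn(ad_domain, base_dn):
    """Rewrite only the dc= values of base_dn to use the case from ad_domain."""
    if check_case(ad_domain, base_dn) == 'different-domain':
        raise ValueError('base DN does not belong to domain %s' % ad_domain)
    domain_parts = iter(ad_domain.split('.'))
    out = []
    for rdn in _RDN_SPLIT.split(base_dn):
        attr, _, _value = rdn.strip().partition('=')
        if attr.strip().lower() == 'dc':
            out.append('%s=%s' % (attr.strip(), next(domain_parts)))
        else:
            out.append(rdn.strip())  # leave ou=/cn= components untouched
    return ','.join(out)

if __name__ == '__main__':
    ad_domain = 'VMWARE.com'                    # as noted from the Member Of tab
    for base_dn in ('dc=VMWARE,dc=com',         # page example
                    'dc=VMWARE,dc=COM',         # page example
                    'ou=Groups,dc=VMWARE,dc=COM'):  # constructed sample
        status = check_case(ad_domain, base_dn)
        print(base_dn, '->', status)
        if status == 'case-mismatch':
            print('  use:', corrected_base_dn(ad_domain, base_dn))
```

Run it against both Base distinguished name for users and Base distinguished name for groups; any `case-mismatch` result is the value to correct in the identity source.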