Unable to log in to VMware vRealize Automation (formerly known as VMware vCloud Automation Center) when the UPN domain does not match the Active Directory domain



Article ID: 328102


Products

VMware

Issue/Introduction

Symptoms:
  • You are unable to log in to VMware vRealize Automation (formerly known as VMware vCloud Automation Center).
  • This issue occurs when the User Principal Name (UPN) suffix of the account does not match the Active Directory (AD) domain that the identity store is bound to. For example, the AD domain is corp.mydomain.com but the accounts carry the parent suffix mydomain.com (UPNs of the form user@mydomain.com, where user stands for the account name).
  • After authenticating, you see a blank page or a page with a single Submit button, and the browser is redirected in a loop between the identity server URL and the VMware vRealize Automation server URL.
  • The catalina.out log file on the VMware vRealize Automation Appliance may contain an error similar to:

    YYYY-MM-DD 17:34:52,245 [tomcat-http--25] [authentication] ERROR com.vmware.vcac.platform.service.rest.resolver.ApplicationExceptionHandler.handleNPE:410 -java.lang.NullPointerException
    at com.vmware.vcac.authentication.service.support.LocalCafeMembershipProvider.findMembershipForPrincipals(LocalCafeMembershipProvider.java:92)

  • The ssoAdminServer.log file on the SSO appliance may contain entries similar to:

    [ YYYY-MM-DD 17:10:04,369 pool-2-thread-1 INFO com.vmware.identity.admin.vlsi.PrincipalDiscoveryServiceImpl] [User {Name: csp-admin-1fb24657-024c-xxxx-xxxx-0e85ff77eafa, Domain: vsphere.local} with role 'Administrator'] Find user account [email protected]
    [ YYYY-MM-DD 17:10:04,371 pool-2-thread-1 DEBUG com.vmware.identity.admin.server.ims.impl.PrincipalManagementImpl] Domain/alias desn't exist.
    com.vmware.identity.idm.NoSuchIdpException: Unknown domain [myDomain.com].
    at com.vmware.identity.idm.server.IdentityManager.findUser(IdentityManager.java:5713)
    ....
    [ YYYY-MM-DD 17:10:04,385 pool-2-thread-4 DEBUG com.vmware.identity.admin.server.ims.impl.PrincipalManagementImpl] Domain/alias doesn't exist.
    com.vmware.identity.idm.NoSuchIdpException: No such provider in tenant [vsphere.local] for domain [myDomain.com]

  • The vmware-sts-idmd.log file on the SSO appliance may contain entries similar to:

    [ YYYY-MM-DD 07:50:13,887 vsphere.local 651397e4-xxxx-xxxx-9b69-aa3f133984fc ERROR] [IdentityManager] Failed to find user [[email protected] ] for tenant [vsphere.local]
    [ YYYY-MM-DD 07:50:13,887 vsphere.local 651397e4-xxxx-xxxx-9b69-aa3f133984fc ERROR] [ServerUtils] Exception 'com.vmware.identity.idm.NoSuchIdpException: Unknown domain [myDomain.com].'
    com.vmware.identity.idm.NoSuchIdpException: Unknown domain [myDomain.com].
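To confirm from the appliance logs that a login failure is this domain-resolution problem rather than, for example, a bad password, the following Python triage helper (an added example, not VMware code) pulls the tenant, the unresolved domain suffix and the failing UPN out of the NoSuchIdpException and "Failed to find user" entries of the shapes shown above. The sample log text is constructed to match those excerpts; the timestamps, thread names, ids and the account name jsmith are placeholders, not captured data.

```python
import re
from typing import Dict, Set

# Constructed sample text modelled on the ssoAdminServer.log and
# vmware-sts-idmd.log excerpts in the article. Timestamps, thread names, ids
# and the user name jsmith are placeholders, not captured data.
SAMPLE_LOG = """\
[ 2014-05-01 17:10:04,369 pool-2-thread-1 INFO com.vmware.identity.admin.vlsi.PrincipalDiscoveryServiceImpl] [User {Name: csp-admin-1fb24657-024c-xxxx-xxxx-0e85ff77eafa, Domain: vsphere.local} with role 'Administrator'] Find user account jsmith@myDomain.com
[ 2014-05-01 17:10:04,371 pool-2-thread-1 DEBUG com.vmware.identity.admin.server.ims.impl.PrincipalManagementImpl] Domain/alias doesn't exist.
com.vmware.identity.idm.NoSuchIdpException: Unknown domain [myDomain.com].
    at com.vmware.identity.idm.server.IdentityManager.findUser(IdentityManager.java:5713)
[ 2014-05-01 17:10:04,385 pool-2-thread-4 DEBUG com.vmware.identity.admin.server.ims.impl.PrincipalManagementImpl] Domain/alias doesn't exist.
com.vmware.identity.idm.NoSuchIdpException: No such provider in tenant [vsphere.local] for domain [myDomain.com]
[ 2014-05-01 07:50:13,887 vsphere.local 651397e4-xxxx-xxxx-9b69-aa3f133984fc ERROR] [IdentityManager] Failed to find user [jsmith@myDomain.com ] for tenant [vsphere.local]
[ 2014-05-01 07:50:13,887 vsphere.local 651397e4-xxxx-xxxx-9b69-aa3f133984fc ERROR] [ServerUtils] Exception 'com.vmware.identity.idm.NoSuchIdpException: Unknown domain [myDomain.com].'
"""

# The three message shapes that identify a domain-resolution failure.
UNKNOWN_DOMAIN = re.compile(r"NoSuchIdpException: Unknown domain \[([^\]]+)\]")
NO_PROVIDER = re.compile(
    r"NoSuchIdpException: No such provider in tenant \[([^\]]+)\] for domain \[([^\]]+)\]"
)
FAILED_USER = re.compile(r"Failed to find user \[\s*([^\]\s]+)\s*\] for tenant \[([^\]]+)\]")


def triage(log_text: str) -> Dict[str, Set[str]]:
    """Collect the tenants, unresolved domain suffixes and failing UPNs named
    by NoSuchIdpException entries. Domains are lower-cased because the log
    echoes the suffix exactly as the user typed it (myDomain.com)."""
    found: Dict[str, Set[str]] = {"tenants": set(), "domains": set(), "upns": set()}
    for line in log_text.splitlines():
        if m := UNKNOWN_DOMAIN.search(line):
            found["domains"].add(m.group(1).lower())
        if m := NO_PROVIDER.search(line):
            found["tenants"].add(m.group(1))
            found["domains"].add(m.group(2).lower())
        if m := FAILED_USER.search(line):
            found["upns"].add(m.group(1))
            found["tenants"].add(m.group(2))
    return found


def is_domain_resolution_failure(found: Dict[str, Set[str]]) -> bool:
    """True when every failing UPN's suffix is one SSO reported as unknown:
    the account was never looked up in AD, so the problem is identity-store
    configuration (domain or domain alias), not the user's credentials."""
    if not found["upns"] or not found["domains"]:
        return False
    suffixes = {upn.rpartition("@")[2].lower() for upn in found["upns"]}
    return suffixes <= found["domains"]


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for key in ("tenants", "domains", "upns"):
        print(f"{key}: {sorted(result[key])}")
    print("domain resolution failure:", is_domain_resolution_failure(result))
```

Run it against the real files with `triage(open("/var/log/vmware/sso/ssoAdminServer.log").read())` (path is an assumption; use wherever your appliance keeps the file). The unresolved domain it reports is the value to compare against the domain and domain alias of each identity store in the tenant.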


Cause

This issue occurs because the SSO server (or the VMware vRealize Automation Identity Appliance) resolves a login by the domain suffix of the UPN: it looks for an identity store in the tenant whose domain name or domain alias matches that suffix. When the suffix (for example, mydomain.com) is neither the domain of a configured identity store nor registered as a domain alias, no provider is found, the lookup fails with NoSuchIdpException before the AD account is ever queried, and the user cannot be resolved.

Resolution

To resolve this issue, use one of these options:

If you are using the VMware vRealize Automation identity appliance for authentication and the current version is 6.0.0, upgrade your environment to 6.0.1. For more information, see Upgrading vCloud Automation Center from 6.0 to 6.0.1 in the VMware vCloud Automation Center 6.0 Documentation and the VMware vCloud Automation Center 6.0.1 Release Notes.

Or

If the UPN domain and the Active Directory domain are part of the same hierarchy (for example, the UPN domain is mydomain.com and the AD domain is corp.mydomain.com), specify a domain alias in the identity store for the UPN domain:
  1. Log in to VMware vRealize Automation as a user with permission to edit tenants.
  2. Click the Administration tab and click Tenants.
  3. Edit the tenant and click the Identity stores tab.
  4. If an identity store already exists for the domain, record its settings and delete it. The domain alias cannot be changed after an identity store is created, so the store must be recreated.
  5. Add a new Identity store.
  6. Select the identity store type Active Directory.

    Note: Do not select Native Active Directory as it does not permit the specification of a domain alias.

  7. Enter the required information and the User search base DN (optional).
  8. Add the UPN domain to the Domain alias field.
  9. Click Test Connection.
  10. When the connection succeeds, click Add to complete the creation of the identity store.
  11. Under Edit Tenant, click Update to save the changes made to the tenant.

Or

Contact VMware Technical Support to obtain a fix to add the UPN suffixes to the identity store. For more information, see Filing a Support Request in Customer Connect (2006985).
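The following Python model (an added example, not VMware's implementation) shows why the domain alias option above works: SSO takes the part of the UPN after the @ and looks for an identity store in the tenant whose domain or domain alias matches it. Without an alias, a store bound to corp.mydomain.com does not claim mydomain.com and resolution fails with the "No such provider" message from the logs; with mydomain.com recorded as an alias it resolves. The model also encodes the decision the options above leave to the reader: an alias only applies when the UPN suffix is the AD domain or one of its parents, a Native Active Directory store cannot carry one, and any other suffix is the "contact support" case. The store names, the account jsmith and the tenant vsphere.local are placeholders.

```python
from dataclasses import dataclass, field
from typing import List


class NoSuchIdpError(LookupError):
    """Stands in for com.vmware.identity.idm.NoSuchIdpException: no identity
    store in the tenant claims the domain suffix of the UPN."""


@dataclass
class IdentityStore:
    name: str
    domain: str                              # AD domain the store is bound to
    aliases: List[str] = field(default_factory=list)
    native: bool = False                     # Native Active Directory stores have no alias field

    def claims(self, suffix: str) -> bool:
        """Does this store answer for `suffix`, by domain name or by alias?"""
        names = [self.domain] + ([] if self.native else self.aliases)
        return suffix.lower() in (n.lower() for n in names)


def upn_suffix(upn: str) -> str:
    """Domain part of a UPN (everything after the last '@')."""
    local, at, suffix = upn.rpartition("@")
    if not at or not local or not suffix:
        raise ValueError(f"not a UPN: {upn!r}")
    return suffix


def resolve_store(tenant: str, stores: List[IdentityStore], upn: str) -> IdentityStore:
    """The lookup SSO performs before it talks to AD: pick the store that owns
    the UPN's domain. Failing here produces the article's log entries."""
    suffix = upn_suffix(upn)
    for store in stores:
        if store.claims(suffix):
            return store
    raise NoSuchIdpError(f"No such provider in tenant [{tenant}] for domain [{suffix}]")


def same_hierarchy(upn_domain: str, ad_domain: str) -> bool:
    """True when the UPN suffix is the AD domain or one of its parents
    (mydomain.com for corp.mydomain.com); an unrelated domain is not."""
    u, a = upn_domain.lower(), ad_domain.lower()
    return a == u or a.endswith("." + u)


def recommended_action(store: IdentityStore, upn: str) -> str:
    """Map a failing UPN onto the article's options for the given store."""
    suffix = upn_suffix(upn)
    if store.claims(suffix):
        return "ok: store already resolves this suffix"
    if not same_hierarchy(suffix, store.domain):
        return "contact support: suffix is outside the store's domain hierarchy"
    if store.native:
        return (f"recreate as type Active Directory with alias {suffix}: "
                "Native Active Directory stores cannot carry an alias")
    return f"add alias {suffix} (delete and recreate the store; aliases cannot be edited)"


def describe_resolution(tenant: str, stores: List[IdentityStore], upn: str) -> str:
    """Resolution outcome as text, so the failure case is easy to inspect."""
    try:
        return f"resolved via {resolve_store(tenant, stores, upn).name}"
    except NoSuchIdpError as exc:
        return str(exc)


if __name__ == "__main__":
    # Placeholder tenant, user and store names; the domains are the article's.
    tenant = "vsphere.local"
    before = IdentityStore("corp-ad", "corp.mydomain.com")
    after = IdentityStore("corp-ad", "corp.mydomain.com", aliases=["mydomain.com"])
    for stores in ([before], [after]):
        print(describe_resolution(tenant, stores, "jsmith@mydomain.com"))
    print(recommended_action(before, "jsmith@mydomain.com"))
    print(recommended_action(before, "jsmith@other.example"))
```

Note that `same_hierarchy` is a label-boundary check: mydomain.com matches corp.mydomain.com, but ydomain.com does not, which is the mistake a plain substring test would make when deciding whether an alias is the right fix.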


Additional Information

How to file a Support Request in Customer Connect