Fix AD Domain alias for ADFS via script

Article ID: 329133

Updated On: 05-09-2025

Products

VMware vCenter Server

Issue/Introduction

Provide a scripted method to bulk modify permissions in the vpx_access table.

  • After changing the identity source from IWA to ADFS (with MFA), the existing permissions are stored under the alias form of the domain. ADFS recognizes only the FQDN of the AD domain, not the alias, so every permission for that domain has to be recreated.

    • After reconfiguring vCenter to use ADFS, all permissions must be changed from DOMAIN\XXX to FULLDOMAIN\XXX for them to work.

Cause

When the identity source is changed, the permission mappings are not updated automatically; they must be modified manually from the ALIAS to the full AD DOMAIN in the VCSA database.

Resolution

Important: Before proceeding, please make sure to take a proper snapshot of the VCSA. If the VCSA is in linked mode (ELM), take offline snapshots of all linked VCSAs.


Python script ("fixalias.py")

Note: This script prompts for the ALIAS and the DOMAIN information needed to normalize the principals and fix the permissions issue for ADFS/LDAP.

If there are object-level permissions (object_x_x_x; NOT global permissions) with wrong or mismatching ALIAS(es) in the vCenter, this script can find the existing ALIAS(es) in the vpx_access table of the VCDB and change them to match the given ALIAS/DOMAIN name.

The script also runs pg_dump to create a uniquely named plain-format dump of the vpx_access table as an extra safety measure; note, however, that restoring from that dump involves dropping or truncating the table.

Instruction steps:

  1. Ensure proper SNAPSHOTS and/or BACKUPS have been taken of the VCSA VM.
  2. Connect to the VCSA via SSH as the root user.
  3. Upload the script to the VCSA (e.g. with WinSCP).
  4. Stop the "vpxd" service before performing any maintenance on the VCDB:
     service-control --stop vmware-vpxd
  5. Run the following command to confirm which principals (Domain/Alias) are currently listed in the VCDB table:
     /opt/vmware/vpostgres/current/bin/psql -U postgres VCDB -c "select * from vpx_access;"
  6. Run the script:
     python fixalias.py
     Note: To proceed with the script, answer "Y" (case sensitive).
  7. When prompted, provide the ALIAS (or DOMAIN) to convert from and the NEW ALIAS to convert to.
     Ex: ALIAS (or DOMAIN)="primary" (or "primary.domain.com" if changing from the full domain back to an alias)
     Note: The Domain/Alias is case sensitive when making the change (e.g., "primary" is different from "PRIMARY"). If the principal is stored in lowercase, the script will not find it when given uppercase. This also means the script can be used to change the same principal (Domain/Alias) from lowercase to uppercase. Logging into the vSphere Client with the alias in upper or lower case works either way; the UI does not care about the case of the text in the VCDB table.
  8. Verify all principals were normalized by running the following command again:
     /opt/vmware/vpostgres/current/bin/psql -U postgres VCDB -c "select * from vpx_access;"
  9. Restart vpxd:
     service-control --start vmware-vpxd
  10. The new domain permissions should be reflected in the UI.
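As an added illustration of what the attached script does (example code written for this article, not fixalias.py itself), the following plans the alias-to-FQDN rename over principals like those listed in step 5 and renders it as a single transaction that can be reviewed before it is run through psql. The column names id and principal, and the sample rows, are assumptions rather than values from the KB.

```python
# Added example (not the attached fixalias.py): plans and renders the
# vpx_access normalization described in steps 5-8 as reviewable SQL.
# Assumptions: vpx_access has an integer "id" column and a text "principal"
# column holding DOMAIN\name; the rows below are constructed sample data.

def plan_rename(rows, old_alias, new_alias):
    """Return (id, old_principal, new_principal) for every row whose domain
    part (text before the backslash) equals old_alias exactly. The match is
    case sensitive, as the KB notes, so "primary" does not match "PRIMARY"."""
    changes = []
    for row_id, principal in rows:
        domain, sep, name = principal.partition("\\")
        if sep and domain == old_alias:
            changes.append((row_id, principal, f"{new_alias}\\{name}"))
    return changes


def quote(value):
    """Single-quote a SQL literal; a backslash stays literal under PostgreSQL's
    default standard_conforming_strings=on."""
    return "'" + value.replace("'", "''") + "'"


def to_sql(changes):
    """One UPDATE per row inside a transaction. Each statement is keyed by id
    and re-checks the old principal, so a stale plan changes nothing."""
    stmts = ["BEGIN;"]
    for row_id, old, new in changes:
        stmts.append(
            f"UPDATE vpx_access SET principal = {quote(new)} "
            f"WHERE id = {int(row_id)} AND principal = {quote(old)};"
        )
    stmts.append("COMMIT;")
    return stmts


# Constructed sample of what "select * from vpx_access;" might list.
SAMPLE_ROWS = [
    (1, "primary\\jsmith"),
    (2, "PRIMARY\\jdoe"),                 # different case: untouched
    (3, "primary.domain.com\\admin"),     # already normalized
    (4, "VSPHERE.LOCAL\\Administrator"),  # other identity source: untouched
    (5, "primary\\vcenter-operators"),
]

if __name__ == "__main__":
    # Forward direction (alias -> FQDN); swapping the arguments reverses it.
    for line in to_sql(plan_rename(SAMPLE_ROWS, "primary", "primary.domain.com")):
        print(line)
```

The generated statements are run with the same psql command as step 5 while vpxd is stopped, and the pg_dump the script takes of vpx_access remains the fallback.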

Additional Information

Impact/Risks:
Medium to high: depending on the environment size, there might be hundreds of users whose permissions would otherwise need to be edited and recreated manually. The script alleviates the need to edit these permissions by hand.

Attachments

fixalias.py