Active Directory Authentication Sources in vRealize Operations
Article ID: 342368
Updated On: 10-12-2021
Products
VMware Aria Suite
Issue/Introduction
In previous versions of vRealize Operations it's been possible to login by providing only the username without the domain suffix when the userPrincipalName option has been selected in the Active Directory authentication source.
This caused massive reads per login from the database when there were large numbers of imported AD users, since the whole user list would be retrieved from the database and iteration was done over the complete list to find the required user.
Starting in vRealize Operations 7.5, a single query per login is performed using the full format, username@domain.com, which positively affects performance.
The limitation coming with this change means that the login will only be successful if the username's domain suffix matches the domain name specified in the Base DN option. Otherwise, the full username with domain suffix is required during login.
This caused massive reads per login from the database when there were large numbers of imported AD users, since the whole user list would be retrieved from the database and iteration was done over the complete list to find the required user.
Starting in vRealize Operations 7.5, a single query per login is performed using the full format, username@domain.com, which positively affects performance.
The limitation coming with this change means that the login will only be successful if the username's domain suffix matches the domain name specified in the Base DN option. Otherwise, the full username with domain suffix is required during login.
Environment
VMware vRealize Operations 8.x
VMware vRealize Operations Manager 7.5.x
VMware vRealize Operations Manager 7.5.x
Resolution
This is expected behavior in vRealize Operations 7.5 and later when authenticating with Active Directory sources when the Common Name option is configured to use userPrincipalName.
When authenticating, use the format username@domain.com.
Alternatively, to authenticate using short name (username only), configure the Active Directory Authentication Source to use samAccountName for the Common Name option.
- Log into the vRealize Operations UI with the local admin user.
- Navigate to Administration > Access > Authentication Sources.
- Select the Active Directory source and click Edit.
- Expand Details, and set Common Name to samAccountName.
- Click OK.
Note: This will import a new user ID into the database. Custom content (dashboards, reports, alerts, etc) owned by the previous user account will not be visible on the new user account. Once the old user account is deleted from vRealize Operations, the custom content can be recovered under Administration > Management > Orphaned Content and assigned to the new user.
Feedback
Was this article helpful?
Yes
No
Powered by
