Users or groups from Active Directory are not visible in SSO local group in vSphere Client
Article ID: 386217

Products

VMware vCenter Server

Issue/Introduction

SSO local groups often contain both local users/groups and Active Directory users/groups.

However, the users/groups from Active Directory are not visible in the vCenter GUI.

If vCenter is in ELM/LM, all of the linked vCenter Servers are affected.

Checking with JXplorer, the AD users/groups are still listed in vmdir but not in the vSphere Client.

Verified in AD, the user/group still exists with the same name.

When new AD accounts are added to the SSO group, they are shown in the vSphere Client.

Environment

VMware vCenter Server 8.x

Cause

When an AD user/group is added to a local vCenter group, vCenter creates a ForeignSecurityPrincipal (FSP) object in SID format, along with a duplicate FSP object in UPN format, for the particular AD user/group and adds both objects as members to the local group in vmdir.

When displaying the local group's members on the UI, the SSO code skips the SID formatted FSPs so that the UI doesn't show the AD user/group twice -- only the UPN formatted group membership gets displayed.

If, for some reason, the UPN formatted FSP object is removed from the local group in vmdir but the SID formatted FSP object still exists as a member of the local group (and its flag is set to 0 to indicate a successful UPN conversion), then the AD user/group won't be displayed on the UI when viewing the local group on the vSphere Client.

Attempting to add the AD user/group again will fail, since the SID formatted FSP group membership for this user/group already exists.

Resolution

Before undertaking any of the options listed below, take OFFLINE snapshots of both vCenters in ELM/LM, or an ONLINE snapshot of a standalone vCenter, just to be safe.

  • Option 1:
    • Manually delete the SID formatted FSP (externalObjectId=S-1-5-21-....) from the local group, via JXplorer or the ldapdelete command on the CLI, before trying to add the AD user/group again.
    • After that, the AD user/group should be displayed on the vSphere Client.
  • Option 2:
    • Using JXplorer, go through every externalObjectId entry in the ForeignSecurityPrincipals container (DN: cn=ForeignSecurityPrincipals,dc=vsphere,dc=local).
    • For each SID formatted FSP object (i.e. externalObjectId=S-1-5-21-XXX...), if that object's flag is set to 0, update it to -1 and submit the result.
    • Only update it to -1 if it is currently set to 0. This will tell the vCenter SSO code to try and convert the SID formatted FSP to a UPN formatted FSP, which will fix the issue.
    • After the flag is updated, you can either wait 24 hours (the vCenter SSO code will check the flag once every 24 hrs) and the issue will be fixed for all SSO local groups -- or if you want the issue fixed immediately, you can restart the vmware-sts service on the VC and after the service restarts, the issue should be fixed.
    • Note that after the FSP is successfully converted, the object's flag will be set back to 0 -- this indicates a successful conversion and is expected.
    • If the vCenter is in ELM and is linked to another vCenter, please only perform the above steps on one of the vCenters. The changes will replicate to the other VC automatically.
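Option 2 can be tedious to do by hand in JXplorer when the ForeignSecurityPrincipals container is large. The following is an added example, not code from this KB or from VMware: it takes an LDIF dump of the container (as produced by ldapsearch), selects only the SID formatted FSPs whose flag is currently 0, and writes an LDIF changefile that sets their flag to -1 for review before applying with ldapmodify. The attribute name `flag` and the RDN form `externalObjectId=...` are assumptions; confirm the real attribute name in JXplorer first.

```python
import re

# Container named in the KB; the RDN form and flag attribute name are assumptions.
FSP_BASE = "cn=ForeignSecurityPrincipals,dc=vsphere,dc=local"
FLAG_ATTR = "flag"  # assumed attribute name; confirm in JXplorer before use
SID_RE = re.compile(r"^S-1-5-21(-\d+)+$")  # domain SID, e.g. S-1-5-21-...-1105


def parse_ldif_entries(text):
    """Parse a minimal LDIF dump (one attribute per line, blank line between entries)."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        entries.append(current)
    return entries


def plan_flag_updates(entries):
    """Return DNs of SID formatted FSPs with flag 0; UPN FSPs and flag -1 are left alone."""
    dns = []
    for e in entries:
        eid = e.get("externalObjectId", "")
        if not SID_RE.match(eid):
            continue  # UPN formatted FSP (e.g. user@domain), never touched
        if e.get(FLAG_ATTR) != "0":
            continue  # -1 is already pending conversion; only 0 is changed
        dns.append(e.get("dn") or f"externalObjectId={eid},{FSP_BASE}")
    return dns


def to_ldif_modify(dns):
    """Emit an LDIF changefile that sets the flag to -1 for each selected DN."""
    return "\n".join(
        f"dn: {dn}\nchangetype: modify\nreplace: {FLAG_ATTR}\n{FLAG_ATTR}: -1\n" for dn in dns
    )


# Constructed sample dump: one SID FSP at flag 0, one UPN FSP, one SID FSP already at -1.
SAMPLE_DUMP = f"""dn: externalObjectId=S-1-5-21-1111111111-2222222222-3333333333-1105,{FSP_BASE}
externalObjectId: S-1-5-21-1111111111-2222222222-3333333333-1105
{FLAG_ATTR}: 0

dn: externalObjectId=alice@corp.example,{FSP_BASE}
externalObjectId: alice@corp.example
{FLAG_ATTR}: 0

dn: externalObjectId=S-1-5-21-1111111111-2222222222-3333333333-1106,{FSP_BASE}
externalObjectId: S-1-5-21-1111111111-2222222222-3333333333-1106
{FLAG_ATTR}: -1
"""
```

Feed the generated changefile to ldapmodify against vmdir only after checking it lists exactly the SID formatted entries you expect; as the KB notes, the flag returns to 0 once the conversion succeeds.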