When vCenter linking is configured for a group of vCenter Servers in VCF Operations, adding a user to a local SSO group in vCenter Server fails with the following error, "No principal with specified name exists."
VCF 9.0
This issue will be fixed in a future release of VMware Cloud Foundation 9.0.
To work around the error, use one of the following:
Workaround 1: Assign permissions to the user by assigning a role using Global Permissions.
Workaround 2: Remove the UPN domain suffix used by the affected users (e.g., example.com) from the affected identity provider domain.
Note: Ensure you have a backup of all the linked vCenter Servers in the group before proceeding. For more information, see File-Based Backups for SDDC Manager, NSX Manager, and vCenter.
To allow the user to be added to the local SSO group again, follow these steps:
Copy upn-suffix-removal.sh to /tmp/ on the vCenter Server (make it executable with chmod +x if necessary) and run it: $> ./upn-suffix-removal.sh
Note: Provide the details requested by the input prompts during script execution. The script lists the UPN suffixes currently configured for the identity provider domain and prompts for the one to remove; enter 'quit' at that prompt to exit without changing anything.
Example output from the script, where one of the UPN suffixes, EXAMPLE.LOCAL, is removed:
root@vcenter-1 [ ~ ]# ./upn-suffix-removal.sh
Enter password for administrator@vsphere.local:
Fri Jul 4 05:28:36 AM UTC 2025| Searching for UPN suffixes...
Fri Jul 4 05:28:36 AM UTC 2025| Found UPN suffixes: [EXAMPLE.COM, EXAMPLE.LOCAL]
Enter UPN suffix to be removed for the affected IDP domain (or 'quit' to exit): EXAMPLE.LOCAL
Fri Jul 4 05:28:43 AM UTC 2025| UPN suffix to be removed: EXAMPLE.LOCAL
modifying entry "cn=vsphere.local,cn=IdentityProviders,cn=vsphere.local,cn=Tenants,cn=IdentityManager,CN=Services,dc=vsphere,dc=local"
Fri Jul 4 05:28:43 AM UTC 2025| Successfully removed UPN suffix: EXAMPLE.LOCAL
Fri Jul 4 05:28:43 AM UTC 2025| Script execution is complete.
Fri Jul 4 05:28:43 AM UTC 2025| ===============================================================================
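The following is an added example, not part of this article or of VMware's upn-suffix-removal.sh. When the script is run on more than one vCenter Server and the console transcripts are kept, it is easy to miss a run where the wrong suffix was typed at the prompt or where the success line never appeared. The parser below reads a transcript in the format shown above and checks that the suffix you intended to remove was in the list the script found, was the one typed at the prompt, and is the one the script reports as removed, before reporting the suffixes that should remain. The transcript embedded in the code is constructed to match the example output above; the function and variable names are this example's own.

```python
import re

# Constructed sample transcript (not captured from a real system); it follows
# the format of the upn-suffix-removal.sh output shown in the article.
SAMPLE_LOG = """root@vcenter-1 [ ~ ]# ./upn-suffix-removal.sh
Enter password for administrator@vsphere.local:
Fri Jul 4 05:28:36 AM UTC 2025| Searching for UPN suffixes...
Fri Jul 4 05:28:36 AM UTC 2025| Found UPN suffixes: [EXAMPLE.COM, EXAMPLE.LOCAL]
Enter UPN suffix to be removed for the affected IDP domain (or 'quit' to exit): EXAMPLE.LOCAL
Fri Jul 4 05:28:43 AM UTC 2025| UPN suffix to be removed: EXAMPLE.LOCAL
modifying entry "cn=vsphere.local,cn=IdentityProviders,cn=vsphere.local,cn=Tenants,cn=IdentityManager,CN=Services,dc=vsphere,dc=local"
Fri Jul 4 05:28:43 AM UTC 2025| Successfully removed UPN suffix: EXAMPLE.LOCAL
Fri Jul 4 05:28:43 AM UTC 2025| Script execution is complete.
"""

# Patterns for the four lines the audit relies on (timestamps are ignored).
FOUND_RE = re.compile(r"Found UPN suffixes: \[(?P<list>[^\]]*)\]")
PROMPT_RE = re.compile(r"Enter UPN suffix to be removed .*?: (?P<suffix>\S+)\s*$")
ENTRY_RE = re.compile(r'modifying entry "(?P<dn>[^"]+)"')
REMOVED_RE = re.compile(r"Successfully removed UPN suffix: (?P<suffix>\S+)\s*$")


def parse_removal_log(log: str) -> dict:
    """Extract the suffixes the script found, the suffix typed at the prompt,
    the LDAP entry it modified and the suffix it reports as removed.
    Anything not present in the transcript is returned as None."""
    result = {"found": None, "requested": None, "modified_dn": None, "removed": None}
    for line in log.splitlines():
        if (m := FOUND_RE.search(line)):
            result["found"] = [s.strip().upper() for s in m["list"].split(",") if s.strip()]
        elif (m := PROMPT_RE.search(line)):
            result["requested"] = m["suffix"].upper()
        elif (m := ENTRY_RE.search(line)):
            result["modified_dn"] = m["dn"]
        elif (m := REMOVED_RE.search(line)):
            result["removed"] = m["suffix"].upper()
    return result


def audit_removal(log: str, expected_suffix: str) -> tuple[list[str], list[str]]:
    """Return (remaining_suffixes, problems). problems is empty only when the
    run removed exactly expected_suffix and that suffix was listed beforehand;
    otherwise remaining_suffixes is the list as the script found it."""
    expected = expected_suffix.upper()
    p = parse_removal_log(log)
    problems = []
    if p["found"] is None:
        problems.append("no 'Found UPN suffixes' line; the script did not enumerate suffixes")
        return [], problems
    if expected not in p["found"]:
        problems.append(f"{expected} was not among the suffixes the script found: {p['found']}")
    if p["requested"] == "QUIT":
        problems.append("script was exited at the prompt; nothing was removed")
    elif p["requested"] != expected:
        problems.append(f"prompt answered with {p['requested']!r}, expected {expected!r}")
    if p["removed"] is None:
        problems.append("no 'Successfully removed' line; the modification was not confirmed")
    elif p["removed"] != expected:
        problems.append(f"script reports removing {p['removed']!r}, not {expected!r}")
    # The script is expected to touch the identity provider entry, not anything else.
    if p["modified_dn"] and "cn=IdentityProviders" not in p["modified_dn"]:
        problems.append(f"unexpected entry modified: {p['modified_dn']}")
    remaining = p["found"] if problems else [s for s in p["found"] if s != p["removed"]]
    return remaining, problems


if __name__ == "__main__":
    remaining, problems = audit_removal(SAMPLE_LOG, "example.local")
    print("remaining suffixes:", remaining)
    print("problems:", problems or "none")
```

Suffix comparison is case-insensitive because the script prints the suffixes in upper case regardless of how they were typed. Point audit_removal at each saved transcript with the suffix you meant to remove; any non-empty problems list means that vCenter Server needs a second look before the user is re-added to the SSO group.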