Unable to query users/groups after configuring ADFS
Article ID: 399842

Updated On: 06-03-2025

Products

VMware vCenter Server

Issue/Introduction

In the Users and Groups panel, enter user and group information for the Active Directory over LDAP connection to search for users and groups.
Option    Description

Base distinguished name for users    Base Distinguished Name for users.
Base distinguished name for groups    The base Distinguished Name for groups.

  • Configure group membership in vCenter Server for AD FS authorization:
    • From the Home menu, select Administration.
    • Under Single Sign On, click Users and Groups.
    • Click the Groups tab.
    • Click the Administrators group and click Add Members.
    • Select the domain from the drop-down menu.
      In the text box below the drop-down menu, enter the first few characters of the AD FS group that you want to add, then wait for the drop-down selection to appear.
      It might take several seconds for the selection to appear as vCenter Server establishes the connection to and searches Active Directory.
  • Symptom: the drop-down selection never appears.

vCenter logs an error in /var/log/vmware/sso/ssoAdminServer.log:

2025-05-25T11:23.30.125Z ERROR ssoAdminServer[109:pool-2-thread-4] [OpId=######] [com.vmware.identity.admin.vlsi.PrincipalDiscoveryServiceImpl]
Invalid principal: CN=SOMECN,DC=MYDOMAIN,DC=MYCOM
com.vmware.identity.admin.server.ims.PrincipalManagementException: Invalid principal:CN=SOMECN,DC=MYDOMAIN,DC=MYCOM
        at com.vmware.identity.admin.server.ims.impl.PrincipalManagementImpl.logAndThrow(PrincipalManagementImpl.java:2731) ~[libsso-adminserver.jar:?]
        at com.vmware.identity.admin.server.ims.impl.PrincipalManagementImpl.findPersonUsers(PrincipalManagementImpl.java:341) ~[libsso-adminserver.jar:?]
        at com.vmware.identity.admin.vlsi.PrincipalDiscoveryServiceImpl$8.call(PrincipalDiscoveryServiceImpl.java:311) ~[libsso-adminserver.jar:?]
        at com.vmware.identity.admin.vlsi.PrincipalDiscoveryServiceImpl$8.call(PrincipalDiscoveryServiceImpl.java:296) ~[libsso-adminserver.jar:?]
        at com.vmware.identity.admin.vlsi.util.VmodlEnhancer.invokeVmodlMethod(VmodlEnhancer.java:186) [libsso-adminserver.jar:?]
        at com.vmware.identity.admin.vlsi.PrincipalDiscoveryServiceImpl.findPersonUsers(PrincipalDiscoveryServiceImpl.java:296) [libsso-adminserver.jar:?]
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_412]
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_412]
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_412]
        at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_412]
        at com.vmware.vim.vmomi.server.impl.InvocationTask.run(InvocationTask.java:86) [vlsi-server-8.0.3.0-14373555-alpha.jar:?]
        at com.vmware.vim.vmomi.server.common.impl.RunnableWrapper$1.run(RunnableWrapper.java:47) [vlsi-server-8.0.3.0-14373555-alpha.jar:?]
        at com.vmware.vim.vmomi.core.tracing.NoopTracer$NoopSpan.runWithinSpanContext(NoopTracer.java:120) [vlsi-core-8.0.3.0-14373555-alpha.jar:?]
        at com.vmware.vim.vmomi.server.common.impl.TracingRunnableWrapper.run(TracingRunnableWrapper.java:62) [vlsi-server-8.0.3.0-14373555-alpha.jar:?]
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_412]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_412]
        at java.lang.Thread.run(Thread.java:750) [?:1.8.0_412]
Caused by: com.vmware.vim.sso.admin.exception.InvalidPrincipalException: The specified principal (CN=SOMECN,DC=MYDOMAIN,DC=MYCOM) is invalid.

Environment

vCenter 7.x

vCenter 8.x

Cause

The Base Distinguished Names provided for users and groups do not match the directory structure: a CN= RDN was used for a container that is actually an OU, so the LDAP search base does not resolve to an existing object.


Resolution

If the container is a CN (for example the built-in Users container), use:

CN=SOMECN,DC=MYDOMAIN,DC=MYCOM

If the container is an OU (organizational unit), use:

OU=SOMECN,DC=MYDOMAIN,DC=MYCOM

Note: Check with your Active Directory administrator to determine whether the container is a CN or an OU before building the DN, or verify it with a base-scope LDAP search of the candidate DN.

Additional Information

"vCenter Server derives the AD domain to use for authorization and permissions from the Base Distinguished Name for users. You can add permissions on vSphere objects only for users and groups from this AD domain. Users or groups from AD child domains or other domains in the AD forest are not supported by vCenter Server Identity Provider Federation."

LDAP queries fail when the wrong DN (distinguished name) is used as the search base, i.e. CN= where OU= is required or vice versa, because no object exists at that DN.

The LDAP API references an LDAP object by its distinguished name (DN). A DN is a sequence of relative distinguished names (RDNs) connected by commas; the first RDN names the object itself, and its attribute type must match the object's class.

CN    commonName
OU    organizationalUnitName
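The Resolution and the DN/RDN explanation above can be checked before a Base DN is saved in vCenter. The following is an added example, not code from the KB article or from VMware: it parses a DN into RDNs, simulates the base-scope lookup an LDAP server would perform against a constructed directory snapshot (DIRECTORY), and, when the leading RDN type is wrong, returns the CN=/OU= variant that actually exists. The function names and the snapshot are assumptions for illustration.

```python
import re

# Constructed directory snapshot: lower-cased DN -> objectClass values.
# The container named SOMECN is an organizationalUnit, so "CN=SOMECN,..." does not exist,
# while the built-in Users container is a CN (objectClass container).
DIRECTORY = {
    "ou=somecn,dc=mydomain,dc=mycom": {"top", "organizationalUnit"},
    "cn=users,dc=mydomain,dc=mycom": {"top", "container"},
    "dc=mydomain,dc=mycom": {"top", "domain", "domainDNS"},
}


def split_rdns(dn):
    """Split a DN into (ATTR, value) pairs, honouring backslash-escaped commas (RFC 4514)."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr, _, value = part.strip().partition("=")
        if not attr or not value:
            raise ValueError(f"malformed RDN {part!r} in {dn!r}")
        rdns.append((attr.upper(), value))
    return rdns


def join_rdns(rdns):
    return ",".join(f"{attr}={value}" for attr, value in rdns)


def lookup(dn):
    """Simulates an LDAP base-scope search: objectClass set if the entry exists, else None."""
    return DIRECTORY.get(join_rdns(split_rdns(dn)).lower())


def check_base_dn(dn):
    """Return (status, dn_to_use).

    status is 'ok' when the DN exists, 'wrong-rdn-type' when the same name exists
    under the same parent with the other container RDN type (CN vs OU), or 'not-found'.
    """
    rdns = split_rdns(dn)
    if lookup(dn) is not None:
        return "ok", join_rdns(rdns)
    attr, value = rdns[0]
    for other in ("OU", "CN"):
        candidate = [(other, value)] + rdns[1:]
        if other != attr and lookup(join_rdns(candidate)) is not None:
            return "wrong-rdn-type", join_rdns(candidate)
    return "not-found", join_rdns(rdns)
```

Against a live domain, replace lookup() with a base-scope search (for example `ldapsearch -s base -b "<DN>" objectClass`) and keep the rest unchanged.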