Using identity source in vCenter with the “Active Directory over LDAP” with Radiant Logic schema is unsupported and leads to directory query failures.

Article ID: 403722

Products

VMware vCenter Server

Issue/Introduction

After adding a new Active Directory over LDAP identity source backed by Radiant Logic to VMware vCenter, opening “Users and Groups” in the vSphere Client produces the following error:

"A vCenter Single Sign-On service error occurred"

Users from the identity source can be queried and added under Global Permissions, but login attempts with those users fail with the following error:

"[400] An error occurred while processing the authentication response from the vCenter Single Sign-On server. Details: Status: urn:oasis:names:tc:SAML:2.0:status:Responder, sub status: null." 

In /var/log/vmware/sso/ssoAdminServer.log:

YYYY-MM-DDTHH:MM:SS INFO ssoAdminServer[216:pool-2-thread-14] [OpId=########-####-####-####-#######][com.vmware.identity.admin.vlsi.PrincipalDiscoveryServiceImpl] [User {Name: machine-########-####-####-####-#######, Domain: domain.local} with role 'Administrator'] Find nested parent groups for user {Name: username, Domain: domain1.local}
YYYY-MM-DDTHH:MM:SS INFO ssoAdminServer[216:pool-2-thread-14] [OpId=########-####-####-####-#######] [com.vmware.identity.interop.ldap.SslX509EqualityMatchVerificationCallback] Server SSL certificate is a trusted certificate.
YYYY-MM-DDTHH:MM:SS WARN ssoAdminServer[216:pool-2-thread-14] [OpId=########-####-####-####-#######] [com.vmware.identity.idm.server.provider.ldap.LdapWithAdMappingsProvider] Failed to retrieve information from RootDSE in AD Over Ldap provider domain1.local
java.security.InvalidParameterException: Null or empty values
        at com.vmware.identity.idm.server.provider.BaseLdapProvider.getStringValue(BaseLdapProvider.java:342) ~[vmware-identity-idm-server-7.0.0.jar:?]
        at com.vmware.identity.idm.server.provider.ldap.LdapWithAdMappingsProvider.getAlterUpnSuffixes(LdapWithAdMappingsProvider.java:332) [vmware-identity-idm-server-7.0.0.jar:?]
        at com.vmware.identity.idm.server.provider.ldap.LdapWithAdMappingsProvider.getRegisteredUpnSuffixes(LdapWithAdMappingsProvider.java:420) [vmware-identity-idm-server-7.0.0.jar:?]
        at com.vmware.identity.idm.server.TenantInformation.matchUpnSuffixes(TenantInformation.java:339) [vmware-identity-idm-server-7.0.0.jar:?]
        at com.vmware.identity.idm.server.TenantInformation.findProviderADAsFallBack(TenantInformation.java:368) [vmware-identity-idm-server-7.0.0.jar:?]
        at com.vmware.identity.idm.server.IdentityManager.findNestedParentGroups(IdentityManager.java:5238) [vmware-identity-idm-server-7.0.0.jar:?]
        at com.vmware.identity.idm.server.IdentityManager.findNestedParentGroups(IdentityManager.java:10816) [vmware-identity-idm-server-7.0.0.jar:?]
        at com.vmware.identity.idm.client.CasIdmClient.findNestedParentGroups(CasIdmClient.java:2443) [vmware-identity-idm-client-7.0.0.jar:?]

Environment

vCenter Server 7.x
vCenter Server 8.x

Cause

The error message "Failed to retrieve information from RootDSE in AD Over Ldap provider domain1.local" indicates that vCenter SSO was unable to read essential directory metadata from the configured identity source.

In this setup, a third-party application, Radiant Logic, is used to expose Active Directory to vCenter. However, Radiant Logic should not be configured as an “Active Directory over LDAP” identity source, as it does not fully replicate the RootDSE and schema structure required by vCenter SSO.

The RootDSE is the top-level entry in an LDAP directory that provides key information about the server, such as supported capabilities and naming contexts. vCenter SSO retrieves this information using a base-level LDAP query with the filter (objectClass=*). If the LDAP service cannot return the expected RootDSE attributes, it typically means that the schema is not compliant with what SSO expects from a true Active Directory environment.

When using the "AD over LDAP" identity source type, vCenter expects a Microsoft AD-compliant schema, including specific RootDSE attributes. Any deviation, such as that introduced by a directory abstraction layer like Radiant Logic, will prevent SSO from performing necessary directory lookups.
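The base-scope RootDSE query described above is easy to run yourself before registering an LDAP endpoint in vCenter. The following script is an added pre-flight check, not part of this article or of any VMware tooling: it parses the LDIF that ldapsearch prints for the (objectClass=*) base query and reports which attributes a native Active Directory domain controller publishes in its RootDSE are absent or empty. The article does not state which RootDSE attributes SSO reads, so the list of expected attributes is an assumption based on what a Microsoft AD RootDSE normally exposes; the two LDIF samples are constructed for illustration (the "proxy" sample is not real Radiant Logic output), and the host names and naming contexts are placeholders.

```python
"""Pre-flight RootDSE check for an "Active Directory over LDAP" identity source.

vCenter SSO reads the RootDSE with a base-scope search using the filter
(objectClass=*). Capture the same query with ldapsearch (OpenLDAP client):

    ldapsearch -H ldaps://dc01.domain.local:636 -x -D "svc@domain.local" -W \
        -s base -b "" "(objectClass=*)" > rootdse.ldif

and feed the resulting LDIF to missing_rootdse_attrs() below.
"""
import base64
import re
from typing import Dict, List

# Attributes a native AD domain controller publishes in its RootDSE.
# ASSUMPTION: the KB does not say which of these SSO actually requires.
EXPECTED_AD_ROOTDSE_ATTRS = [
    "defaultNamingContext",
    "rootDomainNamingContext",
    "configurationNamingContext",
    "schemaNamingContext",
    "dnsHostName",
    "supportedCapabilities",
    "highestCommittedUSN",
]

# Accepts "attr: value" and base64 "attr:: value" LDIF lines.
_ATTR_LINE = re.compile(r"^([A-Za-z][\w;.-]*)(::?) ?(.*)$")


def parse_rootdse_ldif(ldif_text: str) -> Dict[str, List[str]]:
    """Parse the first entry (the block containing a 'dn:' line) out of
    ldapsearch LDIF output. Unfolds continuation lines (leading space),
    decodes base64 values and skips '#' comments and the 'dn:' line.
    Returns attribute name -> list of values (names keep their LDIF case)."""
    entry_block = None
    for block in re.split(r"\n\s*\n", ldif_text.strip()):
        if any(line.startswith("dn:") for line in block.splitlines()):
            entry_block = block
            break
    if entry_block is None:
        return {}
    unfolded = entry_block.replace("\n ", "")  # LDIF line folding
    attrs: Dict[str, List[str]] = {}
    for line in unfolded.splitlines():
        if not line or line.startswith("#") or line.startswith("dn:"):
            continue
        match = _ATTR_LINE.match(line)
        if not match:
            continue
        name, sep, value = match.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8", errors="replace")
        attrs.setdefault(name, []).append(value)
    return attrs


def missing_rootdse_attrs(ldif_text: str) -> List[str]:
    """Return the expected AD RootDSE attributes that the endpoint did not
    return, or returned with only empty values. An empty value is treated as
    missing because that is what the 'Null or empty values' exception in
    ssoAdminServer.log complains about. Attribute names compare
    case-insensitively, as LDAP does."""
    attrs = parse_rootdse_ldif(ldif_text)
    present = {n.lower(): [v for v in vals if v.strip()] for n, vals in attrs.items()}
    return [a for a in EXPECTED_AD_ROOTDSE_ATTRS if not present.get(a.lower())]


# Constructed sample: what a native AD domain controller's RootDSE looks like.
NATIVE_AD_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectClass=*)
# requesting: ALL
#

#
dn:
currentTime: 20240101120000.0Z
defaultNamingContext: DC=domain,DC=local
rootDomainNamingContext: DC=domain,DC=local
configurationNamingContext: CN=Configuration,DC=domain,DC=local
schemaNamingContext: CN=Schema,CN=Configuration,DC=domain,DC=local
dnsHostName: dc01.domain.loc
 al
supportedCapabilities:: MS4yLjg0MC4xMTM1NTYuMS40LjgwMA==
supportedCapabilities: 1.2.840.113556.1.4.1791
highestCommittedUSN: 123456
supportedLDAPVersion: 3

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
"""

# Constructed sample: a generic LDAP virtual directory that exposes only a
# subset of the AD RootDSE (hypothetical, not captured from Radiant Logic).
PROXY_LDIF = """\
#
dn:
namingContexts: DC=domain,DC=local
defaultNamingContext: DC=domain,DC=local
supportedLDAPVersion: 3
vendorName: Example Virtual Directory
dnsHostName:

# search result
search: 2
result: 0 Success
"""


if __name__ == "__main__":
    for label, ldif in (("native AD", NATIVE_AD_LDIF), ("LDAP proxy", PROXY_LDIF)):
        missing = missing_rootdse_attrs(ldif)
        verdict = "OK for AD over LDAP" if not missing else "use OpenLDAP type"
        print(f"{label}: {verdict}; missing RootDSE attributes: {missing}")
```

Run it against a captured rootdse.ldif by calling missing_rootdse_attrs() on the file contents; an endpoint that comes back with anything in the missing list is a candidate for the "OpenLDAP" identity source type rather than "Active Directory over LDAP".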

Resolution

1. The "Active Directory over LDAP" identity source must be pointed at a native Active Directory Domain Controller, not at a third-party directory proxy such as Radiant Logic.

2. Alternatively, if a third-party LDAP service such as Radiant Logic must be used, configure the identity source with the "OpenLDAP" type instead.
