Error: "Null or empty values" when vCenter AD-over-LDAP queries ADLDS accounts
search cancel

Error: "Null or empty values" when vCenter AD-over-LDAP queries ADLDS accounts

book

Article ID: 411071

calendar_today

Updated On:

Products

VMware vCenter Server

Issue/Introduction

When you configure an AD-over-LDAP identity source in vCenter Server pointing to an ADLDS instance, authentication completely fails. No users appear in the Users and Groups interface. The domain dropdown shows your configured domain, but selecting it returns no users.

The vCenter Server's /var/log/vmware/sso/ssoAdminServer.log file shows these errors:

YYYY-MM-DDTHH:MM:SS.SSSZ INFO ssoAdminServer[100:pool-2-thread-6] [OpId=<hex-value>-###-auto-<hex>-<hex>:########] [com.vmware.identity.admin.vlsi.PrincipalDiscoveryServiceImpl] [User {Name: Administrator, Domain: VSPHERE.LOCAL} with role 'Administrator'] Find at most 200 person users by criteria searchString=, domain=<your-domain>

YYYY-MM-DDTHH:MM:SS.SSSZ ERROR ssoAdminServer[100:pool-2-thread-6] [OpId=<hex-value>-###-auto-<hex>-<hex>:########] [com.vmware.identity.idm.server.IdentityManager] Failed to find person users [Criteria : searchString=, domain=<your-domain>] in tenant [vsphere.local]

YYYY-MM-DDTHH:MM:SS.SSSZ ERROR ssoAdminServer[100:pool-2-thread-6] [OpId=<hex-value>-###-auto-<hex>-<hex>:########] [com.vmware.identity.idm.server.ServerUtils] Exception 'java.security.InvalidParameterException: Null or empty values'
java.security.InvalidParameterException: Null or empty values

Search operations yield no results, even for known usernames. This occurs when your ADLDS directory contains user accounts created directly in ADLDS rather than synchronized from Active Directory. These accounts lack sAMAccountName attributes. This prevents all Active Directory authentication and blocks user access to vCenter.

Additional symptoms reported:

  • "Authentication with AD or LDAP keeps failing"
  • "Not even 1 user is displayed on UI"
  • "Neither searching for any user works"

Environment

• vCenter Server 7.x and newer with AD-over-LDAP identity source configured against ADLDS or non-AD LDAP systems
• Environments using ADLDS (Active Directory Lightweight Directory Services) with mixed account sources (AD-synchronized and locally-created accounts)
• Load-balanced LDAP configurations (ldap://[domain]:389 or ldaps://[domain]:636)

Cause

An LDAP directory (like ADLDS) stores user accounts. When selecting "Active Directory over LDAP" in vCenter, vCenter expects a real Active Directory system. Active Directory automatically adds a special field called 'sAMAccountName' to every user account. This field contains the Windows login name.

ADLDS and other LDAP systems don't require this field. Accounts in an LDAP directory may lack sAMAccountName if they were:

  • Created directly in ADLDS (never synchronized from AD)
  • Part of a pure LDAP environment with no AD integration
  • Service accounts created for applications

When using AD over LDAP, when vCenter reads the user list, it expects every account to have sAMAccountName. vCenter encounters the first account without this field and stops with an error.

If the ADLDS database has some accounts ported from AD, it may succeed on those accounts, then fail on the first account that was created in ADLDS. This issue thus happens regardless of whether it's the 1st, 200th, or 1000th account without the sAMAccountName field in that directory.

Resolution

Choose one of the following solutions based on your environment:

Option 1: Configure AD-over-LDAP with Active Directory Global Catalog

Use this solution if you have an Active Directory infrastructure available alongside your ADLDS system.

  1. Log in to the vSphere Client UI at `https://<vCenter_FQDN>`

  2. Navigate to Administration > Single Sign-On > Configuration > Identity Sources

  3. Click Add Identity Source

  4. Select Active Directory over LDAP as the identity source type

  5. Enter the following server URL: `ldaps://<your_AD_domain>:3269`

    Note: Port 3269 is the Global Catalog secure port.

  6. Configure the Base DN for users and groups according to your Active Directory structure.

  7. Enter your service account credentials.

  8. Critical: Set the Identity Source name to match your previous identity source name exactly to preserve all permissions.

  9. Click Add to save the configuration.

  10. Test authentication by logging in with an Active Directory user account.

Option 2: Configure Standard LDAPS Identity Source

Use this solution if you only have ADLDS or other LDAP systems without Active Directory.

1. Log in to the vSphere Client UI at `https://<vCenter_FQDN>`

2. Navigate to Administration > Single Sign-On > Configuration > Identity Sources

3. Click Add Identity Source

4. Select OpenLDAP as the identity source type (not Active Directory over LDAP).

5. Enter the following server URL: `ldaps://<your_LDAP_server>:636`

6. Configure these LDAP-specific settings:

  1. Base DN for users
  2. Base DN for groups
  3. Primary group search attribute
  4. User search attributes

7. Enter your service account credentials.

8. Critical: Set the Identity Source name to match your previous identity source name exactly to preserve all permissions.

9. Click Add to save the configuration.

10. Test authentication by logging in with an LDAP user account.

Additional Information

For more information, see:

Related Articles:

Important Notes:

  • Load-balanced LDAP configurations are fully supported for both AD-over-LDAP and standard LDAPS configurations
  • When changing identity sources, always use the exact same name as the previous source to preserve vCenter permissions
  • The sAMAccountName attribute is only mandatory for AD-over-LDAP configurations, not for standard LDAP/OpenLDAP configurations
Powered by Wolken Software