Unable to load AD users after LDAPs Identity source configured, getting an error as 'A vCenter Single Sign-On service error occurred'
Article ID: 411450

Products

VMware SDDC Manager
VMware vCenter Server 8.0
VMware vCenter Server

Issue/Introduction

Listing users fails with the error 'A vCenter Single Sign-On service error occurred' when using the following click path:

vCenter UI >> Administration >> Single Sign-On >> Users and Groups >> Users >> select the AD domain.

Environment

vCenter 7.x

vCenter 8.x

Cause

The following log entries are seen in vCenter:

/var/log/vmware/sso/ssoAdminServer.log

yyyy-mm-ddThh:mm:ss.713Z ERROR ssoAdminServer[513:pool-2-thread-410] [OpId=f112cb40-9235-4eac-9c65-02e9fb19700d] [com.vmware.identity.idm.server.IdentityManager] Failed to find person users [Criteria : searchString=test, domain=domain.com] in tenant [vsphere.local]
yyyy-mm-ddThh:mm:ss.713Z ERROR ssoAdminServer[513:pool-2-thread-410] [OpId=f112cb40-9235-4eac-9c65-02e9fb19700d] [com.vmware.identity.idm.server.ServerUtils] Exception 'com.vmware.identity.idm.InvalidPrincipalException: Required user identity attribute [uid] is missing for user dn=[cn=username,ou=users,o=OU]'
com.vmware.identity.idm.InvalidPrincipalException: Required user identity attribute [uid] is missing for user dn=[cn=username,ou=users,o=OU]
..
..
yyyy-mm-ddThh:mm:ss.713Z ERROR ssoAdminServer[513:pool-2-thread-410] [OpId=f112cb40-9235-4eac-9c65-02e9fb19700d] [com.vmware.identity.admin.server.ims.impl.PrincipalManagementImpl] Idm client exception
com.vmware.identity.idm.InvalidPrincipalException: Required user identity attribute [uid] is missing for user dn=[cn=username,ou=users,o=OU]

/var/log/vmware/sso/vsphere_client_virgo.log

[yyyy-mm-ddThh:mm:ss.739Z] [ERROR] p-nio-127.0.0.1-5090-exec-12  c.v.vsphere.client.sso.admin.impl.PrincipalManagementServiceImpl  PrincipalManagementServiceImpl.findUsers com.vmware.vim.binding.sso.fault.InternalFault: Invalid principal: cn=username,ou=users,o=OU
Caused by: The specified principal (cn=username,ou=users,o=OU) is invalid.
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
..
..
[yyyy-mm-ddThh:mm:ss.742Z] [ERROR] p-nio-127.0.0.1-5090-exec-12  com.vmware.vsphere.client.h5.pscui.controller.PscController       Error while fetching the users and/or groups com.vmware.vsphere.client.sso.admin.exception.SsoBackendException: A vCenter Single Sign-On service error occurred

Validate the user configuration in AD: the uid attribute is missing for the user DN listed in the log entries (dn=[cn=username,ou=users,o=OU] in the example above).

Resolution

vCenter requires the uid attribute of each user object in order to list AD users from an LDAPS identity source; a user without it is rejected as an invalid principal.

Hence the uid attribute needs to be added to the specified user in the directory.
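The following helper is an added example and is not part of this article or of any VMware tooling. It ties the Cause and Resolution sections together: it scans ssoAdminServer.log text for the InvalidPrincipalException lines shown above, extracts every user DN and the attribute vCenter reports as missing, and emits an LDIF modify block that an administrator could review and apply with a standard ldapmodify client. The sample log lines are constructed (placeholder OpId and user names), and the choice of uid value is an assumption (the cn value is reused), so the generated LDIF must be checked against the directory's own naming convention before use.

```python
import re
from collections import OrderedDict

# Constructed sample lines modelled on the ssoAdminServer.log entries in the
# Cause section. Timestamps, OpIds and user names are placeholders, not values
# taken from a real system.
SAMPLE_LOG = """\
yyyy-mm-ddThh:mm:ss.713Z ERROR ssoAdminServer[513:pool-2-thread-410] [OpId=00000000-0000-0000-0000-000000000000] [com.vmware.identity.idm.server.IdentityManager] Failed to find person users [Criteria : searchString=test, domain=domain.com] in tenant [vsphere.local]
yyyy-mm-ddThh:mm:ss.713Z ERROR ssoAdminServer[513:pool-2-thread-410] [OpId=00000000-0000-0000-0000-000000000000] [com.vmware.identity.idm.server.ServerUtils] Exception 'com.vmware.identity.idm.InvalidPrincipalException: Required user identity attribute [uid] is missing for user dn=[cn=jdoe,ou=users,o=OU]'
com.vmware.identity.idm.InvalidPrincipalException: Required user identity attribute [uid] is missing for user dn=[cn=jdoe,ou=users,o=OU]
yyyy-mm-ddThh:mm:ss.801Z ERROR ssoAdminServer[513:pool-2-thread-412] [OpId=00000000-0000-0000-0000-000000000000] [com.vmware.identity.idm.server.ServerUtils] Exception 'com.vmware.identity.idm.InvalidPrincipalException: Required user identity attribute [uid] is missing for user dn=[cn=asmith,ou=users,o=OU]'
yyyy-mm-ddThh:mm:ss.900Z INFO ssoAdminServer[513:pool-2-thread-413] [OpId=00000000-0000-0000-0000-000000000000] [com.vmware.identity.idm.server.IdentityManager] Found 3 users
"""

# Matches the message format shown in the article's log excerpt: the attribute
# name in square brackets and the user DN in dn=[...].
MISSING_ATTR_RE = re.compile(
    r"Required user identity attribute \[(?P<attr>[^\]]+)\] is missing for user dn=\[(?P<dn>[^\]]+)\]"
)


def find_missing_attributes(log_text):
    """Return unique (dn, attribute) pairs reported as missing, in first-seen order.

    The same exception is usually logged more than once per lookup (see the
    repeated lines in the Cause section), so duplicates are collapsed.
    """
    seen = OrderedDict()
    for line in log_text.splitlines():
        m = MISSING_ATTR_RE.search(line)
        if m:
            seen.setdefault((m.group("dn"), m.group("attr")), None)
    return list(seen.keys())


def rdn_value(dn, rdn_type="cn"):
    """Return the value of the first RDN of the given type ('cn=jdoe,ou=...' -> 'jdoe')."""
    for component in dn.split(","):
        name, _, value = component.partition("=")
        if name.strip().lower() == rdn_type:
            return value.strip()
    return None


def build_ldif(missing, value_for_dn=rdn_value):
    """Build an LDIF 'changetype: modify' block adding each missing attribute.

    Assumption: the attribute value is derived from the DN's cn (hypothetical
    convention). Replace value_for_dn with a lookup that matches the real
    directory's naming rules before applying the output.
    """
    entries = []
    for dn, attr in missing:
        value = value_for_dn(dn)
        if value is None:
            continue  # no usable cn; leave this user for manual review
        entries.append(f"dn: {dn}\nchangetype: modify\nadd: {attr}\n{attr}: {value}\n-\n")
    return "\n".join(entries)


if __name__ == "__main__":
    missing = find_missing_attributes(SAMPLE_LOG)
    for dn, attr in missing:
        print(f"{dn}: missing attribute {attr}")
    print(build_ldif(missing))
```

Run the script against a copy of ssoAdminServer.log in place of SAMPLE_LOG to get the list of affected DNs; the LDIF it prints is a starting point for the directory administrator, not something to apply unreviewed, because only the directory owner knows what the correct uid value for each account is.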