Assigning a role to a domain user in SDDC Manager fails with the message: "Failed to update role details. Permission not found."
Article ID: 415628

Products

VMware SDDC Manager
VMware vCenter Server

Issue/Introduction

During the process of adding a user or group and assigning a role in SDDC Manager, the operation fails with the error: "Failed to update role details. Permission not found."

Reviewing the log at /var/log/vmware/sso/ssoAdminServer.log on the management vCenter Server shows the lookup of the user failing with an InvalidPrincipalException:

YYYY-MM-DDTHH:MM:SS INFO ssoAdminServer[125:pool-2-thread-25] [OpId=########-####-####-####-########] [com.vmware.identity.vlsi.SessionManagerImpl] User {Name: user, Domain: test.lab} with role 'Administrator' logged in successfully.
YYYY-MM-DDTHH:MM:SS INFO ssoAdminServer[125:pool-2-thread-25] [OpId=########-####-####-####-########] [com.vmware.identity.vlsi.RoleBasedAuthorizer] User {Name: user, Domain: test.lab} with role 'Administrator' is authorized for method call 'IdentitySourceManagementService.getSslCertificateManager'
YYYY-MM-DDTHH:MM:SS INFO ssoAdminServer[119:pool-2-thread-19] [OpId=########-####-####-####-########] [com.vmware.identity.vlsi.RoleBasedAuthorizer] User {Name: user, Domain: test.lab} with role 'Administrator' is authorized for method call 'PrincipalDiscoveryService.findPersonUser'
YYYY-MM-DDTHH:MM:SS INFO ssoAdminServer[125:pool-2-thread-25] [OpId=########-####-####-####-########] [com.vmware.identity.admin.vlsi.PrincipalDiscoveryServiceImpl] [User {Name: user, Domain: test.lab} with role 'Administrator'] Find person user {Name: username, Domain: domainname.local}
YYYY-MM-DDTHH:MM:SS ERROR ssoAdminServer[125:pool-2-thread-25] [OpId=########-####-####-####-########] [com.vmware.identity.idm.server.IdentityManager] Failed to find person user [[email protected]] in tenant [test.lab]
YYYY-MM-DDTHH:MM:SS ERROR ssoAdminServer[125:pool-2-thread-25] [OpId=########-####-####-####-########] [com.vmware.identity.idm.server.ServerUtils] Exception 'com.vmware.identity.idm.InvalidPrincipalException: Principal id username@domain.local not found'
com.vmware.identity.idm.InvalidPrincipalException: Principal id username@domain.local not found
        at com.vmware.identity.idm.server.provider.BaseLdapProvider.lookupAccountLdapEntry(BaseLdapProvider.java:606) ~[libvmware-identity-idm-server.jar:?]
        at com.vmware.identity.idm.server.provider.BaseLdapProvider.findAccountLdapEntry(BaseLdapProvider.java:752) ~[libvmware-identity-idm-server.jar:?]
        at com.vmware.identity.idm.server.provider.BaseLdapProvider.findAccountLdapEntry(BaseLdapProvider.java:678) ~[libvmware-identity-idm-server.jar:?]

Environment

SDDC Manager 5.x
SDDC Manager 9.x

Cause

The AD over LDAP identity source was configured with the domain name domain.local, which does not match the actual domain, domainname.local (the domain of the configured userBaseDN and groupBaseDN). Because of this mismatch, user lookups against the identity source fail, so adding users and assigning roles in SDDC Manager fails.

Resolution

  • To verify the Identity Source configuration:

    • On the management vCenter Server, run the following command: sso-config.sh -get_identity_sources
      IdentitySourceName        :  domain.local
      DomainType                :  EXTERNAL_DOMAIN
      alias                     :  domain
      authenticationType        :  PASSWORD
      userBaseDN                :  dc=domainname,dc=local
      groupBaseDN               :  dc=domainname,dc=local
      providerType              :  IDENTITY_STORE_TYPE_LDAP_WITH_AD_MAPPING
      FriendlyName              :  domainname.local
      URL                       :  ldap://<DC_Name>:389
      
    • On SDDC Manager:
      • In the navigation pane, click Developer Center
      • API Explorer > API for Managing Identity Providers
      • Select GET > /v1/identity-providers
  • Remove the existing AD over LDAP identity source configuration from the Single Sign-On settings in SDDC Manager:
    • In the navigation pane, click Administration > Single Sign On.
    • Click Identity Provider.
    • Select the incorrect identity source and click Remove.

  • Reconfigure the AD over LDAP identity source:
    • In the navigation pane, click Administration > Single Sign On.
    • Click Identity Provider.
    • Click Add and select AD over LDAP.
    • The Connect Identity Provider wizard opens.
    • Click Next.
    • Enter the server settings and click Next.

  • Retry the role assignment process in SDDC Manager.
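As an added example (not part of this article or of VMware's tooling), the following Python script checks the output of sso-config.sh -get_identity_sources for the mismatch this article describes: an identity source whose userBaseDN or groupBaseDN resolves to a different DNS domain than its IdentitySourceName. The sample output embedded below is constructed from the values shown above; the parsing rules assume the "key : value" layout printed by that command.

```python
import re

# Constructed sample: the misconfigured identity source shown in this
# article, where IdentitySourceName (domain.local) does not match the
# domain implied by the base DNs (dc=domainname,dc=local).
SAMPLE_OUTPUT = """\
IdentitySourceName        :  domain.local
DomainType                :  EXTERNAL_DOMAIN
alias                     :  domain
authenticationType        :  PASSWORD
userBaseDN                :  dc=domainname,dc=local
groupBaseDN               :  dc=domainname,dc=local
providerType              :  IDENTITY_STORE_TYPE_LDAP_WITH_AD_MAPPING
FriendlyName              :  domainname.local
URL                       :  ldap://<DC_Name>:389
"""

def parse_identity_sources(text):
    """Split 'key : value' output into one dict per identity source.
    Each source starts at its IdentitySourceName line."""
    sources = []
    for line in text.splitlines():
        m = re.match(r"^\s*(\w+)\s*:\s*(.*?)\s*$", line)
        if not m:
            continue
        key, value = m.groups()
        if key == "IdentitySourceName":
            sources.append({})
        if sources:
            sources[-1][key] = value
    return sources

def base_dn_to_domain(dn):
    """Turn 'ou=Users,dc=domainname,dc=local' into 'domainname.local'.
    Only dc= components make up the DNS domain; OUs are ignored."""
    parts = [p.strip() for p in dn.split(",")]
    return ".".join(p[3:] for p in parts if p.lower().startswith("dc=")).lower()

def check_source(src):
    """Return findings for one source; an empty list means it is consistent."""
    findings = []
    name = src.get("IdentitySourceName", "").lower()
    for key in ("userBaseDN", "groupBaseDN"):
        if key in src and base_dn_to_domain(src[key]) != name:
            findings.append(f"{key} {src[key]!r} implies domain "
                            f"{base_dn_to_domain(src[key])!r}, but "
                            f"IdentitySourceName is {name!r}")
    return findings

def check_output(text):
    """Map each IdentitySourceName to its list of findings."""
    return {s["IdentitySourceName"]: check_source(s)
            for s in parse_identity_sources(text)}

if __name__ == "__main__":
    for name, findings in check_output(SAMPLE_OUTPUT).items():
        print(name, "OK" if not findings else "MISMATCH")
        for f in findings:
            print("  -", f)
```

Pipe the real command output into check_output on the management vCenter Server; any source reported as MISMATCH is a candidate for the remove-and-reconfigure steps above.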