Certain Active Directory (AD) users, who are members of a Security Group assigned permissions in vCenter, are unable to log in to the Aria Operations (formerly vRealize Operations/vROPS) User Interface (UI).
The login fails with the following error:
401 Unauthorized Error : Unable to authorize VMware Aria Operations/vCenter Server API with the provided credentials
vCenter Server : 8.0.x
Aria Operations : 8.18.x
The primary cause is an incorrect configuration of the Base DN (Distinguished Name) value within the Active Directory Authentication Source settings in Aria Operations.
Although the AD Security Group has been assigned the necessary permissions (e.g., Read-Only) at the vCenter level, the Aria Operations appliance is unable to correctly query or synchronize with the AD domain to authorize these users due to the malformed or incorrect Base DN entry.
1.1 Connect to an Active Directory server or a machine with the Active Directory Users and Computers (ADUC) management console installed.
1.2 Open Active Directory Users and Computers (dsa.msc).
1.3 Go to the View menu and enable Advanced Features.
1.4 Navigate through the tree structure to locate the Organizational Unit (OU) or Container that holds the user or group objects intended to be synchronized with Aria Operations.
1.5 Right-click on the relevant OU/Container and select Properties.
1.6 In the Properties window, select the Attribute Editor tab.
1.7 Find the distinguishedName attribute in the list.
1.8 Select the distinguishedName attribute and click the View or Edit button.
1.9 Copy the exact entry displayed in the Value field. This is the correct Base DN to use in the Directory Connection configuration (e.g., OU=Users,DC=example,DC=com).
2.1 Log in to the Aria Operations UI with an administrator account.
2.2 Navigate to Administration Control Panel, and then click the Authentication Sources tile.
2.3 Select the existing Active Directory Authentication Source configuration and click Edit.
2.4 Paste the correct Base DN value copied in Step 1.9 into the corresponding field.
2.5 Save the configuration and test the connection.
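A copied Base DN can be sanity-checked before it is pasted into the Authentication Source. The Python sketch below is an added example, not VMware code or part of the original article: it checks that a Base DN is well formed and whether a given user or group DN falls under it, since an LDAP search only returns objects at or below the search base. The user and group DNs are constructed sample values, and the DN parsing is a simplified form of RFC 4514.

```python
import re

# Simplified RFC 4514 handling: split on commas not preceded by a backslash.
_RDN_SPLIT = re.compile(r'(?<!\\),')
_RDN_FORM = re.compile(r'^\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.+?)\s*$')

def parse_dn(dn):
    """Return [(type, value), ...] lower-cased; raise ValueError if malformed."""
    if not dn or not dn.strip():
        raise ValueError("empty DN")
    rdns = []
    for part in _RDN_SPLIT.split(dn):
        m = _RDN_FORM.match(part)
        if not m:
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((m.group(1).lower(), m.group(2).lower()))
    return rdns

def check_base_dn(base_dn):
    """Return a list of problems with a Base DN; an empty list means none found."""
    try:
        types = [t for t, _ in parse_dn(base_dn)]
    except ValueError as exc:
        return [str(exc)]
    if "dc" not in types:
        return ["no DC= components (domain suffix missing)"]
    # In an AD DN the DC= components form the tail, after any OU=/CN=.
    if any(t != "dc" for t in types[types.index("dc"):]):
        return ["non-DC component after the first DC="]
    return []

def is_under_base(object_dn, base_dn):
    """True if object_dn equals base_dn or lies below it (subtree scope)."""
    obj, base = parse_dn(object_dn), parse_dn(base_dn)
    return len(obj) >= len(base) and obj[-len(base):] == base

if __name__ == "__main__":
    base = "OU=Users,DC=example,DC=com"  # example value from the article
    # Constructed sample DNs (hypothetical objects, not from the article).
    for dn in ("CN=Jane Doe,OU=Users,DC=example,DC=com",
               "CN=vc-readonly,OU=Groups,DC=example,DC=com"):
        print(dn, "->", "in scope" if is_under_base(dn, base) else "OUT of scope")
    for candidate in (base, base + ",", "example.com", "OU=Users"):
        print(repr(candidate), check_base_dn(candidate) or "ok")
```

If the security group or its members report as out of scope, the Base DN needs to be a common parent of both the users and the group.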