Deleting a domain group from vCenter fails with 'Unexpected error encountered while performing your action'
search cancel

Deleting a domain group from vCenter fails with 'Unexpected error encountered while performing your action'

book

Article ID: 435603

calendar_today

Updated On:

Products

VMware vCenter Server

Issue/Introduction

  • Failure in deleting the domain group from the vCenter group: 'Unexpected error encountered while performing your action'.
  • The group was previously a part of the domain group, but was already deleted from the domain controller.
  • Following error message in /var/log/vmware/sso/ssoAdminServer.log

    YYYY-MM-DDTHH:MM:SS.105Z INFO ssoAdminServer[138:pool-2-thread-31] [OpId=mnsmcdgh-20382-auto-fqa-h5:70005717] [com.vmware.identity.admin.vlsi.PrincipalManagementServiceImpl] [User {Name: user, Domain: domain.com} with role 'Administrator'] Removing principals '[(Name: Group, Domain: domain.com)}' from local group 'Administrators'
    YYYY-MM-DDTHH:MM:SS.801Z ERROR ssoAdminServer[138:pool-2-thread-31] [OpId=mnsmcdgh-20382-auto-fqa-h5:70005717] [com.vmware.identity.idm.server.IdentityManager] Failed to find person user [[email protected]] in tenant [vsphere.local]
    YYYY-MM-DDTHH:MM:SS.278Z INFO ssoAdminServer[138:pool-2-thread-31] [OpId=mnsmcdgh-20382-auto-fqa-h5:70005717] [com.vmware.identity.server.provider.vmwdirectory.VMwareDirectoryProvider] principalDn [Group] is not a member for group [Group], skipping LdapMod Op
    YYYY-MM-DDTHH:MM:SS.278Z INFO ssoAdminServer[138:pool-2-thread-31] [OpId=mnsmcdgh-20382-auto-fqa-h5:70005717] [com.vmware.identity.admin.vlsi.PrincipalManagementServiceImpl] Vmodl method PrincipalManagementService.removePrincipalsFromLocalGroup return value is [false]

Environment

VMware vCenter Server 8.0.x

Cause

The group has been deleted from the AD side, resulting in a verification failure between VC and the authentication source during the group deletion process.

Resolution

Locate and remove the orphaned SID.

  1. Locate the SID from ssoAdminServer.log or use the command below.

    /usr/lib/vmware-vmafd/bin/dir-cli group list --name <Group_name>

  2. Use JXplorer to delete the externalObjectID from the Group, else
    Use the ldapmodify command to delete the externalObjectID.

    ldapmodify -h localhost -D "cn=administrator,cn=users,dc=vsphere,dc=local" -W << EOF
    dn: cn=<Group_name>,cn=Builtin,dc=vsphere,dc=local
    changetype: modify
    delete: member
    member: externalObjectId=<[email protected]>
    EOF

  3. Verify that the orphaned SID is removed successfully.

    /usr/lib/vmware-vmafd/bin/dir-cli group list --name <Group_name>

  4. Re-delete the Active Directory group from the vCenter Local group.

Additional Information

Adding a Domain User to vCenter Group fails with error 'Unexpected error encountered while performing your action'

Powered by Wolken Software