After removing and re-adding an "Active Directory over LDAP" identity source on the vSphere UI, domain users are unable to perform an "Edit Settings" action on VMs

Article ID: 437560

Products

VMware vCenter Server

Issue/Introduction

  • When domain users try to edit the settings of a VM, the following error is displayed:

Error Loading Data

An error occurred while trying to load data. This could be due to temporary outage. You can retry the operation by clicking retry button.

Error Details - com.vmware.vim.binding.vmodl.MethodFault

  • At the time the domain user attempts to edit the VM settings, the following errors are logged in /var/log/vmware/vmware-sps/sps.log:

YYYY-MM-DDThh:mm:ss.sss [pool-x-thread-xx] INFO opId=vb-xxxx:RiseToVisePropertyProviderAdapter:xxxxx-xxxx-xx:xxxxxxxx com.vmware.pbm.vapi.authorization.AuthorizationManagerImpl - [getEffectivePrivilege] Logged in user name is xxxxx\xxxxx
YYYY-MM-DDThh:mm:ss.sss [pool-x-thread-xx] ERROR opId=q-xxxx:xxxx-getProperties:urn:vmomi:VirtualMachine:vm-xxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxxxx:RiseToVisePropertyProviderAdapter:xxxxx-xxxx-xx:xxxxxxxx com.vmware.vim.storage.common.serviceclient.identity.impl.AuthenticatedSsoManagerImpl - Could not find the domain name of the username xxxxx\xxxxx
YYYY-MM-DDThh:mm:ss.sss [pool-x-thread-xx] ERROR opId=q-xxxx:xxui-getProperties:urn:vmomi:VirtualMachine:vm-xxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxxxx:RiseToVisePropertyProviderAdapter:xxxxx-xxxx-xx:xxxxxxxx com.vmware.pbm.vapi.authorization.ProfilePermissionAPIValidatorImpl - [checkProfileValidity] Exception occurred during getEffectivePrivilege
java.lang.NullPointerException
        at com.vmware.pbm.vapi.authorization.AuthorizationManagerImpl.getEffectivePrivilege(AuthorizationManagerImpl.java:1011)

Environment

VCF 5.2.2.0

Cause

An incorrect domain alias was specified when the identity source was re-added in the vSphere UI under Administration > Single Sign On > Configuration > Identity Sources > Add.

Resolution

Re-add the identity source and specify the correct domain alias.

Per the documentation:

Domain alias:

For Active Directory identity sources, the domain's NetBIOS name.

Add the NetBIOS name of the Active Directory domain as an alias of the identity source if you are using SSPI authentications.

For OpenLDAP identity sources, the domain name in capital letters is added if you do not specify an alias.
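
To see which domain prefix the failing users sign in with, and compare it against the NetBIOS name entered as the domain alias, the sps.log signature shown above can be summarised per prefix. The following shell function is an added example, not VMware or Broadcom code; it assumes the text before the backslash in the logged user name is that prefix, and the sample log lines and names in it are constructed.

```shell
#!/bin/sh
# Added example, not vendor code. Assumption: the text before the backslash in
# the logged user name is the domain prefix the user signed in with.

# Print "<prefix> lookups_failed=<n> npe=<m>" for each prefix found in an sps.log.
sps_alias_failures() {
    awk '
    /AuthenticatedSsoManagerImpl - Could not find the domain name of the username/ {
        user = $NF                      # last field is PREFIX\user
        n = index(user, "\\")
        prefix = (n > 0) ? substr(user, 1, n - 1) : "(none)"
        failed[prefix]++
        pending = prefix                # attribute the next NPE frame to this prefix
        next
    }
    /AuthorizationManagerImpl\.getEffectivePrivilege/ && pending != "" {
        npe[pending]++                  # stack frame of the NullPointerException
        pending = ""
    }
    END {
        for (p in failed)
            printf "%s lookups_failed=%d npe=%d\n", p, failed[p], npe[p]
    }' "$1" | sort
}

# Constructed sample in the log format shown in this article (all values made up).
sample_sps_log() {
    cat <<'EOF'
2025-01-01T10:00:00.000 [pool-1-thread-1] INFO opId=a com.vmware.pbm.vapi.authorization.AuthorizationManagerImpl - [getEffectivePrivilege] Logged in user name is CORP\alice
2025-01-01T10:00:00.001 [pool-1-thread-1] ERROR opId=a com.vmware.vim.storage.common.serviceclient.identity.impl.AuthenticatedSsoManagerImpl - Could not find the domain name of the username CORP\alice
2025-01-01T10:00:00.002 [pool-1-thread-1] ERROR opId=a com.vmware.pbm.vapi.authorization.ProfilePermissionAPIValidatorImpl - [checkProfileValidity] Exception occurred during getEffectivePrivilege
java.lang.NullPointerException
        at com.vmware.pbm.vapi.authorization.AuthorizationManagerImpl.getEffectivePrivilege(AuthorizationManagerImpl.java:1011)
2025-01-01T10:05:00.001 [pool-1-thread-2] ERROR opId=b com.vmware.vim.storage.common.serviceclient.identity.impl.AuthenticatedSsoManagerImpl - Could not find the domain name of the username CORP\bob
java.lang.NullPointerException
        at com.vmware.pbm.vapi.authorization.AuthorizationManagerImpl.getEffectivePrivilege(AuthorizationManagerImpl.java:1011)
2025-01-01T10:06:00.001 [pool-1-thread-3] ERROR opId=c com.vmware.vim.storage.common.serviceclient.identity.impl.AuthenticatedSsoManagerImpl - Could not find the domain name of the username LAB\carol
EOF
}

# Run against a real log when a path is given, e.g. /var/log/vmware/vmware-sps/sps.log
if [ "$#" -gt 0 ]; then sps_alias_failures "$1"; fi
```

A prefix that still shows new lookup failures after the identity source has been re-added indicates the alias does not yet match what users sign in with.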

Additional Information

For an LDAPS connection, certificates must be provided when adding the identity source. To retrieve them, use this command:

openssl s_client -showcerts -connect ldaps_server_fqdn:port