Adding an Active Directory identity source in vCenter Single Sign-On 5.5 fails with the error: The host is required to join to domain [domain.local] but joined to [null]

Article ID: 310326

Products

VMware vCenter Server
VMware vSphere ESXi

Issue/Introduction

Symptoms:
  • Cannot add a vCenter Single Sign-On (SSO) Active Directory identity source
  • Adding the identity source fails
  • You see the error:

    The "Add identity source" operation failed for the entity with the following error message.

    The host is required to join to domain [domain.local] but joined to [null]

  • When setting up a new Active Directory (Integrated Windows Authentication) identity source, you used the Use machine account option
  • vCenter Server is not joined to an Active Directory domain
  • The Domain name field on the Add identity source window displays WORKGROUP


Environment

VMware vSphere Web Client 5.5.x
VMware vCenter Server 5.5.x

Cause

Using a machine account when configuring an Active Directory identity source for vCenter Server requires that the Windows system be joined to the domain. If the system is not joined to the domain, SSO cannot leverage the machine account to create the identity source and perform its function as the secure token service user.

Because vCenter Server Appliance is Linux-based, it cannot use the Use machine account option. If the vCenter Server Appliance is joined to the domain, it can, however, detect the domain to which it belongs.

Resolution

To resolve this issue in vCenter Server Appliance 5.5, use only the Use SPN option.

For more information on setting up an SPN, see Creating and using a Service Principal Account in vCenter Single Sign-On 5.5 (2058298).

To resolve this issue in vCenter Server 5.5 installed on Windows Server, join your Windows server running vCenter Server to the domain and then add the Active Directory (Integrated Windows Authentication) identity source to SSO:

Note: If vCenter Server and SSO are installed on separate systems per a custom install, join both systems to the domain.
  1. Join your Microsoft Windows server running vCenter Server to the domain. For more information, see the Microsoft TechNet article How to Join Your Computer to a Domain.

    Note: The preceding link was correct as of September 19, 2013. If you find the link is broken, provide feedback and a VMware employee will update the link.

  2. Reboot the server for the changes to take effect.
  3. After the system is up and the services are started, add the Active Directory (Integrated Windows Authentication) identity source to SSO.

    To add the Active Directory (Integrated Windows Authentication) identity source to SSO:
    1. Log in to the vSphere Web Client as the SSO administrator, [email protected].
    2. Click Administration.
    3. If closed, expand Single Sign-On by clicking on the arrow to the left.
    4. Click Configuration.
    5. Click the Identity Sources tab.
    6. Click the Add Identity Source icon under the options menu.
    7. Select the Active Directory (Integrated Windows Authentication) option.

      Note: If the Domain name field is not automatically populated with the proper Windows DNS domain, enter the proper DNS domain.

    8. Select Use machine account and click OK.

      After the Active Directory identity source is configured, users from that domain can be added to vCenter Server.
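
A pre-check for the condition behind this error, added here as an example and not taken from the VMware article: run it on the Windows server hosting vCenter Server (and on the SSO server, if separate) after the reboot and before adding the identity source. The function name Test-SsoDomainJoin and its ExpectedDomain parameter are assumptions; domain.local is the placeholder domain from the error text.

```powershell
# Added example (not VMware code). Confirms that the host is joined to the
# expected domain and that its machine account still has a working trust.
function Test-SsoDomainJoin {
    param(
        [Parameter(Mandatory = $true)]
        [string]$ExpectedDomain   # assumed parameter, e.g. 'domain.local'
    )

    # Win32_ComputerSystem reports the domain membership of the host. When the
    # host is not joined, Domain holds the workgroup name (e.g. WORKGROUP).
    $cs = Get-WmiObject -Class Win32_ComputerSystem

    $result = New-Object PSObject -Property @{
        ComputerName    = $cs.Name
        PartOfDomain    = [bool]$cs.PartOfDomain
        ReportedDomain  = $cs.Domain
        DomainMatches   = $false
        SecureChannelOk = $false
        Ready           = $false
    }

    if (-not $result.PartOfDomain) {
        Write-Warning "Host is in workgroup '$($cs.Domain)'. Join it to $ExpectedDomain and reboot first."
        return $result
    }

    # -eq on strings is case-insensitive in PowerShell.
    $result.DomainMatches = ($cs.Domain -eq $ExpectedDomain)
    if (-not $result.DomainMatches) {
        Write-Warning "Host is joined to '$($cs.Domain)', not '$ExpectedDomain'."
    }

    # The machine account option depends on the computer account's trust with
    # the domain, so a broken secure channel is reported as not ready.
    try {
        $result.SecureChannelOk = [bool](Test-ComputerSecureChannel -ErrorAction Stop)
    } catch {
        Write-Warning "Secure channel check failed: $($_.Exception.Message)"
    }

    $result.Ready = $result.DomainMatches -and $result.SecureChannelOk
    return $result
}

Test-SsoDomainJoin -ExpectedDomain 'domain.local'
```

Ready = False with PartOfDomain = False corresponds to the WORKGROUP symptom listed above.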


Additional Information

Creating and using a Service Principal Account in vCenter Single Sign-On 5.5