Unable to administer vCenter Single Sign-On after adding a User Group and individual users from a Directory Service (OpenLDAP or Active Directory)

Article ID: 328321

Products

VMware

Issue/Introduction

Symptoms:
After adding a User Group and individual users from the Directory Service configured in vCenter Single Sign-On to any of the SSO Security Groups, you experience these symptoms:
  • Logging in to the vSphere Web Client with your directory user account, you cannot see the Single Sign-On - Administration section
  • Logging in to the vSphere Web Client with your directory user account, you cannot access the Single Sign-On - System Configuration section
  • Attempting to access the Single Sign-On - System Configuration section reports:

    You do not have permissions to view this page. You must be a member of the SystemConfiguration.Administrators group in vCenter Single Sign-On to access System Configuration.
     
  • You cannot administer vCenter Single Sign-On even though your Directory Service account is a member of the SSO Administrators group.
  • If you log in as the default SSO administrator account (administrator@vsphere.local), you can see the Single Sign-On Administration section.
Note: The SSO Security Groups are Administrators (vSphere 5.5 and 6.0) and, in vSphere 6.0, ComponentManager.Administrators, SystemConfiguration.Administrators and LicenseService.Administrators. They are located at Administration > Single Sign-On > Users and Groups > Groups.


Resolution

This issue is resolved in vCenter Server 6.0 Update 2, available at VMware Downloads. For more information, see VMware vCenter Server 6.0 Update 2 Release Notes. Additionally, see the Additional Information section Active Directory Groups not supported with Group-Based Permissions for caveats surrounding the groups that may be used.
 
To work around this issue, manually assign each user individually to every Single Sign-On Security Group in which that user requires access.
 
Notes: Non-SSO directory users (for example, Active Directory users) must be added to each SSO Security Group individually. Membership granted to an SSO Security Group does not propagate to nested directory groups, so users who are only members of a nested group do not receive the group's permissions.
 
Using directory User Groups as members of vCenter Single Sign-On Security Groups is not supported, and nesting directory groups inside vSphere groups such as the vSphere Administrators group is not supported either. To grant access to the individual vSphere Security Groups, use one of these methods:
 
For Microsoft Active Directory environments:
  • Assign individual users from your Active Directory to the vCenter Single Sign-On Administrators group.

    Note: While using User Groups from Active Directory may work after adding the Groups to the Administrators group within vCenter Single Sign-On, this is currently not supported.
 
For OpenLDAP environments:
  • Assign individual users from your OpenLDAP Directory Service to the vCenter Single Sign-On Administrators group.

    Note: For OpenLDAP environments, adding User Groups to the vCenter Single Sign-On Administrators group is not currently supported.
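Because the workaround above requires every directory user to be added to each SSO Security Group individually, and because membership does not propagate through nested directory groups, the practical step is to flatten the directory group you would have liked to use into its individual user accounts first. The following script is an added example (it is not part of this article and not VMware code) that walks a nested group membership tree, tolerates membership cycles, and flags the well-known Active Directory principals from the Additional Information section that SSO does not honour. The directory snapshot, the user names and the group names in it are constructed for illustration; in practice you would build the same dictionary from ldapsearch (OpenLDAP) or Get-ADGroupMember (Active Directory) output.

```python
"""Flatten a nested directory group into the individual user accounts that
must be added, one at a time, to a vCenter Single Sign-On security group."""

# Subset of the well-known Active Directory principals listed under
# Additional Information; adding them to an SSO security group grants nothing.
UNSUPPORTED_AD_GROUPS = frozenset({
    "Everyone", "Authenticated Users", "Builtin Administrators",
    "Builtin Users", "Power Users", "Account Operators",
    "Server Operators", "Backup Operators", "Local System",
})

# Constructed snapshot (hypothetical names): group name -> list of
# (kind, name) members, where kind is "user" or "group".
DIRECTORY = {
    "vSphere Admins": [("group", "Platform Team"), ("user", "alice"),
                       ("group", "Authenticated Users")],
    # "Platform Team" nests back into "vSphere Admins" to show cycle handling.
    "Platform Team": [("user", "bob"), ("group", "On-Call"),
                      ("group", "vSphere Admins")],
    "On-Call": [("user", "carol"), ("user", "bob")],
}


def flatten_group(group, directory, unsupported=UNSUPPORTED_AD_GROUPS):
    """Return (users, skipped): users is the sorted list of individual
    accounts reachable from `group` through any depth of nesting; skipped
    lists unsupported well-known groups met on the way. Cycles are tolerated
    by remembering every group already visited."""
    users, skipped, seen = set(), [], set()
    stack = [group]
    while stack:
        current = stack.pop()
        if current in seen:
            continue
        seen.add(current)
        if current in unsupported:
            skipped.append(current)  # SSO ignores it, so do not expand it
            continue
        for kind, name in directory.get(current, []):
            if kind == "user":
                users.add(name)
            elif kind == "group":
                stack.append(name)
            else:
                raise ValueError(f"unknown member kind {kind!r} in {current!r}")
    return sorted(users), skipped


def assignment_plan(group, target_sso_groups, directory=DIRECTORY):
    """Produce the per-user assignments the workaround requires: every
    individual user goes into every target SSO security group, because
    SSO group membership does not propagate through nested groups."""
    users, skipped = flatten_group(group, directory)
    plan = [(user, sso) for user in users for sso in target_sso_groups]
    return plan, skipped


if __name__ == "__main__":
    plan, skipped = assignment_plan(
        "vSphere Admins",
        ["Administrators", "SystemConfiguration.Administrators"],
    )
    for user, sso in plan:
        print(f"add {user} to vsphere.local\\{sso}")
    for name in skipped:
        print(f"skipped unsupported group: {name}")
```

The output of the plan is the list of (user, SSO group) pairs to apply by hand in Administration > Single Sign-On > Users and Groups; the skipped list tells you which well-known groups would silently have granted nothing had you added them.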


Additional Information

Active Directory Groups not supported with Group-Based Permissions:

The following Active Directory groups are not supported for group-based permissions within the Single Sign-On Security Groups. Adding any of them to a Single Sign-On Security Group does not grant its members the permissions defined by that SSO group.
 
Null Authority
Nobody
World Authority
Everyone
Local Authority
Local
Console Logon
Creator Authority
Creator Owner
Creator Group
Creator Owner Server
Creator Group Server
Non-unique Authority
NT Authority
Dialup
Network
Batch
Interactive
Logon Session
Service
Anonymous
Proxy
Enterprise Domain Controllers
Principal Self
Authenticated Users
Restricted Code
Terminal Server Users
Remote Interactive Logon
This Organization
IIS User
Local System
NT Authority
NT Authority
Enterprise Read-only Domain Controllers
Builtin Administrators
Builtin Users
Builtin Guests
Power Users
Account Operators
Server Operators
Print Operators
Backup Operators
Replicators
NTLM Authentication
SChannel Authentication
Digest Authentication
NT Service
All Services
NT VIRTUAL MACHINE\\Virtual Machines
Untrusted Mandatory Level
Low Mandatory Level
Medium Mandatory Level
Medium Plus Mandatory Level
High Mandatory Level
System Mandatory Level
Protected Process Mandatory Level
Secure Process Mandatory Level
BUILTIN\\Pre-Windows 2000 Compatible Access
BUILTIN\\Remote Desktop Users
BUILTIN\\Network Configuration Operators
BUILTIN\\Incoming Forest Trust Builders
BUILTIN\\Performance Monitor Users
BUILTIN\\Performance Log Users
BUILTIN\\Windows Authorization Access Group
BUILTIN\\Terminal Server License Servers
BUILTIN\\Distributed COM Users
BUILTIN\\Cryptographic Operators
BUILTIN\\Event Log Readers
BUILTIN\\Certificate Service DCOM Access
BUILTIN\\RDS Remote Access Servers
BUILTIN\\RDS Endpoint Servers
BUILTIN\\RDS Management Servers
BUILTIN\\Hyper-V Administrators
BUILTIN\\Access Control Assistance Operators
BUILTIN\\Remote Management Users
Authentication authority asserted identity
Service asserted identity