VMware Identity Manager is slow during Active Directory sync
Article ID: 336445

Products

VMware Aria Suite

Issue/Introduction

When performing an Active Directory sync using an LDAP or Integrated Windows Authentication directory for groups and/or users, the syncs take an extremely long time to complete.

Environment

VMware Identity Manager 2.x

Cause

The DNS SRV records point to all domain controllers in the environment, including geographically remote domain controllers and those reachable only over slow links.

Resolution

To fix the issue, optimize the directory syncs by pointing to specific domain controllers, overriding the DNS SRV records.
 
When using LDAP Directory:
 
Create a domain_krb.properties file on the Workspace appliance and update the krb5.conf file with the domains used by Workspace and Horizon View.
 
Note: In the domain_krb.properties file, the domain names must be in lower case. Mixed case and upper case are not supported.
 
To create a domain_krb.properties file on the Workspace appliance and update the krb5.conf file with the domains used by Workspace/vIDM:
  1. From the Workspace Portal appliance command line, log in as the root user.
  2. Change directories to /usr/local/horizon/conf and create a file called domain_krb.properties.
  3. Edit the domain_krb.properties file to add the list of the domain-to-host values. Use only lowercase characters when you type the domain name. Add the information as:

    <AD domain>=<host:port>,<host2:port2>,<host3:port3>

    For example, enter the list as:

    example.com=examplehost.example.com:389,examplehost2.example.com:389
     
  4. Change the ownership of the domain_krb.properties file by running:

    chown horizon:www /usr/local/horizon/conf/domain_krb.properties
 

When using Integrated Windows Authentication Directory:

Create a domain_krb.properties file on the Workspace appliance and update the krb5.conf file with the domains used by Workspace/vIDM.
 
Note: In the domain_krb.properties file, the domain names must be in lower case. Mixed case and upper case are not supported.
 
To create a domain_krb.properties file on the Workspace appliance and update the krb5.conf file with the domains used by Workspace/vIDM:
  1. From the Workspace Portal appliance command line, log in as the root user.
  2. Change directories to /usr/local/horizon/conf and create a file called domain_krb.properties.
  3. Edit the domain_krb.properties file to add the list of the domain-to-host values. Use only lowercase characters when you type the domain name. Add the information as:

    <AD domain>=<host:port>,<host2:port2>,<host3:port3>

    For example, enter the list as:

    example.com=examplehost.example.com:389,examplehost2.example.com:389
     
  4. Change the ownership of the domain_krb.properties file by running:

    chown horizon:www /usr/local/horizon/conf/domain_krb.properties
     
  5. Update the [realms] section of the /etc/krb5.conf file with the same domain-to-host values that you used in the domain_krb.properties file, one kdc entry per host, without the port numbers:

    kdc = examplehost.example.com

    For example:

    [realms]
    GAUTO-QA.COM = {
        auth_to_local = RULE:[1:$0\$1](^GAUTO-QA\.COM\\.*)s/^GAUTO-QA\.COM/GAUTO-QA/
        auth_to_local = RULE:[1:$0\$1](^GAUTO2QA\.GAUTO-QA\.COM\\.*)s/^GAUTO2QA\.GAUTO-QA\.COM/GAUTO2QA/
        auth_to_local = RULE:[1:$0\$1](^GLOBEQE\.NET\\.*)s/^GLOBEQE\.NET/GLOBEQE/
        auth_to_local = DEFAULT
        kdc = examplehost.example.com
        kdc = examplehost2.example.com
    }


    Note: Multiple kdc entries are possible, as shown in this example, but not required; in most cases there is only a single kdc value. If you define additional kdc values, each line is a separate kdc entry that identifies one domain controller.
  6. Run this command to restart the workspace service:

    service horizon-workspace restart

    Note: Joining or leaving the domain overwrites the KDC values in /etc/krb5.conf, so re-check the kdc entries after any domain join.

    If the issue persists, also add the domain controllers listed in domain_krb.properties to the /etc/hosts file.

    For example, one line per domain controller, in the form <IP address> <hostname>:

    <IP address of examplehost1>  examplehost1.example.com
    <IP address of examplehost2>  examplehost2.example.com
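As an added example, not part of this KB article or the appliance, the following Python check validates a domain_krb.properties file against the rules above (lowercase domain names, host:port entries) and reports kdc hosts that are missing from the matching /etc/krb5.conf realm, which is what a domain join can cause. The file contents are constructed samples, and the realm name is assumed to be the domain name in upper case.

```python
import re

# Constructed sample of /usr/local/horizon/conf/domain_krb.properties.
SAMPLE_PROPERTIES = "example.com=examplehost.example.com:389,examplehost2.example.com:389\n"

# Constructed [realms] stanza from /etc/krb5.conf: a domain join replaced the second kdc line.
SAMPLE_KRB5 = """\
[realms]
EXAMPLE.COM = {
    kdc = examplehost.example.com
    kdc = other-dc.example.com
}
"""

HOST_RE = re.compile(r"^[A-Za-z0-9.-]+:\d{1,5}$")

def parse_domain_krb(text):
    """Parse domain_krb.properties into {domain: [(host, port), ...]}; rejects
    a domain that is not lowercase and a host entry that is not host:port."""
    mapping = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        domain, _sep, hosts = (s.strip() for s in line.partition("="))
        if domain != domain.lower():
            raise ValueError(f"line {lineno}: domain {domain!r} must be lowercase")
        entries = []
        for item in (s.strip() for s in hosts.split(",")):
            if not HOST_RE.match(item):
                raise ValueError(f"line {lineno}: bad host entry {item!r}")
            host, port = item.rsplit(":", 1)
            entries.append((host, int(port)))
        mapping[domain] = entries
    return mapping

def krb5_kdcs(krb5_text, realm):
    """Return the kdc hosts listed in the [realms] stanza for realm (ports are not used there)."""
    pattern = r"(?m)^\s*" + re.escape(realm) + r"\s*=\s*\{(.*?)^\s*\}"
    stanza = re.search(pattern, krb5_text, re.S)
    return re.findall(r"(?m)^\s*kdc\s*=\s*(\S+)", stanza.group(1)) if stanza else []

def krb5_drift(properties_text, krb5_text):
    """Per domain, hosts in domain_krb.properties missing from its krb5.conf realm (assumed domain.upper())."""
    drift = {}
    for domain, entries in parse_domain_krb(properties_text).items():
        present = set(krb5_kdcs(krb5_text, domain.upper()))
        drift[domain] = [host for host, _ in entries if host not in present]
    return drift
```

Run it on the real files after each domain join; any non-empty list in the result means the kdc entries from step 5 need to be restored.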


Additional Information

Synchronizing VMware Horizon View Pool in Workspace portal fails with error: Failed to complete View sync due to a problem with the View Connection Server