...
Symptoms

When using the Active Directory (Integrated Windows Authentication) identity source from vCenter Single Sign-On 5.5 (SSO), Platform Services Controller 6.0 (PSC), or the vRealize Automation Identity Appliance, you experience these symptoms:

- Attempting to browse and add users to the vCenter Server permissions (Local Permissions: Hosts and Clusters > vCenter > Manage > Permissions; Global Permissions: Administration > Global Permissions) fails with one of these errors:

    Cannot load the users for the selected domain.

  or

    Error while extracting local SSO users

- Attempting to browse users from your Active Directory domain under the Users tab (Administration > Users and Groups) in vCenter Server fails with the error:

    com.vmware.identity.idm.IDMException: Failed to establish server connection.

- Attempting to browse and add users to the vRealize Automation Center permissions fails with the error:

    System Exception.

- In the /var/log/vmware/sso/vmware-sts-idmd.log file on the vCenter Single Sign-On server or Platform Services Controller, you see entries similar to:

    [YYYY-MM-DDT<time>Z vsphere.local 3572c5f8-e776-4049-8487-d94f68634a2f WARN ] [ServerUtils] cannot bind connection: [ldap://<Active Directory Domain Controller FQDN>, null]
    [YYYY-MM-DDT<time>Z vsphere.local 3572c5f8-e776-4049-8487-d94f68634a2f ERROR] [ServerUtils] cannot establish connection with uri: [ldap://<Active Directory Domain Controller FQDN>]
    [YYYY-MM-DDT<time>Z vsphere.local 3572c5f8-e776-4049-8487-d94f68634a2f INFO ] [ActiveDirectoryProvider] removeDcInfo - domain [<Active Directory Domain Name>], domainFQDN [<Active Directory Domain Controller FQDN>], domainIpAddress [<Active Directory Domain Controller IP>]
    [YYYY-MM-DDT<time>Z vsphere.local 3572c5f8-e776-4049-8487-d94f68634a2f ERROR] [ActiveDirectoryProvider] Failed to get non-GC connection to domain <Active Directory Domain> - domain controller might be offline
    com.vmware.identity.interop.idm.IdmNativeException: Native platform error [code: 40287][LW_ERROR_LDAP_LOCAL_ERROR][]
        at com.vmware.identity.interop.idm.LinuxIdmNativeAdapter.LdapSaslBind(LinuxIdmNativeAdapter.java:345)
        at com.vmware.identity.interop.ldap.LinuxLdapClientLibrary.ldap_sasl_bind_s(LinuxLdapClientLibrary.java:676)
        at com.vmware.identity.interop.ldap.LdapConnection.bindSaslConnection(LdapConnection.java:158)
        at com.vmware.identity.idm.server.ServerUtils.getLdapConnection(ServerUtils.java:297)
        at com.vmware.identity.idm.server.ServerUtils.getLdapConnectionByURIs(ServerUtils.java:215)
    ...
    [YYYY-MM-DDT<time>Z vsphere.local b77dc08e-9d6b-4386-af56-eee92feae7c6 WARN ] [ServerUtils] cannot bind connection: [ldap://<Active Directory Domain Controller FQDN>, null]
    [YYYY-MM-DDT<time>Z vsphere.local b77dc08e-9d6b-4386-af56-eee92feae7c6 ERROR] [ServerUtils] cannot establish connection with uri: [ldap://<Active Directory Domain Controller FQDN>]
    [YYYY-MM-DDT<time>Z vsphere.local b77dc08e-9d6b-4386-af56-eee92feae7c6 ERROR] [ActiveDirectoryProvider] Failed to get non-GC connection to domain <Active Directory Domain Name> in retry
    com.vmware.identity.interop.idm.IdmNativeException: Native platform error [code: 40287][LW_ERROR_LDAP_LOCAL_ERROR][]
    [YYYY-MM-DDT<time>Z vsphere.local b77dc08e-9d6b-4386-af56-eee92feae7c6 ERROR] [IdentityManager] Failed to find person users [Criteria : searchString=, domain=markit.partners] in tenant [vsphere.local]
    [YYYY-MM-DDT<time>Z vsphere.local b77dc08e-9d6b-4386-af56-eee92feae7c6 ERROR] [ServerUtils] Exception 'com.vmware.identity.idm.IDMException: Failed to establish server connection'
    com.vmware.identity.idm.IDMException: Failed to establish server connection
    ...
    Caused by: com.vmware.identity.idm.IDMException: Failed to get non-GC connection to domain <Active Directory Domain Name> in retry
    [YYYY-MM-DD <time> vsphere.local 9439b581-c839-4765-b8e7-39d3af448747 WARN ] [ServerUtils] cannot bind connection: [ldap://<Active Directory Domain Controller FQDN>, null]
    [YYYY-MM-DD <time> vsphere.local 9439b581-c839-4765-b8e7-39d3af448747 ERROR] [ServerUtils] cannot establish connection with uri: [ldap://<Active Directory Domain Controller FQDN>]
    [YYYY-MM-DD <time> vsphere.local 9439b581-c839-4765-b8e7-39d3af448747 ERROR] [IdentityManager] Failed to find person users [Criteria : searchString=po.tenant, domain=<Active Directory Domain Name>] in tenant [vsphere.local]
    [YYYY-MM-DD <time> vsphere.local 9439b581-c839-4765-b8e7-39d3af448747 ERROR] [ServerUtils] Exception 'com.vmware.identity.idm.IDMException: Failed to establish server connection'
    com.vmware.identity.idm.IDMException: Failed to establish server connection
    ... 22 more

  Note: The preceding log excerpts are only examples. Date, time, and environment-specific values vary depending on your environment.
Cause

This issue occurs because the Likewise Kerberos stack requires every DNS server to be configured with the Reverse Lookup Zone and requires that Pointer (PTR) records exist for all Active Directory Domain Controllers (AD DCs). The Likewise Kerberos stack in the appliances uses both forward and reverse name lookup to canonicalize hostnames for use in service principal names, so a missing or wrong PTR record makes the SASL (Kerberos) bind to that domain controller fail even though the forward lookup succeeds.
Resolution

To resolve this issue, ensure that all DNS servers have the Reverse Lookup Zone configured and the Active Directory Domain Controller (AD DC) Pointer (PTR) records present. The procedure has three parts:

- Determining the DNS servers of the vCenter Server or vRealize Automation Appliance
- Checking Active Directory Trust Enumeration
- Checking Active Directory Domain Controller DNS Resolution

Determining the DNS servers of the vCenter Server or vRealize Automation Appliance

1. Initiate an SSH connection to the vCenter Server or vRealize Automation Appliance.
2. Enter the root username and password when prompted.

   Note: If you are using vSphere 6.0, run these commands to switch to the Bash shell:

       shell.set --enable True
       shell

3. Run this command to review the DNS servers configured for the vCenter Server or vRealize Automation Appliance:

       less /etc/resolv.conf

   For example:

       nameserver 10.100.10.213
       nameserver 10.10.10.252

   Note: On VCSA 6.5/6.7, you also see the entry nameserver 127.0.0.1. This entry is the local DNS cache served by the Dnsmasq service.

Checking Active Directory Trust Enumeration

To determine all trusts that are enumerated by the SSO 5.5, PSC 6.0, or Identity Appliance 6.x:

1. Initiate an SSH connection to the SSO, PSC, or Identity Appliance.
2. Enter the root username and password when prompted.

   Note: If you are using vSphere 6.0, run these commands to switch to the Bash shell:

       shell.set --enable True
       shell

3. Run this command to review all of the trusts enumerated by the Likewise Kerberos stack on the SSO, PSC, or Identity Appliance:

       less /var/lib/likewise/krb5-affinity.conf

   Note: This file lists all of the trusts currently accessible from the SSO, PSC, or Identity Appliance.

   You see output similar to:

       [realms]
       DomainA.local = {
        kdc = 10.10.10.213
       }
       DomainB.local = {
        kdc = 10.10.10.81
       }
       ChildDomainA.DomainB.local = {
        kdc = 10.10.10.85
       }
       ChildDomainB.DomainB.Local = {
        kdc = 10.10.10.83
       }
       DomainC.local = {
        kdc = 10.10.10.252
        kdc = 10.10.10.250
       }
       ChildDomainC.DomainB.local = {
        kdc = 10.10.10.247
        kdc = 10.10.10.82
       }

4. Run this command to view a list of domain controllers that are not accessible from the appliance:

       grep "cannot establish connection with uri:" /var/log/vmware/sso/vmware-sts-idmd.log | cut -d'[' -f4 | sort -nr | uniq -c

   or

       grep "cannot establish connection with uri:" /var/log/vmware/sso/vmware-sts-idmd.log | cut -d'[' -f4 | uniq

   Note: On vCenter Server 6.5, if the preceding commands do not list any domain controller names, try this command instead:

       grep "cannot establish connection with uri:" /var/log/vmware/sso/vmware-sts-idmd.log | cut -d']' -f 3 | cut -d '/' -f 3 | sort | uniq -c

   You see output similar to:

       ldap://localhost:389]
       ldap://dc2-root.DomainA.local]
       ldap://Vigrid.local]
       ldap://DC-4.DomainB.local]
       ldap://dc-us.DomainC.local]
       ldap://dc2-nh.DomainB.local]
       ldap://sqa-dc-3.DomainB.local]
       ldap://dc2-root.DomainA.local]
       ldap://DC-4.DomainB.local]

Checking Active Directory Domain Controller DNS Resolution

1. Initiate an SSH connection to the appliance.
2. Enter the root username and password when prompted.

   Note: If you are using vSphere 6.0, run these commands to switch to the Bash shell:

       shell.set --enable True
       shell

3. Using nslookup from the appliance, run this command to ensure that forward DNS resolution works for each domain controller identified in the Checking Active Directory Trust Enumeration section:

       nslookup dc2-root.DomainA.local

   Note: This command displays the IP address of the domain controller.

   You see output similar to:

       nslookup dc2-root.DomainB.local
       Server: 10.100.10.213
       Address: 10.100.10.213#53

       Non-authoritative answer:
       Name: dc2-root.DomainB.local
       Address: 10.10.10.81

4. To ensure that reverse DNS resolution works for the domain controllers, run this command:

       nslookup 10.10.10.81

   If the reverse lookup is incorrect or missing (there may also be several incorrect PTR records for one address), you see output similar to:

       nslookup 10.10.10.81
       Server: 10.100.10.213
       Address: 10.100.10.213#53

       Non-authoritative answer:
       81.10.10.10.in-addr.arpa name = <Incorrect FQDN>.

       Authoritative answers can be found from:

5. Repeat steps 1 to 4 for any additional Active Directory Domain Controllers to determine which records are missing or incorrect.

To resolve the issue when there are missing or incorrect records, use one of these options:

Option 1: Create or update the PTR record(s) for the Active Directory Domain Controller(s) on the DNS servers listed in the Determining the DNS servers of the vCenter Server or vRealize Automation Appliance section.

Option 2: Update the DNS servers configured on the appliance so that it uses DNS servers that contain the correct PTR records for your Active Directory Domain Controllers. For more information, see the Edit the DNS and IP Address Settings of the vCenter Server Appliance section in the vCenter Server Appliance Configuration guide.

Option 3: Add the missing reverse lookup records for the Active Directory Domain Controller(s) to the appliance's /etc/hosts file. For more information, see Editing files on an ESX host using vi or nano (1020302). Entries added to the /etc/hosts file on the appliance must use this format:

    IP_Address FQDN_of_Domain_Controller Short_Name_of_Domain_Controller

For example:

    10.10.10.81 dc2-root.DomainB.local dc2-root
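The following script is an added example, not part of this article or of VMware's tooling. It automates the Trust Enumeration and DNS Resolution checks above: it extracts every KDC address from krb5-affinity.conf, tallies the domain controllers that vmware-sts-idmd.log reports as unreachable, and then verifies for each KDC that a PTR record exists and that its name resolves back to the same address, which is the forward/reverse agreement the Likewise stack needs. The sample affinity file and log lines embedded in it are constructed for illustration, the function names are this example's own, and it uses getent (the system resolver, so entries added to /etc/hosts under Option 3 are honoured) rather than nslookup, which queries DNS directly.

```shell
#!/bin/sh
# Added example, not from the KB: automate the trust-enumeration and
# DNS-resolution checks for every KDC the Likewise stack knows about.

# Constructed sample of /var/lib/likewise/krb5-affinity.conf (not a real environment)
SAMPLE_AFFINITY='[realms]
DomainA.local = {
 kdc = 10.10.10.213
}
DomainC.local = {
 kdc = 10.10.10.252
 kdc = 10.10.10.250
}'

# Constructed sample lines in the vmware-sts-idmd.log layout shown in Symptoms
SAMPLE_IDMD_LOG='[YYYY-MM-DDT00:00:00Z vsphere.local 3572c5f8-e776-4049-8487-d94f68634a2f WARN ] [ServerUtils] cannot bind connection: [ldap://dc2-root.DomainA.local, null]
[YYYY-MM-DDT00:00:01Z vsphere.local 3572c5f8-e776-4049-8487-d94f68634a2f ERROR] [ServerUtils] cannot establish connection with uri: [ldap://dc2-root.DomainA.local]
[YYYY-MM-DDT00:00:05Z vsphere.local 3572c5f8-e776-4049-8487-d94f68634a2f ERROR] [ServerUtils] cannot establish connection with uri: [ldap://DC-4.DomainB.local]
[YYYY-MM-DDT00:00:09Z vsphere.local 3572c5f8-e776-4049-8487-d94f68634a2f ERROR] [ServerUtils] cannot establish connection with uri: [ldap://dc2-root.DomainA.local]'

# Read an affinity file on stdin; print "realm kdc_ip" pairs, one per line.
list_kdcs() {
    awk '
        /=[[:space:]]*[{]/ { realm = $1 }
        /^[[:space:]]*kdc[[:space:]]*=/ {
            line = $0
            sub(/^[^=]*=[[:space:]]*/, "", line)
            gsub(/[[:space:]]+$/, "", line)
            print realm, line
        }'
}

# Read vmware-sts-idmd.log on stdin; print "count hostname" for each DC the
# identity service could not reach, most frequent first. Keys on the ldap://
# URI rather than on bracket positions, so it works for both the 6.0 and the
# 6.5 line layouts that need different cut arguments in the KB.
unreachable_dcs() {
    sed -n 's/.*cannot establish connection with uri: \[ldap:\/\/\([^]:]*\).*/\1/p' \
        | sort | uniq -c | sort -rn
}

# Resolver wrappers (hypothetical helper names); getent honours /etc/hosts and DNS.
forward_lookup() {   # $1 = FQDN -> prints the address(es) it resolves to
    getent hosts "$1" | awk '{ print $1 }'
}
reverse_lookup() {   # $1 = IP   -> prints the PTR name(s)
    getent hosts "$1" | awk '{ print $2 }'
}

# Verify one KDC: it must have a PTR record, and that name must resolve back
# to the same address. Prints OK, MISSING_PTR or MISMATCH; non-zero on failure.
check_kdc() {
    ip="$1"
    ptr=$(reverse_lookup "$ip" | head -n 1)
    if [ -z "$ptr" ]; then
        echo "MISSING_PTR $ip"
        return 1
    fi
    fwd=$(forward_lookup "$ptr")
    if ! printf '%s\n' "$fwd" | grep -qxF "$ip"; then
        echo "MISMATCH $ip -> $ptr -> ${fwd:-<none>}"
        return 1
    fi
    echo "OK $ip -> $ptr"
}

# Check every KDC listed in an affinity file body ($1); non-zero if any fails.
check_affinity() {
    rc=0
    for ip in $(printf '%s\n' "$1" | list_kdcs | awk '{ print $2 }'); do
        check_kdc "$ip" || rc=1
    done
    return $rc
}

# On an appliance, run against the real files; elsewhere the functions can be
# exercised with the constructed samples above.
AFFINITY_FILE=/var/lib/likewise/krb5-affinity.conf
IDMD_LOG=/var/log/vmware/sso/vmware-sts-idmd.log
if [ -r "$AFFINITY_FILE" ]; then
    echo "== Domain controllers the identity service could not reach =="
    [ -r "$IDMD_LOG" ] && unreachable_dcs < "$IDMD_LOG"
    echo "== Forward/reverse check of every KDC in $AFFINITY_FILE =="
    check_affinity "$(cat "$AFFINITY_FILE")"
fi
```

A MISMATCH line points at the PTR record that the Symptoms section's "Incorrect FQDN" output would show; a MISSING_PTR line corresponds to a reverse zone that has no record for that controller. Either result on a KDC that still has a forward record is exactly the state that produces the LW_ERROR_LDAP_LOCAL_ERROR bind failure, so the script's non-zero exit can be used as a pre-check before adding the identity source.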
Related Information

- "There is already a native AD IDS or LDAP AD IDS registered", Unable to disjoin/leave vCenter Server Appliance from Active Directory Domain
- Editing files on an ESX host using vi or nano