
vCenter Single Sign-On 5.5 Not Recognizing Nested Active Directory Groups

I was testing vSphere 5.5 upgrades in my lab and came across an interesting situation that you need to be aware of. In a nutshell, pay attention to how your Active Directory groups are configured on your vCenter Server and avoid nesting any domain-level user or group accounts inside local groups.

Here’s the situation I ran into.  My lab was running a vanilla vCenter 5.1 install.  In vCenter I only had one permission assigned, which is for the local “Administrators” group.

With this setup I was able to log in with any user who was a member of the local “Administrators” group. This included *both* the local administrator account and the domain administrator account. The domain administrator was able to log in because, when my vCenter server joined the AD domain, the “Domain Admins” group was automatically added as a member of the local “Administrators” group. So the domain administrator’s access was obtained through a nested group membership – the domain group “Domain Admins” was nested inside the local “Administrators” group, which was the group given permissions to vCenter.

While this nesting of a domain group inside a local group worked with 5.1, it does not work with 5.5. I discovered this following a successful upgrade to vCenter 5.5. After the upgrade I could log in as the domain administrator, but I couldn’t see any objects in the vCenter inventory (see http://kb.vmware.com/kb/2059528).

To fix this I had to explicitly assign permissions on the vCenter server to the “Domain Admins” group. To do this I logged in as the local administrator, selected the vCenter server, then went to the “Manage” and “Permissions” tabs. There I added full Administrator permissions for the “Domain Admins” group.

The takeaway here is that when moving to vSphere 5.5, whether a new install or an upgrade, you should watch your group memberships and avoid nesting domain users and groups inside local groups. Again, more information can be found in this knowledge base article: http://kb.vmware.com/kb/2059528.
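The following PowerCLI audit is an added example, not code from the original post: it lists the domain principals that reach vCenter only by being nested inside the local “Administrators” group, warns about root-level permissions granted to machine-local groups, and with `-Fix` grants the explicit Administrator permission the post describes. It assumes an open `Connect-VIServer` session, that it runs on the Windows vCenter Server host (so the local group can be read through ADSI), and that machine-local principals are reported by `Get-VIPermission` as `COMPUTERNAME\name`.

```powershell
# Added audit script, not from the original post. Assumes an open PowerCLI
# session (Connect-VIServer) and that it runs on the Windows vCenter Server
# itself, so the local "Administrators" group can be read through ADSI.
param([switch]$Fix)   # -Fix adds the missing explicit permissions

$me = $env:COMPUTERNAME

# 1. Domain principals that reach vCenter only by being nested inside the
#    local Administrators group (e.g. "LAB\Domain Admins" after domain join).
$group  = [ADSI]"WinNT://./Administrators,group"
$nested = foreach ($m in @($group.Invoke("Members"))) {
    # ADsPath is "WinNT://<domain-or-computer>/<name>"; a machine-local member
    # carries the computer name, a domain member carries the NetBIOS domain.
    $path  = $m.GetType().InvokeMember("ADsPath", "GetProperty", $null, $m, $null)
    $kind  = $m.GetType().InvokeMember("Class",   "GetProperty", $null, $m, $null)
    $parts = ($path -replace '^WinNT://', '') -split '/'
    if ($parts[0] -ne $me) {
        [pscustomobject]@{ Principal = "$($parts[0])\$($parts[1])"; Kind = $kind }
    }
}

# 2. Permissions on the vCenter root object (the "vCenter server" node in the
#    client). Local principals are assumed to appear as "<COMPUTERNAME>\<name>".
$root  = Get-Folder -NoRecursion
$perms = Get-VIPermission -Entity $root

foreach ($p in $perms | Where-Object { $_.Principal -like "$me\*" -and $_.IsGroup }) {
    $msg = "Role '{0}' on '{1}' is granted to local group {2}; SSO 5.5 will not " +
           "resolve domain members nested inside it."
    Write-Warning ($msg -f $p.Role, $root.Name, $p.Principal)
}

# 3. Every nested domain principal needs its own explicit permission.
foreach ($n in $nested) {
    $explicit = $perms | Where-Object { $_.Principal -ieq $n.Principal } | Select-Object -First 1
    if ($explicit) {
        Write-Host ("OK      {0} ({1}) has explicit role '{2}'" -f $n.Principal, $n.Kind, $explicit.Role)
        continue
    }
    Write-Warning ("MISSING explicit vCenter permission for nested {0} {1}" -f $n.Kind, $n.Principal)
    if ($Fix) {
        # Mirrors the manual fix in the post: Administrator on the vCenter
        # object, propagated to all child objects.
        New-VIPermission -Entity $root -Principal $n.Principal `
            -Role (Get-VIRole -Name Administrator) -Propagate $true | Out-Null
    }
}
```

Run it without `-Fix` first; the warnings show exactly which group memberships 5.5 will stop honouring before anything is changed.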

23 thoughts on “vCenter Single Sign-On 5.5 Not Recognizing Nested Active Directory Groups”

  1. Steve

    What about Domain groups nested inside System-Domain groups? We are about to upgrade from 5.1 U1 and our SSO configuration has our Domain Admins nested inside the Administrators@System-Domain which itself is nested inside __LSAdministrators__@System-Domain. Rights are then granted to __LSAdministrators__. Do you know if this is broken in 5.5 as well?

  2. Pingback: monkeydust.net » VMWare VCenter No Longer Shows Any Servers After Upgrading to 5.5

  3. LincolnIT

    Thank you for taking the time to write this. It worked perfectly!! I can’t understand why this didn’t propagate with the upgrade. Appears to be an oversight.

  4. Pingback: Welcome to vSphere-land! » vSphere 5.5 Link-O-Rama

  5. aenagy

    Does this affect nested domain groups? For example, we create a domain local group and grant it Administrator in vCenter and then make the suitable global groups with the actual user accounts a member of that domain local group.

  7. Pingback: VMware: Current known issues vCenter Server 5.5 « Bart's Weblog

  8. Josh Siddon

    Thanks for the post. This really saved me. I was killing myself reading everything I could find to fix this issue.

  9. Loren

    Nested AD domain groups appear to be working with vCenter permissions, but not with SSO permissions. I’ve configured an AD domain as a default identity source and mapped the group vCenter-Admins to the SSO Administrator role. I’ve also granted that group the Administrator role in vCenter. I’ve nested another group, Tier-3-Admins, in vCenter-Admins. My user is a member of Tier-3-Admins. With this setup, I have full administrator permissions to vCenter, but not administrator permissions to SSO. If I add my user account directly to vCenter-Admins, then I do have administrator permissions to SSO.

  10. DaveS

    Unlike Loren (Nov 1 posting), I could only get the desired results by explicitly adding the individual usernames to both vCenter Permissions and SSO Administrators. AD group membership seems to have no effect, though AD authentication works fine.

    1. DaveS

      I’ve repeated my testing, and found exactly the results reported by Loren — SSO AD group membership does not work (I must explicitly add individual SSO Admins; using Domain Admins does not work), but using Domain Admins for vCenter Permissions works fine. Thanks.

  12. Pingback: vCenter SSO nested groups

  13. Pingback: vCenter Single Sign-On 5.5 Not Recognizing Nested Active Directory Groups | VMware vSphere Blog – VMware Blogs | NizMoTek IT Solutions

  14. Pingback: www.vExperienced.co.uk » vRealize Orchestrator 6.0 – deployment gotchas

  15. I Gno Nothing

    I know this is an old post, but I still had this problem 2.5yrs after the OP and found the solution.
    1. Log into vSphere as ‘administrator@vsphere.local’
    2. From the ‘Home’ menu, click ‘Roles’ in the Administration section
    3. Under Access Control, click ‘Roles’ from the left navigation menu
    4. Click ‘Administrator’ from the middle window pane
    5. Now the far right window will show the ‘vsphere.local\Administrator’ user for your vCenter server
    Click on that line and now the name of your vCenter server should be a hyperlink
    6. Click that hyperlink
    You should now be on the Administration page
    7. Go to the ‘Manage’ > ‘Permissions’ tab
    8. Click the plus sign ‘+’ to add
    9. At the top right, change the drop-down from ‘No access’ to ‘Administrator’
    10. At the bottom-left, click ‘Add’
    11. Change Domain to your AD/LDAP domain
    12. Search/Select the desired group which you want to become an Administrator of VSphere
    click ‘Add’
    click ‘OK’
    13. Click OK again to apply your permission change

    You should see your newly added group on this page, as well as on the Access Control > Roles > Administrator section.
    And you should now be able to log into vSphere with your domain account, which is a member of the aforementioned group.

  17. Pingback: Vmware Single Sign On |

  18. Pingback: Vmware Single Sign On | Workers Compensation lawyer LA

  19. Pingback: vcenter 5.5 manage 5.1 | manage my link