

vCenter Single Sign-On 5.5 Not Recognizing Nested Active Directory Groups

I was testing vSphere 5.5 upgrades in my lab and came across an interesting situation that you need to be aware of. In a nutshell, pay attention to how your Active Directory groups are configured on your vCenter Server and avoid nesting any domain level user or group accounts inside of local groups.

Here’s the situation I ran into. My lab was running a vanilla vCenter 5.1 install. In vCenter I only had one permission assigned, which was for the local “Administrators” group.

With this setup I was able to log in with any user who was a member of the local “Administrators” group. This included *both* the local administrator account and the domain administrator account. The domain administrator was able to log in because, when my vCenter server joined the AD domain, the “Domain Admins” group was automatically added as a member of the local “Administrators” group. So the domain administrator’s access was obtained through a nested group membership: the domain group “Domain Admins” was nested inside the local “Administrators” group, and it was the local group that had been given permissions in vCenter.

While this nesting of a domain group inside of a local group worked with 5.1, it does not work with 5.5. I discovered this following a successful upgrade to vCenter 5.5. After the upgrade I could log in as the domain administrator, but I couldn’t see any objects in the vCenter inventory (see http://kb.vmware.com/kb/2059528).

To fix this I had to explicitly assign permissions on the vCenter server to the “Domain Admins” group. To do this I logged in as the local administrator, selected the vCenter server, then went to the “Manage” and “Permissions” tabs. There I added full admin permissions for the “Domain Admins” group.

The takeaway here is that when moving to vSphere 5.5, whether by a new install or an upgrade, you should check your group memberships and avoid nesting domain users and groups inside local groups. Again, more information can be found in this knowledge base article: http://kb.vmware.com/kb/2059528.
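A PowerCLI audit that lists exactly the assignments this post is about (a vCenter role granted to a local Windows group that has domain users or groups nested inside it), added here as an example and not code from the original post or from VMware. It assumes VMware PowerCLI, PowerShell 5.1 or later for Get-LocalGroupMember, that it runs on the Windows vCenter Server itself, that local-group principals appear as "<HOST>\<Group>" or "BUILTIN\<Group>", and a placeholder server name.

```powershell
# Added example, not code from the blog post or from VMware.
# Assumptions: VMware PowerCLI is installed, PowerShell 5.1+ (Get-LocalGroupMember),
# the script runs on the Windows vCenter Server itself, the server name below is a
# placeholder, and local-group principals are reported by Get-VIPermission as
# "<HOST>\<Group>" or "BUILTIN\<Group>".
Import-Module VMware.VimAutomation.Core
Connect-VIServer -Server 'vcenter.example.local' | Out-Null   # placeholder hostname

function Find-NestedDomainPrincipal {
    $localHost = [regex]::Escape($env:COMPUTERNAME)

    # Only permissions whose principal is a group on the local machine matter here;
    # these are the assignments whose nested domain members stop resolving in 5.5.
    $localGroupPerms = Get-VIPermission | Where-Object {
        $_.IsGroup -and $_.Principal -match "^(?:$localHost|BUILTIN)\\.+$"
    }

    foreach ($perm in $localGroupPerms) {
        $groupName = ($perm.Principal -split '\\')[-1]

        # Members sourced from Active Directory (users or groups such as
        # "CORP\Domain Admins") are the nested principals that will lose access.
        $domainMembers = Get-LocalGroupMember -Group $groupName -ErrorAction SilentlyContinue |
            Where-Object { $_.PrincipalSource -eq 'ActiveDirectory' }

        foreach ($m in $domainMembers) {
            [pscustomobject]@{
                Entity          = $perm.Entity        # inventory object the role is set on
                LocalGroup      = $perm.Principal
                Role            = $perm.Role
                NestedPrincipal = $m.Name             # e.g. "CORP\Domain Admins"
                PrincipalType   = $m.ObjectClass      # User or Group
                Propagate       = $perm.Propagate
            }
        }
    }
}

$findings = Find-NestedDomainPrincipal
$findings | Format-Table -AutoSize

# Remediation as the post describes it: grant the same role directly to each nested
# domain principal on the same entity. Review the findings first, then run:
# $findings | ForEach-Object {
#     New-VIPermission -Entity $_.Entity -Principal $_.NestedPrincipal `
#                      -Role $_.Role -Propagate $_.Propagate
# }
```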

15 thoughts on “vCenter Single Sign-On 5.5 Not Recognizing Nested Active Directory Groups”

  1. Steve

    What about Domain groups nested inside System-Domain groups? We are about to upgrade from 5.1 U1 and our SSO configuration has our Domain Admins nested inside the Administrators@System-Domain which itself is nested inside __LSAdministrators__@System-Domain. Rights are then granted to __LSAdministrators__. Do you know if this is broken in 5.5 as well?

  2. Pingback: monkeydust.net » VMWare VCenter No Longer Shows Any Servers After Upgrading to 5.5

  3. LincolnIT

    Thank you for taking the time to write this. It worked perfectly!! I can’t understand why this didn’t propagate with the upgrade. Appears to be an oversight.

  4. Pingback: Welcome to vSphere-land! » vSphere 5.5 Link-O-Rama

  5. aenagy

    Does this affect nested domain groups? For example, we create a domain local group and grant it Administrator in vCenter and then make the suitable global groups with the actual user accounts a member of that domain local group.

  7. Pingback: VMware: Current known issues vCenter Server 5.5 « Bart's Weblog

  8. Josh Siddon

    Thanks for the post. This really saved me. I was killing myself reading everything I could find to fix this issue.

  9. Loren

    Nested AD domain groups appear to be working with vCenter permissions, but not with SSO permissions. I’ve configured an AD domain as a default identity source and mapped the group vCenter-Admins to the SSO Administrator role. I’ve also granted that group the Administrator role in vCenter. I’ve nested another group, Tier-3-Admins, in vCenter-Admins. My user is a member of Tier-3-Admins. With this setup, I have full administrator permissions to vCenter, but not administrator permissions to SSO. If I add my user account directly to vCenter-Admins, then I do have administrator permissions to SSO.

  10. DaveS

    Unlike Loren (Nov 1 posting), I could only get the desired results by explicitly adding the individual usernames to both vCenter Permissions and SSO Administrators. AD group membership seems to have no effect, though AD authentication works fine.

    1. DaveS

      I’ve repeated my testing, and found exactly the results reported by Loren — SSO AD group membership does not work (I must explicitly add individual SSO Admins; using Domain Admins does not work), but using Domain Admins for vCenter Permissions works fine. Thanks.

  12. Pingback: vCenter SSO nested groups
