posted

2 Comments

Updated 1 Nov 2013

The issue of running both your Active Directory and Single-Sign On server on Windows Server 2012 which is mentioned in this blog has been fixed with the vCenter Server 5.5.0a patch.

  • VMware vCenter Server™ 5.5.0a | 31 OCT 2013 | Build 1378901
  • vCenter Server Appliance 5.5.0a | 31 OCT 2013 | Build 1398493

Last week, along with the rest of you, I learned about an authentication issue with vSphere Single Sign-On version 5.5 when running both the Active Directory (AD) domain control and the vCenter Single Sign-On Server on Windows Server 2012 (http://kb.vmware.com/kb/2060901).

In a nutshell, when your AD domain controller and your vCenter Single Sign-On are both running on Windows Server 2012, the single sign-on is unable to authenticate AD users.  You get a “Cannot parse group information” error:

A couple of things to note about this issue that are not called out in the knowledge base (KB) article:

1)   You are not locked out.  This issue is specific to active directory authentication.  You can still login using the single sign-on administrator account (administrator@vsphere.local), which in vSphere 5.5 now has full privileges to the vCenter Inventory.  You can also still authenticate using local OS users, the local Administrator account for example.

2)   This issue has nothing to do with the functional level of the AD forest or domain.  It applies any time you are running both your AD domain and your vCenter Single Sign-On on Windows Server 2012.  This issue is not affected by the functional level of the forest or domain.

Fortunately, there is an easy fix.  On the Single Sign-On server simply replace the “C:WindowsSystem32idm.dll” file with the patch that is attached to the KB article (following the steps outlined in the KB article of course).