vCenter

  • 1.  Web client does not work when AD servers are down?

    Posted Jun 10, 2014 03:16 AM

    Hello all,

    In my lab I have an ESXi 5.1 host that runs a Windows DC as a VM. I just installed vCenter Server 5.5u1a (all components) on a VM on my personal workstation to test out.

    My Windows DC VM ended up being shut off today. I wanted to log into the web client and turn it back on.

    I know I cannot use a Windows domain account because my DC is down. So, I tried to log in with the administrator@vsphere.local account. I can log in but nothing works. It does not show my vCenter server and I get the error messages: "Could not connect to one or more vCenter Server systems: https://myvcenterFQDN:443/sdk" and "Client is not authenticated to VMware Inventory service - https://myvcenterserverfqdn:10443"

    Can someone tell me if this is by design? I would have thought I could log in and administer the vSphere environment with a local SSO account without depending on AD. Thanks!



  • 2.  RE: Web client does not work when AD servers are down?

    Posted Jun 10, 2014 05:05 AM

    Even the administrator@vsphere.local account needs explicit permissions in VC to be able to administer VC. Have you provided this?

    Regards

    Girish



  • 3.  RE: Web client does not work when AD servers are down?

    Posted Jun 10, 2014 12:00 PM

    Yes, I've left everything as default which has the administrator@vsphere.local with permissions on the VC Server. Like I said, everything displays fine when my domain controller is on. But when my domain controller is off, I get these error messages. I don't understand why since I would think there should be no dependency on Active Directory.



  • 4.  RE: Web client does not work when AD servers are down?

    Posted Jun 10, 2014 12:04 PM

    This particular KB says that even if 1 identity source is down, everybody is affected.

    http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2048177

    You can try removing the identity source and adding it back later as detailed in the KB if it's a viable solution.

    Regards

    Girish



  • 5.  RE: Web client does not work when AD servers are down?

    Posted Jun 10, 2014 12:13 PM

    I saw that KB as well. However, like I said the web client just doesn't seem to work when AD is down and I can't make any changes. Even going to SSO configuration, the list of Identity Sources can't be retrieved so I can't even modify that.



  • 6.  RE: Web client does not work when AD servers are down?

    Posted Jun 10, 2014 12:19 PM

    hmm.. the only option seems to be to connect directly to the host, boot up the AD VM :)

    Regards

    Girish



  • 7.  RE: Web client does not work when AD servers are down?

    Posted Jun 10, 2014 12:26 PM

    OK, can you tell me why though? Is this expected behavior? I would have thought there would be no AD dependency when using a local SSO account?



  • 8.  RE: Web client does not work when AD servers are down?

    Posted Jun 11, 2014 09:30 AM

    Well, as per the KB, it's for security purposes:

    "The vCenter Security subsystem specifically allows assigning permissions on multiple levels in the vCenter hierarchy, whereby a group of users might have less permissions on an inventory object as compared to the permissions on the parent inventory object. When such permissions are assigned to a group when there is a malfunctioning identity source, not having the list of groups from this domain might allow for unauthorized access. Logon is therefore prevented if any identity source is down."


    Regards

    Girish
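
The reasoning in the KB excerpt quoted above can be shown with a small model. This is an added example, not part of the thread and not VMware's code: it assumes a simplified rule in which the permission defined closest to the object wins, and every name, domain and role assignment in it is constructed for illustration.

```python
class IdentitySourceDown(Exception):
    """Raised when a configured identity source cannot be queried."""

# Constructed inventory: the VM sits under the datacenter.
PARENT = {"vm-finance": "datacenter", "datacenter": None}

# Constructed permissions: a group from corp.example is restricted on the
# child object, while a group from lab.example is Administrator on the parent.
PERMISSIONS = {
    "datacenter": {"ops@lab.example": "Administrator"},
    "vm-finance": {"contractors@corp.example": "ReadOnly"},
}

# Constructed memberships: identity source -> user -> groups it reports.
MEMBERSHIPS = {
    "lab.example": {"alice@lab.example": {"ops@lab.example"}},
    "corp.example": {"alice@lab.example": {"contractors@corp.example"}},
}

def resolve_groups(user, down, fail_closed):
    """Collect the user's groups from every configured identity source."""
    groups = set()
    for source, members in MEMBERSHIPS.items():
        if source in down:
            if fail_closed:
                # Behaviour described in the KB: refuse rather than guess.
                raise IdentitySourceDown(source)
            continue  # fail-open: the restricting group is silently lost
        groups |= members.get(user, set())
    return groups

def effective_role(user, obj, groups):
    """Walk up from the object; the nearest matching permission wins."""
    principals = {user} | groups
    while obj is not None:
        roles = [r for p, r in PERMISSIONS.get(obj, {}).items() if p in principals]
        if roles:
            return roles[0]
        obj = PARENT[obj]
    return None

def authorize(user, obj, down=frozenset(), fail_closed=True):
    return effective_role(user, obj, resolve_groups(user, down, fail_closed))
```

With every source up, `alice@lab.example` is `ReadOnly` on `vm-finance`. With `corp.example` down and `fail_closed=False`, the same call returns `Administrator`, which is the unauthorized access the KB describes; with `fail_closed=True` the lookup raises instead.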