Symptoms
- After upgrading to vCenter Server 5.1 Update 1, you are unable to log in using the vSphere Web Client or domain username/password credentials via the vSphere Client.
- In the imsTrace.log file, located at VC Installation Directory\SSOServer\logs\, you see entries similar to:

    2013-04-26 18:35:51,928, [LDAP Parallel Search Thread-15], (GroupAccessSQL.java:1775), trace.com.rsa.ims.admin.dal.sql.GroupAccessSQL, DEBUG, host.domain.com,,,,SELECT GROUP_ID FROM IMS_PRINCIPAL_GROUP WHERE PRINCIPAL_ID = ?
    2013-04-26 18:35:51,928, [castle-exec-11], (SecurityTokenServiceImpl.java:117), trace.com.rsa.riat.sts.impl.SecurityTokenServiceImpl, ERROR, host.domain.com,,,,Error while trying to generate RequestSecurityTokenResponse
    com.rsa.common.UnexpectedDataStoreException: Failed group search, unexpected interrupt
        at com.rsa.ims.admin.dal.ldap.GroupAccessLDAP.getPrincipalGroupsFromFSP(GroupAccessLDAP.java:1338)
        at com.rsa.ims.admin.dal.ldap.GroupAccessLDAP.getMemberOfGroupsInBatchForAD(GroupAccessLDAP.java:1273)

- Logging in using the Use Windows session credentials option via the vSphere Client is successful.
Cause
This issue can occur if the specified vCenter Server login domain user account is associated with a large number of domain groups and multiple domains are configured as SSO identity sources. The precise number of groups at which this issue can occur varies due to the nature of Active Directory internals. However, it is more likely to occur once domain-group membership for an account exceeds 19.
Resolution
VMware is actively working on a fix for the issue to enable customers with a large number of AD groups to upgrade to vCenter Server 5.1 Update 1.
Customers with SSO configured with multiple domain-based identity sources along with vCenter Server domain user accounts that are associated with a large number of groups should not upgrade to vCenter Server 5.1 Update 1.
If your environment meets the conditions of this issue, upgrading prevents users from logging into vCenter Server using the vSphere Web Client or via domain username/password using the VMware vSphere Client. If you have upgraded, you must log in through the “Use Windows session credentials” option in the respective client.
To work around this issue, use one of these options:
- Log in to vCenter Server via the vSphere Client using the Use Windows session credentials option.
- Work with your Active Directory administrator to reduce the group membership of the vCenter Server login account to a minimum.
- Limit the number of domain-based identity sources to no more than one.
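Before upgrading, it helps to know how many groups the vCenter login account actually carries, nested membership included, since that is what the SSO group lookup walks. The following PowerShell check is an added example, not part of the KB article or any VMware tool; the parameter names and the default threshold of 19 (taken from the Cause section) are assumptions, and it must run on a domain-joined Windows host that can read the account.

```powershell
# Added example (not from the KB): count the AD security groups a vCenter
# login account belongs to, nested groups included, via the tokenGroups
# attribute, and flag accounts above the 19-group threshold the KB cites.
# Assumption: run on a domain-joined host; $SamAccountName is the login account.
param(
    [Parameter(Mandatory = $true)][string]$SamAccountName,
    [int]$Threshold = 19
)

Add-Type -AssemblyName System.DirectoryServices

# Locate the user object in the current domain.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
$searcher.PropertiesToLoad.Add('distinguishedName') | Out-Null
$result = $searcher.FindOne()
if (-not $result) { throw "Account '$SamAccountName' not found in the current domain." }

# tokenGroups is a constructed attribute: it is only populated when read from
# the object itself, and it expands nested security-group membership the way
# a logon token would, which is the membership SSO has to resolve.
$user = $result.GetDirectoryEntry()
$user.RefreshCache(@('tokenGroups'))

$groups = foreach ($sidBytes in $user.Properties['tokenGroups']) {
    $sid = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
    try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $sid.Value }   # SID that cannot be resolved here (e.g. a group in another domain)
}

$count = @($groups).Count
"$SamAccountName is a member of $count security groups (nested included):"
$groups | Sort-Object | ForEach-Object { "  $_" }

if ($count -gt $Threshold) {
    Write-Warning "Membership exceeds $Threshold groups. If SSO is configured with more than one domain-based identity source, this account may hit the failed group search described in the KB after upgrading to 5.1 Update 1."
}
```

Unresolvable SIDs in the output are worth a second look: a group from another domain counts toward the total the SSO lookup has to resolve, which is exactly the multi-domain case the KB describes.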
Source:-