Choosing the AD domain to list the domain users from SSO Users & Groups fails with the error “Error while extracting local SSO users” in vCenter Server 6.X
Today I managed to face a interesting issue in the customer’s environment. Where customer has joined the appliance as a member of AD domain. Identity source has been further added as integrated windows authentication.
When navigating to Users and Groups under SSO configuration and selecting the domain(ritesh.local in this situation) we ended up with an error “”Error while extracting local SSO users”. None of the domain users were being listed.
Appliance was perfectly joined to domain but yet we were encountering above mentioned error message.
Customer was having multiple domain controllers configured in the environment.
Vsphere-client virgo logs displayed below set of error message.
[INFO ] http-bio-9090-exec-9 70000134 100002 200002 org.springframework.flex.servlet.MessageBrokerHandlerAdapter Channel endpoint ds-core
-amf received request.
[ERROR] data-service-pool-356 70000134 100002 200002 c.v.vsphere.client.sso.admin.impl.PrincipalManagementServiceImpl PrincipalManagementServi
ceImpl.findUsers com.vmware.vim.binding.sso.fault.InternalFault: Idm client exception: Failed to establish server connection
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
IDMD logs were displaying below set of error message.
vsphere.local ab63da3a-b981-4756-9273-b478e186e84c WARN ] [ServerUtils] cannot bind connection: [ldap://ad1.ritesh.local null]
vsphere.local ab63da3a-b981-4756-9273-b478e186e84c WARN ] [ServerUtils] cannot bind connection: [ldap://ad2.ritesh.local, null]
vsphere.local 27120fa0-e90b-409a-925b-e26a45ba7e53 WARN ] [ServerUtils] cannot bind connection: [ldap:/ad1.ritesh.local, null]
vsphere.local 27120fa0-e90b-409a-925b-e26a45ba7e53 WARN ] [ServerUtils] cannot bind connection: [ldap://ad4.ritesh.local, null]
We verified by pinging handful of domain controllers from the appliance to cross-check if it is reachable and we would receive valid response.
Performed a nslookup on the domain controllers one by one. Forward lookup zone was resolving properly but when performing the reverse look up we were not fetching the expected results.
Would provide expected result stating 192.168.2.100
But querying nslookup 192.168.2.100
Was responding with a different fqdn for eg :ad01.vsphere.ritesh.local
This was a catch as binding generally fails when reverse lookup zone for DC are not properly configured in DNS or the underlying pointer(PTR) record does not exist.
To isolate this issue we edited the host file residing under /etc/hosts with IP address and the corresponding domain controller FQDN. Once saved it worked like a charm
Informed the customer to get in touch with his internal DNS team to rectify the PTR record for the DC accordingly.
Hope this article was helpful. Watch out for more.