Knowledge Base
KB-VIT0007 - AD Integration issues with vCenter 6.0

Problem: 
Unable to assign permissions to users or groups in vCenter after configuring SSO to use Active Directory (Integrated Windows Authentication) as an Identity Source.
  
Attempting to browse and add users to the vCenter Server permissions fails with the error: Cannot load the users for the selected domain

In the /var/log/vmware/sso/vmware-sts-idmd.log file on the Platform Services Controller, you see:
 
Failed to get non-GC connection to domain in retry

Cause:
Per VMware KB2127213 - "This issue occurs because the Likewise Kerberos stack requires all DNS servers to be configured with the Reverse Lookup Zone and that all Active Directory Domain Controller (AD DC) Pointer (PTR) records are available. The Likewise Kerberos stack in the Appliances uses both Forward and Reverse Name Lookup to canonically organize hostnames for use in service principal names."

Resolution:

You must ensure that all DNS servers have the Reverse Lookup Zone configured as well as Active Directory Domain Controller (AD DC) Pointer (PTR) records present.

Checking Active Directory Trust Enumeration:

View a list of domain controllers that are not accessible from the Appliance:

grep "cannot establish connection with uri:" /var/log/vmware/sso/vmware-sts-idmd.log | cut -d'[' -f4 | uniq
The output shows all 4 domain controllers as not accessible:

Checking Active Directory Domain Controller DNS Resolution:

Reverse Lookup:

The evidence we have gathered to this point tells us that the Domain Controllers cannot be reached, but we're unsure why. The only clue is that DC04 has fewer DNS entries than the others. This ended up being the smoking gun. I added the missing entries to DNS manually, tried again, and it worked as it should.
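The check that would have found the missing DC04 entries directly is to resolve every domain controller forward, then resolve each returned address back and confirm the PTR name matches the DC's FQDN, which is what the Kerberos canonicalization described in the Cause section depends on. The script below is an added example, not VMware's code or anything shipped on the appliance. The domain controller names and addresses in it are constructed placeholders (example.test / 192.0.2.x), and the resolver functions are injectable so the logic can be exercised offline; run it with your real DC FQDNs as arguments to query live DNS.

```python
"""Forward/reverse DNS consistency check for AD domain controllers.

Added example, not VMware's code. DC names and addresses are constructed
placeholders; resolvers are injectable so the check runs offline too.
"""
import socket


def default_forward(name):
    """Return all IPv4 addresses for name, or [] if it does not resolve."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return []


def default_reverse(ip):
    """Return the PTR name for ip (lower-cased, no trailing dot), or None."""
    try:
        return socket.gethostbyaddr(ip)[0].rstrip(".").lower()
    except (socket.herror, socket.gaierror):
        return None


def check_dc(name, forward=default_forward, reverse=default_reverse):
    """Return (ok, findings) for one domain controller.

    Conditions the Likewise Kerberos stack needs, per the KB cause text:
      - the DC's FQDN resolves (forward A record present)
      - every address has a PTR record (reverse zone present)
      - the PTR name equals the FQDN, so canonicalization yields the
        same host name the service principal name is built from
    """
    findings = []
    name = name.rstrip(".").lower()
    addrs = forward(name)
    if not addrs:
        findings.append(f"{name}: no forward (A) record")
        return False, findings
    for ip in addrs:
        ptr = reverse(ip)
        if ptr is None:
            findings.append(f"{name}: {ip} has no PTR record")
        elif ptr != name:
            findings.append(f"{name}: {ip} PTR points to {ptr}, expected {name}")
    return not findings, findings


def check_all(dc_names, forward=default_forward, reverse=default_reverse):
    """Check every DC; return {name: findings}, where [] means healthy."""
    return {dc: check_dc(dc, forward, reverse)[1] for dc in dc_names}


# Constructed sample: four DCs, and the fourth has no PTR record,
# mirroring the DC04 situation in the article. Not real infrastructure.
SAMPLE_FORWARD = {
    "dc01.example.test": ["192.0.2.11"],
    "dc02.example.test": ["192.0.2.12"],
    "dc03.example.test": ["192.0.2.13"],
    "dc04.example.test": ["192.0.2.14"],
}
SAMPLE_REVERSE = {
    "192.0.2.11": "dc01.example.test",
    "192.0.2.12": "dc02.example.test",
    "192.0.2.13": "dc03.example.test",
    # 192.0.2.14 deliberately absent: missing PTR record
}


def sample_forward(name):
    return SAMPLE_FORWARD.get(name, [])


def sample_reverse(ip):
    return SAMPLE_REVERSE.get(ip)


if __name__ == "__main__":
    import sys

    # Real DC FQDNs on the command line query live DNS; with no
    # arguments the constructed sample is checked offline.
    if len(sys.argv) > 1:
        results = check_all(sys.argv[1:])
    else:
        results = check_all(SAMPLE_FORWARD, sample_forward, sample_reverse)
    for dc, findings in results.items():
        print(dc, "OK" if not findings else "; ".join(findings))
```

Run it from a host that uses the same DNS servers as the Platform Services Controller, since the point of the check is what the appliance's resolvers return, not what your workstation sees. A DC that resolves forward but reports "has no PTR record" is exactly the condition the KB cause describes; a PTR that points to a different name (an old host name or a CNAME target) breaks canonicalization just as badly and is worth fixing at the same time.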

Applies to:
VMware vCenter 6.0