Short tip: Configuration debugging of Active Directory authentication under vCSA 5.5

If you’re having issues with configuring Active Directory authentication in VMware vCenter Server Appliance (vCSA) 5.5 you might want to have a look at the following log file: /var/log/vmware/vpx/vpxd_cfg.log

Ideally, follow this file with tail -f before saving the Active Directory configuration so that you see error messages in real time.

I entered the following configuration values in my test environment and couldn’t find any errors:

  • [x] Active Directory enabled
  • Domain: D2.LOCALDOMAIN.LOC
  • Administrator user: D1\admin-cstan
  • Administrator password: …

The administrative user was part of another domain – that’s why I prepended the other domain name. Appropriate authorization rules have already been defined in Active Directory.

Looking at the log file helped find the reason for this issue:

YYYY-MM-DD HH:MM:SS 15505: [15502]BEGIN execution of: /usr/sbin/vpxd_servicecfg 'ad' 'write' 'D1\admin-cstan' CENSORED 'd2.localdomain.loc'
YYYY-MM-DD HH:MM:SS 15505: Testing domain (d2.localdomain.loc)
YYYY-MM-DD HH:MM:SS 15505: Enabling active directory: 'd2.localdomain.loc' 'd1\admin-cstan'
The username 'd1admin-cstan@d2.localdomain.loc' is invalid because it contains a backslash. Please use UPN syntax (user@domain.com) if you wish to use a username from a different domain.

The user name format was wrong – I should have chosen admin-cstan@d1 instead of D1\admin-cstan. After correcting the username the configuration was working fine. 🙂
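As an added pre-flight check (not part of the original post), the following POSIX shell snippet rewrites a down-level DOMAIN\user name into the UPN form vpxd expects and scans vpxd_cfg.log output for the "contains a backslash" error quoted above. The log path and message text are taken from the post; the sample log lines and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the original post or from VMware.
# Assumptions: log path /var/log/vmware/vpx/vpxd_cfg.log and the error
# message wording as quoted in the post; SAMPLE_LOG is constructed.

# Convert DOMAIN\user (down-level form) into user@domain (UPN).
# A value already in UPN form, or a bare user name, is passed through.
# Returns 1 when the backslash form lacks a domain or a user part.
to_upn() {
    name=$1
    case $name in
        *\\*)
            dom=${name%%\\*}
            usr=${name#*\\}
            [ -n "$dom" ] && [ -n "$usr" ] || return 1
            # Domain is lowercased, matching what vpxd logs (see excerpt above).
            printf '%s@%s\n' "$usr" "$(printf '%s' "$dom" | tr 'A-Z' 'a-z')"
            ;;
        *)
            printf '%s\n' "$name"
            ;;
    esac
}

# Read vpxd_cfg.log text on stdin; print the rejected username and return 0
# if the UPN error is present, return 1 otherwise.
# Live use:  tail -f /var/log/vmware/vpx/vpxd_cfg.log | find_upn_error
find_upn_error() {
    grep -o "The username '[^']*' is invalid because it contains a backslash" |
        sed "s/^The username '\([^']*\)'.*/\1/" | grep .
}

# Constructed sample modelled on the log excerpt in the post.
SAMPLE_LOG="YYYY-MM-DD HH:MM:SS 15505: Enabling active directory: 'd2.localdomain.loc' 'd1\\admin-cstan'
The username 'd1\\admin-cstan@d2.localdomain.loc' is invalid because it contains a backslash. Please use UPN syntax (user@domain.com) if you wish to use a username from a different domain."

check_sample() {
    printf '%s\n' "$SAMPLE_LOG" | find_upn_error
}
```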

It would be great to see this error message also in the web interface – currently, only a message telling that the configuration can’t be saved is displayed. 😉
