Short tip: Configuration debugging of Active Directory authentication under vCSA 5.5
If you're having issues configuring Active Directory authentication in VMware vCenter Server Appliance (vCSA) 5.5, you might want to have a look at the following log file: /var/log/vmware/vpx/vpxd_cfg.log
Ideally, follow this file with tail -f before saving the Active Directory configuration so that error messages show up in real time.
I entered the following configuration values in my test environment and couldn't find any errors:
- Active Directory enabled
- Domain: D2.LOCALDOMAIN.LOC
- Administrator user: D1\admin-cstan
- Administrator password: ...
The administrative user was part of another domain - that's why I prepended the other domain name. Appropriate authorization rules have already been defined in Active Directory.
Looking at the log file helped find the reason for this issue:
YYYY-MM-DD HH:MM:SS 15505: [15502]BEGIN execution of: /usr/sbin/vpxd_servicecfg 'ad' 'write' 'D1\admin-cstan' CENSORED 'd2.localdomain.loc'
YYYY-MM-DD HH:MM:SS 15505: Testing domain (d2.localdomain.loc)
YYYY-MM-DD HH:MM:SS 15505: Enabling active directory: 'd2.localdomain.loc' 'd1\admin-cstan'
The username 'd1\admin-cstan@d2.localdomain.loc' is invalid because it contains a backslash. Please use UPN syntax (user@domain.com) if you wish to use a username from a different domain.
The user name format was wrong - I should have chosen admin-cstan@d1 instead of D1\admin-cstan. After correcting the username the configuration was working fine.
It would be great to see this error message in the web interface as well - currently, only a message saying that the configuration can't be saved is displayed.
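As an added example (not part of the original post), a small POSIX shell script that rewrites a DOMAIN\user value into the UPN form the log demands and pulls the offending user name out of a vpxd_cfg.log. The log sample is constructed, and the short-domain UPN (user@d1) follows the author's working value; the error text itself suggests the full DNS domain name may be needed in other environments.

```shell
#!/bin/sh
# Added example, not vCSA code: normalise the AD administrator user name
# and check vpxd_cfg.log for the "contains a backslash" error described above.

# Convert DOMAIN\user into user@domain (domain lower-cased, matching the
# author's working value admin-cstan@d1). UPN input passes through unchanged.
to_upn() {
    name=$1
    case "$name" in
        *\\*)
            dom=${name%%\\*}
            user=${name#*\\}
            printf '%s@%s\n' "$user" "$(printf '%s' "$dom" | tr 'A-Z' 'a-z')"
            ;;
        *)
            printf '%s\n' "$name"
            ;;
    esac
}

# Print the user name vpxd rejected and return 0 if the log contains the
# backslash error; return 1 if the log is clean.
find_backslash_error() {
    grep -q 'invalid because it contains a backslash' "$1" || return 1
    sed -n "s/^.*The username '\([^']*\)' is invalid because it contains a backslash.*$/\1/p" "$1" | head -n 1
}

# Constructed sample of /var/log/vmware/vpx/vpxd_cfg.log (timestamps are fake).
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
2014-01-01 10:00:00 15505: Testing domain (d2.localdomain.loc)
2014-01-01 10:00:01 15505: Enabling active directory: 'd2.localdomain.loc' 'd1\admin-cstan'
The username 'd1\admin-cstan@d2.localdomain.loc' is invalid because it contains a backslash. Please use UPN syntax (user@domain.com) if you wish to use a username from a different domain.
EOF

# Stand-alone run: report the rejected name and suggest the UPN form.
if bad=$(find_backslash_error "$SAMPLE_LOG"); then
    echo "vpxd rejected '$bad'; try $(to_upn "${bad%%@*}") instead"
fi
```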