VMware Single Sign-On - "Warning 29155: The identity source was not identified automatically"

VMware vSphere 5.1 provides Single Sign-On throughout a VMware vCenter instance. VMware Single Sign-On expects Microsoft Active Directory as so-called "Identity Source", but is also able to use other types of user repositories. This article describes how to use UCS 3.1 / Samba 4 instead of Microsoft Active Directory.

Prerequisites

Depending on the size of the environment the number of UCS, Windows and VMware ESXi Hypervisor hosts may vary. Let's assume the following minimum configuration:

• 1 UCS 3.1 Domain Controller Master with Samba 4
• 1 Windows Server, member of the UCS 3.1/Samba 4 domain with the following VMware vSphere 5.1 components installed:
          VMware vCenter Single Sign On
          VMware vCenter Inventory Service
          VMware vCenter Server
          VMware vSphere Client
          VMware vSphere Web Client
• 1 VMware ESXi Hypervisor Host [optional, but reasonable]

 

Known Issues

During the installation of VMware vCenter on the Windows Server the following warning might appear:
Warning 29155: The identity source was not identified automatically.
This warning can be ignored. The identity source will be added manually after the installation finished.

 

Configuration of VMware vCenter Single Sign-On

Start "VMware vSphere Web Client" on the Windows Server or open your vSphere-Client-URL in your browser (usually https://your-vCenter-server:9443/vsphere-client).
Log in with your "admin@System-Domain"-Account that was created during installation of vCenter.


Note: You need to use "admin@System-Domain". Any other account won't be able to add "Identity Sources" at this point. So make sure the account is not disabled or deleted.


Go to Administration → Sign-On and Discovery → Configuration → Identity Sources and add a new "Identity Source" (+).


        




A new window will open up. Select Active Directory and enter the desired information:

• a name for this "Identity Source" (e.g. UCS3-SAMBA4)
• primary ldap-URL consisting of DC Master FQDN and LDAP-Port (e.g. ldap://ucs-master.example.com:389)
• Optional: secondary LDAP Server, recommended when there's a DC Backup
• Domain name (e.g. example.com)
• Domain alias, which is the NetBIOS name of the domain (e.g. EXAMPLE)
• Authentication Type: Password
• Username: PrivilegedUser@example.com (domain user with right to read LDAP)
• Password of the above user

Change to Administration → Access → SSO Users and Groups → Open Groups → Add a new group (e.g. VMware Domain Admins) → Select this group and click Add Principals
          


A new window opens up: Select the "Identity Source" we added before (e.g. example.com) and search for your desired LDAP-group (e.g. Domain Admins), then click Add and OK.




The chosen users/groups are now able to log in with their credentials:

• username@example.com
• domain-user password

While using the VMware vSphere Client (not the Web Client), users can now select "Use Windows session credentials".


 
Note: If a user password is changed or the user is disabled/deleted in your LDAP, this will not affect an active session in VMware vSphere (Web) Client. The changes will have an effect on the next login.

Note: Don't forget to add the right to manage a vCenter server (or single VMs) for the users. This can be done via vCenter → your vCenter server → Manage → Permissions → Add permission. Otherwise the users will be able to log in, but won't see any vServers, Datacenters or Hosts.