VMware vCenter No Longer Shows Any Servers After Upgrading to 5.5

So I took the leap this week and upgraded our VMware vCenter install from 5.1 to 5.5, and surprisingly everything seemed to go OK. The install completed with no errors and logging in to the updated Web Client worked, that is until I clicked into the vCenter menu and realised that it was empty and wasn’t showing any of our servers or anything.

After a bit of panicking I remembered that during the upgrade process the new version of SSO Manager created a new user called administrator@vsphere.local, so I tried logging in as this user and thankfully all my servers were back and showing as normal. So all the data was there; I just wasn’t able to access it with my AD account for some reason (which I never had any problems doing back on 5.1).

After speaking to a few awesome guys over on the VMware subreddit, I checked that our Domain Admins AD group was part of the Administrators group in the SSO configuration pages and that the Administrators group had the Admin permissions in vCenter, so this seemed like it should work but it still wouldn’t.

Next we tried adding the Domain Admins group directly to vCenter, and this is where we started to get some luck as it started working again, so I decided to dig a bit more. After a few hours of playing around, it seems that as of vSphere 5.5 you cannot have non-local users as members of a local group. The problem is that there is nothing in the web client that will tell you this or even stop you from doing it; you only find out when you log in and realise you don’t have any of the permissions you just gave yourself!

Apparently, though, this seems to be by design rather than a bug, which seems odd. Just after I managed to fix my install, someone on reddit found this blog post, which describes the problem I had completely:

http://blogs.vmware.com/vsphere/2013/09/vcenter-single-sign-on-5-5-not-recognizing-nested-active-directory-groups.html

It links to the following VMware KB article, which helpfully confirms that this is by design and is not in fact a bug:

http://kb.vmware.com/kb/2059528

Hopefully in a future update VMware can add a bit of checking into the SSO part of the web client and provide some feedback and error messages when this problem occurs (and when someone tries to add a non-local user/group to a local group).

Nick

I’m a Sys-Admin for a growing UK company working down on the sunny South Coast of England. I love all things techie, especially Exchange and Virtualisation stuff. When not tinkering I can normally be found playing online games such as PlanetSide 2, DayZ and Battlefield 4.