
Monday 5 October 2015

Unable to Access VMware vSphere Client Using Domain ID

In a normal implementation, it is always best practice to grant permissions per group rather than per individual ID. The simple reason is that it is easier to administer and manage. That is what I did in one of my vCenter implementations, but I could not make it work. It just did not allow me to log in using my domain ID (which was configured as a member of Local Administrators on the vCenter server), although a local ID (also a member of Local Administrators) worked as expected.

Issue:
Error while connecting to vCenter Server using the VMware vSphere Client. The error is:

Error Connecting
The vSphere Client could not connect to "vCenter Server Name"
You do not have permission to login to the server : "vCenter Server Name"

Troubleshooting
  1. Assigned the appropriate domain ID (MyDomain\DomainAdminID) to a domain group (MyDomain\Domain Admins).
  2. Assigned that domain group to Local Administrators on the vCenter server.
  3. (Double kill!) Assigned that domain ID (MyDomain\DomainAdminID) to Local Administrators on the vCenter server.
  4. Configured Local Administrators with the Full Admin role in vCenter Permissions. Note that the above domain ID was not configured here. The local ID (.\ctxadmin) that will be used for testing was also not configured here.
  5. Tried to access vCenter using that domain ID; the error was prompted.
  6. Tried to access vCenter using the local ID; successful.
  7. Session with local ID.


Resolution:
It seems that, starting from vSphere 5.5, adding domain IDs/groups to local groups causes this issue. Based on the VMware KB:

Resolution
 This is an expected behavior.
To resolve this issue, give explicit permissions to Users or Groups from their respective Identity Sources. For example:
  • Only populate Local OS groups with Local OS users or groups
  • Only populate Active Directory groups with Active Directory users or groups

In order to do so:
  1. Add the user ID / group to vCenter. Choose the domain, search for the ID / group, and add it accordingly.
  2. Able to access, no error.
  3. Session active with AD user ID.
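
The KB guidance above (only populate Local OS groups with Local OS users or groups) can be checked on the vCenter server before troubleshooting logins. The PowerShell below is an added example, not part of the original post or of VMware's tooling; it assumes Windows PowerShell 5.1 or later with the built-in LocalAccounts cmdlets, and the function name Get-CrossSourceMember and host name VCENTER01 are hypothetical.

```powershell
# Added example (not from the original post). Flags members of a local group
# that come from a different identity source than the group itself.
function Get-CrossSourceMember {
    param(
        # Objects exposing Name, ObjectClass and PrincipalSource,
        # for example the output of Get-LocalGroupMember.
        [Parameter(Mandatory)] [object[]] $Member
    )
    foreach ($m in $Member) {
        $source = [string]$m.PrincipalSource
        if ($source -ne 'Local') {
            [pscustomobject]@{
                Name            = $m.Name
                ObjectClass     = $m.ObjectClass
                PrincipalSource = $source
                Finding         = 'Assign the vCenter role to this principal from its own identity source'
            }
        }
    }
}

# Constructed sample mirroring the setup described in the post.
# VCENTER01 is a hypothetical host name.
$sample = @(
    [pscustomobject]@{ Name = 'VCENTER01\ctxadmin';     ObjectClass = 'User';  PrincipalSource = 'Local' }
    [pscustomobject]@{ Name = 'MyDomain\Domain Admins'; ObjectClass = 'Group'; PrincipalSource = 'ActiveDirectory' }
    [pscustomobject]@{ Name = 'MyDomain\DomainAdminID'; ObjectClass = 'User';  PrincipalSource = 'ActiveDirectory' }
)
Get-CrossSourceMember -Member $sample | Format-Table -AutoSize

# On the vCenter server itself, audit the real group as well as the sample.
if (Get-Command Get-LocalGroupMember -ErrorAction SilentlyContinue) {
    try {
        $live = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop
        Get-CrossSourceMember -Member $live | Format-Table -AutoSize
    } catch {
        Write-Warning "Could not enumerate Administrators: $($_.Exception.Message)"
    }
}
```

Every row it returns is a principal that should be granted its vCenter role directly from its own identity source instead of through the local group.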


Reference 

  • http://blogs.vmware.com/vsphere/2013/09/vcenter-single-sign-on-5-5-not-recognizing-nested-active-directory-groups.html
  • http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2059528

Friday 21 February 2014

How To Configure Pass-Through on Citrix Web Interface

I received a request from my clients to enable pass-through on their Citrix Web Interface site. Not more than a few minutes after completion, they made a few complaints, saying that they needed to supply their credentials every time they launched published applications, which defeats the purpose of Single Sign-On (SSO). After a few minutes of troubleshooting, I realized that, in order to enable pass-through, more steps need to be taken than simply enabling the feature.


Description :


Properly enabling Pass-Through, so users won't have to supply credentials every time they launch Citrix published applications, as below:






How To Do :





  1. Uninstall the currently installed Citrix Receiver.
  2. Once the uninstallation has completed, open a command prompt (type CMD).
  3. Browse to the installer location and run the command ( CitrixReceiver.exe /includeSSON ) to install Receiver with SSON enabled.
  4. Proceed with the installation.
  5. When you can see this in Programs and Features, the installation is complete.
  6. Go to Start > Run and type GPEDIT.MSC
  7. Add a new ADM template for this purpose by choosing Add/Remove Templates...
  8. Press Add.
  9. Add the template, which is located at this path ( %SystemDrive%\Program Files (x86)\ICA Client\Configuration ). The file name is icaclient.adm
  10. Template added. Press Close.
  11. Browse to this path ( Local Computer Policy > Computer Configuration > Administrative Templates > Classic Administrative Templates (ADM) > Citrix Components > Citrix Receiver > User authentication )
  12. Right-click the setting ( Local user and password ) and choose Edit.
  13. Enable the setting.
  14. Enable the first 2 options ( Enable pass-through authentication & Allow pass-through authentication for all ICA connections ).
  15. This is the outcome. Press Apply and OK.
  16. Reboot the machine (or use GPUPDATE /FORCE). Once it is up, access your CWI.





P.S.: If users are still unable to use SSO, please refer to here in order to use the Citrix Receiver Clean Up Utility.
