vSphere · March 30, 2021

Unable to list users for the selected domain and/or authenticate from Active Directory users into vSphere SSO domain after adding identity source

After adding identity source, you are unable to list users for the selected domain and/or unable to authenticate Active Directory users into vSphere SSO domain.

Some customers' environments have complex DNS configurations. In some cases, forward and reverse DNS are not controlled by the same DNS infrastructure. In these rare cases, two situations can arise that affect the ability of VCSA 6.0 and later versions to successfully use resources from Active Directory with an Integrated Windows Authentication (IWA) identity source:

1. Forward and reverse DNS lookups do not match.
2. Reverse DNS response is not authoritative.

To resolve this issue, log in to the Platform Services Controller Appliance as root, activate the bash shell, and then:

  1. Edit the /etc/krb5.conf file.
  2. Add an “rdns = false” entry in the [libdefaults] section.

     Note: Pay attention to the indentation here: the “r” of rdns must sit directly below the “l” of [libdefaults]. Which line of the section it is placed on does not matter.

     This is important and must be done.

  3. Restart the likewise service or restart the appliance:

/opt/likewise/bin/lwsm restart lwreg
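The following script is an added example and is not VMware's own tooling. It applies the krb5.conf change from the steps above idempotently: it checks whether the [libdefaults] section already contains "rdns = false", keeps a backup copy of the file, inserts the entry with one leading space (so the "r" lands under the "l" of "[libdefaults]"), and verifies the result. It assumes a POSIX sh with awk and cp, and that the file already has a [libdefaults] section; the sample krb5.conf it generates is constructed for a dry run and is not copied from an appliance.

```shell
#!/bin/sh
# Added example (not VMware's code): idempotently add "rdns = false" to the
# [libdefaults] section of a krb5.conf, keeping a backup first.
# Assumptions: POSIX sh, awk and cp are available, and the target file
# already contains a [libdefaults] section.

# Return 0 if the [libdefaults] section already contains "rdns = false",
# 1 otherwise. Only lines between [libdefaults] and the next [section] count,
# so an rdns entry under [realms] or [appdefaults] does not satisfy the check.
has_rdns_false() {
    awk '
        /^[ \t]*\[/ { in_libdefaults = ($0 ~ /^[ \t]*\[libdefaults\]/); next }
        in_libdefaults && $0 ~ /^[ \t]*rdns[ \t]*=[ \t]*false[ \t]*$/ { found = 1 }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# Insert " rdns = false" (one leading space, so the "r" sits directly below
# the "l" of "[libdefaults]") right after the [libdefaults] header.
# Does nothing if the entry is already present; keeps <file>.bak for rollback.
add_rdns_false() {
    file="$1"
    if has_rdns_false "$file"; then
        echo "rdns = false already present in $file"
        return 0
    fi
    cp -p "$file" "$file.bak" || return 1           # rollback copy before editing
    awk '
        { print }
        /^[ \t]*\[libdefaults\]/ && !done { print " rdns = false"; done = 1 }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file" || return 1
    has_rdns_false "$file"                           # confirm the edit landed
}

# Constructed sample krb5.conf (not taken from an appliance) for a dry run.
make_sample_krb5_conf() {
    cat > "$1" <<'EOF'
[libdefaults]
 default_realm = EXAMPLE.LOCAL
 dns_lookup_kdc = true

[realms]
 EXAMPLE.LOCAL = {
  kdc = dc1.example.local
 }
EOF
}

# Dry run against the constructed file; on the appliance pass /etc/krb5.conf
# to add_rdns_false instead, then restart likewise as shown above.
demo() {
    tmp="${TMPDIR:-/tmp}/krb5.conf.demo.$$"
    make_sample_krb5_conf "$tmp"
    add_rdns_false "$tmp"      # first call inserts the line
    add_rdns_false "$tmp"      # second call is a no-op (idempotent)
    cat "$tmp"
    rm -f "$tmp" "$tmp.bak"
}
```

Run `demo` to see the edit against the constructed file, or call `add_rdns_false /etc/krb5.conf` on the appliance. The section-aware check matters because krb5.conf is sectioned: a stray "rdns = false" outside [libdefaults] would not change Kerberos behaviour, and the script would otherwise wrongly report the fix as already applied. After the edit, restart likewise with the command above so the new setting is picked up.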