Active Directory tenant identity sources & vCloud Application Director 6.0.1

Recently, I encountered an issue while trying to add a cloud provider in vCloud Application Director 6.0.1. It turns out that, depending on the vCloud Automation Center identity source, you may need to capitalize the domain name in the user’s UPN. (See this post about attempting to add a cloud provider with a down-level username vs. a UPN.)

If the vCAC tenant’s identity source is Active Directory (not Native Active Directory), you can login using the username format of username@fqdn-domain. If the identity source is Native Active Directory, you must use the username format of username@FQDN-DOMAIN. So, damian@lab.dns vs. damian@LAB.DNS. As you can see below, the SAML response returned from vCenter SSO has the domain name capitalized when using Native Active Directory, and not capitalized when using Active Directory.

This only happens when using the default vsphere.local tenant in vCloud Automation Center, as additional tenants can only use Open LDAP or Active Directory.

Adding a cloud provider using Active Directory identity source

Log from vCenter 5.5.0U1a’s SSO vmware-identity-sts.log, located at /var/log/vmware/sso:

TRACE com.vmware.identity.sts.auth.impl.UNTAuthenticator] Starting to authenticate principal: damian.karlson@lab.dns
DEBUG com.vmware.identity.sts.auth.impl.UNTAuthenticator] Authenticated principal: {Name: damian.karlson, Domain: lab.dns} at time: Thu Jun 26 16:50:57 UTC 2014
DEBUG com.vmware.identity.sts.impl.STSImpl] Authenticated principal: {Name: damian.karlson, Domain: lab.dns} at time: Thu Jun 26 16:50:57 UTC 2014
TRACE com.vmware.identity.saml.idm.IdmPrincipalAttributesExtractor] 5 attributes retrieved for {Name: damian.karlson, Domain: lab.dns}
TRACE com.vmware.identity.saml.idm.IdmPrincipalAttributesExtractor] An attribute PrincipalAttribute [name=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname, format=urn:oasis:names:tc:SAML:2.0:attrname-format:uri, friendly name=givenName, value=[Damian]] retrieved for {Name: damian.karlson, Domain: lab.dns}
TRACE com.vmware.identity.saml.idm.IdmPrincipalAttributesExtractor] An attribute PrincipalAttribute [name=http://rsa.com/schemas/attr-names/2009/01/GroupIdentity, format=urn:oasis:names:tc:SAML:2.0:attrname-format:uri, friendly name=Groups, value=[lab.dns\Domain Admins, lab.dns\vCenter Admins, lab.dns\Domain Users, lab.dns\Denied RODC Password Replication Group, vsphere.local\Administrators, vsphere.local\Everyone]] retrieved for {Name: damian.karlson, Domain: lab.dns}
TRACE com.vmware.identity.saml.idm.IdmPrincipalAttributesExtractor] An attribute PrincipalAttribute [name=http://schemas.xmlsoap.org/claims/UPN, format=urn:oasis:names:tc:SAML:2.0:attrname-format:uri, friendly name=userPrincipalName, value=[damian.karlson@lab.dns]] retrieved for {Name: damian.karlson, Domain: lab.dns}
TRACE com.vmware.identity.saml.idm.IdmPrincipalAttributesExtractor] An attribute PrincipalAttribute [name=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname, format=urn:oasis:names:tc:SAML:2.0:attrname-format:uri, friendly name=surname, value=[Karlson]] retrieved for {Name: damian.karlson, Domain: lab.dns}
TRACE com.vmware.identity.saml.idm.IdmPrincipalAttributesExtractor] An attribute PrincipalAttribute [name=http://vmware.com/schemas/attr-names/2011/07/isSolution, format=urn:oasis:names:tc:SAML:2.0:attrname-format:uri, friendly name=Subject Type, value=[false]] retrieved for {Name: damian.karlson, Domain: lab.dns}

XML SAML response snipped farther down in the log:

<saml2:Subject>
	<saml2:NameID Format="http://schemas.xmlsoap.org/claims/UPN">damian.karlson@lab.dns</saml2:NameID>
	<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
		<saml2:SubjectConfirmationData xsi:type="saml2:KeyInfoConfirmationDataType">
			<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
				<ds:X509Data>
					<ds:X509Certificate>snipped</ds:X509Certificate>
				</ds:X509Data>
			</ds:KeyInfo>
		</saml2:SubjectConfirmationData>
	</saml2:SubjectConfirmation>
</saml2:Subject>

Log from vCloud Application Director’s catalina.out, located at /home/darwin/tcserver/darwin/logs/catalina.out:

INFO com.vmware.darwin.service.catalog.CloudProviderHelper - Logging in cloud url=https://iaas01.lab.dns with user=damian.karlson@lab.dns
INFO com.vmware.darwin.flow.engine.CloudServiceConnectionImpl - Generating SAML for user='damian.karlson@lab.dns' 
INFO com.vmware.darwin.cal.api.CALSessionFactory - Found cloud driver: type = vcac6_0 class = com.vmware.darwin.cal.driver.vcac6_0.VCACBackCloudDriver
INFO com.vmware.darwin.cal.driver.vcac6_0.VCACHelper - VCACCloudDriver instantiating...
INFO com.vmware.darwin.cal.driver.vcac6_0.VCACHelper - VCACCloudDriver instantiated successfully!

Adding a cloud provider using Native Active Directory identity source

Log from vCenter 5.5.0U1a’s SSO vmware-identity-sts.log:

TRACE com.vmware.identity.sts.auth.impl.UNTAuthenticator] Starting to authenticate principal: damian.karlson@lab.dns
DEBUG com.vmware.identity.sts.auth.impl.UNTAuthenticator] Authenticated principal: {Name: damian.karlson, Domain: LAB.DNS} at time: Thu Jun 26 18:53:22 UTC 2014
TRACE com.vmware.identity.saml.idm.IdmPrincipalAttributesExtractor] 5 attributes retrieved for {Name: damian.karlson, Domain: LAB.DNS}
TRACE com.vmware.identity.saml.idm.IdmPrincipalAttributesExtractor] An attribute PrincipalAttribute [name=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname, format=urn:oasis:names:tc:SAML:2.0:attrname-format:uri, friendly name=givenName, value=null] retrieved for {Name: damian.karlson, Domain: LAB.DNS}
com.vmware.identity.saml.idm.IdmPrincipalAttributesExtractor] An attribute PrincipalAttribute [name=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname, format=urn:oasis:names:tc:SAML:2.0:attrname-format:uri, friendly name=surname, value=null] retrieved for {Name: damian.karlson, Domain: LAB.DNS}
TRACE com.vmware.identity.saml.idm.IdmPrincipalAttributesExtractor] An attribute PrincipalAttribute [name=http://vmware.com/schemas/attr-names/2011/07/isSolution, format=urn:oasis:names:tc:SAML:2.0:attrname-format:uri, friendly name=Subject Type, value=[false]] retrieved for {Name: damian.karlson, Domain: LAB.DNS}
com.vmware.identity.saml.idm.IdmPrincipalAttributesExtractor] An attribute PrincipalAttribute [name=http://rsa.com/schemas/attr-names/2009/01/GroupIdentity, format=urn:oasis:names:tc:SAML:2.0:attrname-format:uri, friendly name=Groups, value=[lab.dns\Domain Users, lab.dns\vCenter Admins, lab.dns\Domain Admins, lab.dns\Denied RODC Password Replication Group, vsphere.local\Administrators, vsphere.local\Everyone]] retrieved for {Name: damian.karlson, Domain: LAB.DNS}
TRACE com.vmware.identity.saml.idm.IdmPrincipalAttributesExtractor] An attribute PrincipalAttribute [name=http://schemas.xmlsoap.org/claims/UPN, format=urn:oasis:names:tc:SAML:2.0:attrname-format:uri, friendly name=userPrincipalName, value=[damian.karlson@LAB.DNS]] retrieved for {Name: damian.karlson, Domain: LAB.DNS}

XML SAML response snipped farther down in the log:

<saml2:Subject>
	<saml2:NameID Format="http://schemas.xmlsoap.org/claims/UPN">damian.karlson@LAB.DNS</saml2:NameID>
	<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
		<saml2:SubjectConfirmationData xsi:type="saml2:KeyInfoConfirmationDataType">
			<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
				<ds:X509Data>
					<ds:X509Certificate>snipped</ds:X509Certificate>
				</ds:X509Data>
			</ds:KeyInfo>
		</saml2:SubjectConfirmationData>
	</saml2:SubjectConfirmation>
</saml2:Subject>

Log from vCloud Application Director’s catalina.out:

INFO com.vmware.darwin.service.catalog.CloudProviderHelper - Logging in cloud url=https://iaas01.lab.dns with user=damian.karlson@lab.dns
INFO com.vmware.darwin.flow.engine.CloudServiceConnectionImpl - Generating SAML for user='damian.karlson@lab.dns' 
ERROR com.vmware.darwin.flow.engine.CloudServiceConnectionImpl - Error occured while generating SamlToken for the user=damian.karlson@lab.dns
com.vmware.darwin.csp.exception.CspException: Use damian.karlson@LAB.DNS for Username field instead of damian.karlson@lab.dns

Environment:

  • vCloud Application Director 6.0.1.0 Build 1571033
  • vCloud Automation Center 6.0.1 Build: 1571033, using vCenter’s SSO
  • vCenter Server Appliance 5.5.0.10100 Build 1750781

Trackbacks

  1. […] and add the CentOS 6.3 template (blueprint). Note: If you get a credentials error, see this post about case sensitivity depending on the type of tenant identity source you’re […]

Speak Your Mind

*