VMware AD two-way trust question

madrebel

Trying to solve a problem for a client and can't seem to get this working.

domain1
2way trust
domain2

vcenter server joined to domain 1

permissions for user in domain2 added to an object in vcenter.

attempt to log in from domain2\testuser and get error about incorrect user or bad password.

domain2\testuser can RDP into the vcenter box and other domain1 devices.

What am I missing?
 
Did you set up the ESX Admin Group in AD and add the domain 2 admins to that group?
Set the permissions inside vCenter to feed from the ESX Admin group.
 
Hmm, that can work and is manageable however not ideal.

What I would prefer is to set permissions based on sec groups in domain2. Then the client can add/remove users to those sec groups without my intervention. I just want to lock down what those groups can do on the hardware/folders/etc.
 
I'm curious, but it's probably a misguided question: what are you typing into the user name field of the vSphere Client login box? I am not sure you're using 5.1... so I'll assume not.

Perhaps domain\user should be typed into the dialog box. Normally you don't have to specify the domain, but in this case you might have to.
 
Done that, tried the FQDN of the domain too.

IDK, going to ticket it with VMware tomorrow and see what they say.
 
Got it working... all I can figure is vCenter was joined to domain1 before the trust was set up and was causing problems. Removed and rejoined domain1 from the vCenter server and all is good in the network neighborhood.
 
I've seen that happen once before, only it was the opposite - VC got knackered because someone removed a trust after it was added. It's probably actually an issue within the LWDS services on Windows, more than AD, as VC really doesn't track/care/know about domains, only how to pass a string to AD and say "this auth plz?"
 