vCAC 6 System Exception vsphere.local Identity Stores


While the workaround below works well, I did find I ended up with couple other problems with AD user identification.  Not sure if that’s another bug or not, but after the workaround, I was able to successfully log in to AD, so authentication was working, the user ID was not properly identified somehow and some permissions and access levels were not recognized.  The original issue of the default tenant not working is apparently a known issue and should be resolved in SP1.

********END UPDATE********


My 2nd tip of the day is for when it comes time to configure your default tenant vsphere.local after you have set up your vCAC appliance and your IaaS services.

First, make sure you login as administrator@vsphere.local.  This is a bit annoying, as there still exists admin@vsphere.local, which is what was perfectly fine to use when you were setting up the vCAC/IaaS components, and even your domain credentials as they flow through the SSO server, but when you want to do something other than simply login and see a nice pretty empty page, use administrator@vsphere.local.

Once you’re logged in with that account, you’ll select the vsphere.lcoal default tenant under the, you guessed it, Tenants section of the Administration menu.  In order to use anything other than that default administrator@vsphere.local account, you’ll need to set up your Identity Stores, and then add in the users/groups you want to grant the Tenant and the Infrastructure Administrator roles.  After selecting the Identity Stores tab, this is where I first encountered a big System Exception yellow warning box, and had nothing in my list.  You can close that warning and continue, but trying to manually add your domains, whether you select Native or regular Active Directory types, gave me a failure to successfully connect to the domain.

I found the only way to make this work for me was to go back to SSO, which happily accepted my domain credentials, and check the Identity Sources (Don’t you love consistency in naming?) under the Single Sign On Configuration section.  The domain I was trying to add to vCAC’s tenant config was there, but it was configured as an ‘Active Directory (Integrated Windows Authentication)’ source type, as opposed to ‘Active Directory as a LDAP Server’.  Now, I’m not quite sure why that made a difference, but I definitely noticed some type casting of identity object types being attempted in the vCAC app server error logs when I tried to set up my Identity Store, which technically should have been inherited from SSO.  So, to move on, I removed the existing Identity Source from SSO, which should have been automatically added when you setup SSO initially, and replaced that Identity Source with a manual configuration of my domain as the secondary type I mentioned earlier.  Once that was completed, logging back into vCAC and editing the vsphere.local default tenant’s Identity Stores tab, I noticed the two domains I had configured in SSO magically appear.  Further, I could go into the Administrators tab, and the search correctly searched my Stores for the user or group I was typing in.

I made sure to go back and test that fix by removing my now working Identity Source in SSO, and replacing it with the original Integrated version, and vCAC now showed the Identity Store, but trying to configure/edit those settings in the Identity Stores section yielded blank fields, and trying to add users/group in the Administrators tab yielded no results.

So, for my purposes, I will keep my ‘Active Directory as a LDAP Server’ Identity Source type in SSO, so I can correctly work with my AD Identity Store in vCAC.



5 comments for “vCAC 6 System Exception vsphere.local Identity Stores

  1. March 6, 2014 at 10:01 pm

    Thanks.. this saved my bacon today..

  2. March 26, 2014 at 3:22 pm

    thanks, this fixed the problem with the default vsphere.local, but I want to use the same domain/ad for a second tenant. When I add the tenant identity store I get the error:

    Cannot test the connection to the identity store.

    Any ideas?

    • KjB
      March 26, 2014 at 5:44 pm

      See my next post ( and make sure you are at Update 1 for vCAC 6. Go into your SSO configuration and make sure that is setup correctly. You should be able to connect to the same source.

      • March 26, 2014 at 6:53 pm

        thanks but not exactly my issue. I installed 6.0.1 natively, not a patch. I’m also using the embedded sso that is part of the vcenter 5.5 appliance, not a separate vm. I had the same issue as your post above and by deleting and manually adding the AD info in sso fixed the problem for the default. I was also able to put the AD info back to AD (integrated) and it still works. However, when I try and create a second tenant, and define the new identity store, it fails with “Cannot test the connection to the identity store.” I can’t seem to get past this to get a second tenant created. The default tenant seems fine. I can search and add administrators, then log in as a tenant admin. I just cant create a second tenant. Any ideas would be appreciated.


Comments are closed.