There is an authentication issue with vSphere Single Sign-On version 5.5 when both the Active Directory (AD) domain controller and the vCenter Single Sign-On Server are running on Windows Server 2012.
When your AD domain controller and your vCenter Single Sign-On server are both running on Windows Server 2012, Single Sign-On is unable to authenticate AD users. You get a “Cannot parse group information” error, as shown in the figure below.
Symptoms
- Users cannot authenticate with a vCenter Single Sign-On (SSO) 5.5 system that is installed on Windows Server 2012 when this system is joined to an Active Directory domain whose domain controller is also running on Windows Server 2012.
- Users receive this error message when trying to log in through the vSphere Web Client:
Cannot Parse Group Information
Reason for this problem
- This issue occurs only in environments where BOTH of these conditions apply:
  - vCenter SSO 5.5 is running on Windows Server 2012, and
  - vCenter SSO 5.5 is joined to an Active Directory domain whose domain controller is running on Windows Server 2012
Resolution
This is a known issue affecting vCenter Server 5.5.
To resolve this issue, replace the %WINDIR%\System32\idm.dll file on all systems running vCenter SSO 5.5 with the idm.dll file that you can download from http://sdrv.ms/1a6WER8
Note: The attached idm.dll file is provided by VMware.
To replace the idm.dll file on the Windows Server 2012 running SSO 5.5:
- Log in as an administrator.
- Stop the VMware Identity Management Service on the vCenter SSO server. This also stops the VMware Secure Token Service.
- Back up the existing idm.dll by copying %WINDIR%\System32\idm.dll to %WINDIR%\System32\idm.dll.orig.
- Download the idm_patch09252013.zip attachment that contains the replacement idm.dll file, extract it, and copy the idm.dll into %WINDIR%\System32\.
- Start the VMware Secure Token Service on the vCenter SSO server. After replacing the DLL and restarting the services, the initial AD login may take longer than normal to authenticate.
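The steps above, as an added PowerShell script that is not part of the original post or of VMware's own tooling. It checks the replacement DLL's Authenticode signature and records SHA-256 hashes of both files before swapping them; it assumes the patch zip has already been extracted to the path in `$PatchDll` and that the replacement DLL is signed (if it is not, replace the signature check with a hash comparison against a value obtained from VMware through a trusted channel). The hash helper uses .NET directly so it also runs on the PowerShell 3.0 that ships with Windows Server 2012.

```powershell
# Added example, not VMware's code. Replaces idm.dll for the SSO 5.5 issue above
# with a signature check, a backup and a post-copy integrity check.
param(
    [string]$PatchDll  = "C:\temp\idm_patch09252013\idm.dll",  # assumed extraction path
    [string]$TargetDll = "$env:WINDIR\System32\idm.dll"
)
$ErrorActionPreference = 'Stop'

# SHA-256 via .NET, so this works without Get-FileHash (PowerShell 4.0+).
function Get-Sha256([string]$Path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { ([System.BitConverter]::ToString($sha.ComputeHash($stream))) -replace '-', '' }
    finally { $stream.Dispose(); $sha.Dispose() }
}

# 1. Refuse to install a replacement whose signature is missing or broken.
$sig = Get-AuthenticodeSignature -FilePath $PatchDll
if ($sig.Status -ne 'Valid') {
    throw "Replacement idm.dll signature status is '$($sig.Status)'; not installing."
}
Write-Host "Signer: $($sig.SignerCertificate.Subject)"
Write-Host "Replacement SHA256: $(Get-Sha256 $PatchDll)"

# 2. Stop the Identity Management service; -Force also stops the dependent
#    Secure Token Service, matching the behaviour described in the post.
$idm = Get-Service -DisplayName 'VMware Identity Management Service'
$sts = Get-Service -DisplayName 'VMware Secure Token Service'
Stop-Service -InputObject $idm -Force
$idm.WaitForStatus('Stopped', '00:02:00')

# 3. Back up the existing DLL and record its hash for later comparison.
Copy-Item -Path $TargetDll -Destination "$TargetDll.orig" -Force
Write-Host "Original SHA256: $(Get-Sha256 "$TargetDll.orig")"

# 4. Install the replacement and confirm it landed byte-for-byte.
Copy-Item -Path $PatchDll -Destination $TargetDll -Force
if ((Get-Sha256 $PatchDll) -ne (Get-Sha256 $TargetDll)) {
    throw "Installed idm.dll does not match the replacement file."
}

# 5. Bring the services back: Identity Management first, then Secure Token Service.
Start-Service -InputObject $idm
Start-Service -InputObject $sts
Write-Host "idm.dll replaced. The first AD login may take longer than normal."
```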