I found some problem with view along with one-way trust domains. It seem problem is occurred when I added the domain (client1.lab) to domain exclude. But, no error when I remove the domain from domain exclude list.
My setup is two domains; HQ.lab and client1.lab;
One-way Trust
HQ.lab -> client1.lab
(outgoing)-->--(incoming)
View Connection is member of HQ.lab.
Client1-VM-01 is member of client1.lab.
Here is the error log when I entered "vdmadmin -N -domains -exclude -domain CLIENT1 -add" for hide the domain on the Domain list in View client; So the user will need to enter UPN.
2015-09-19T02:31:22.841-05:00 INFO (09A0-08A0) <ajp-nio-8009-exec-1> [UserContext] (SESSION:95eb_***_0b70 user1@client1.lab) UPN Login: User with the UPN user1@client1.lab is the user CLIENT1\user1
2015-09-19T02:31:22.879-05:00 INFO (09A0-08A0) <ajp-nio-8009-exec-1> [AuthorizationFilter] (SESSION:95eb_***_0b70) User CLIENT1\user1 has successfully authenticated to VDM
2015-09-19T02:31:22.880-05:00 INFO (09A0-08A0) <ajp-nio-8009-exec-1> [PAEContext] (SESSION:95eb_***_0b70) Client supports idle session handling. User idle timeout set to: never. Desktop SSO: enabled. Application SSO: enabled.
2015-09-19T02:31:22.885-05:00 INFO (09A0-08A0) <ajp-nio-8009-exec-1> [Audit] (SESSION:95eb_***_0b70) BROKER_LOGON:USER:CLIENT1\user1;USERSID:S-1-5-21-1754858777-1199020022-3019864467-1106;USERDN:CN=S-1-5-21-1754858777-1199020022-3019864467-1106,CN=ForeignSecurityPrincipals,DC=vdi,DC=vmware,DC=int;
2015-09-19T02:31:23.207-05:00 INFO (02C0-0A80) <Thread-33> [g] (Request2) User user1 connected to the Secure Gateway Server - session ID: 04A6_***_00B4
2015-09-19T02:31:24.619-05:00 ERROR (0B80-1640) <MessageFrameWorkDispatch> [ws_winauth] Failed to bind to LDAP://client1.lab (The user name or password is incorrect.) {SESSION:95eb_***_0b70}
2015-09-19T02:31:24.619-05:00 ERROR (0B80-1640) <MessageFrameWorkDispatch> [ws_winauth] Failed to bind for SID=S-1-5-21-1754858777-1199020022-3019864467-1106, domain name=client1.lab {SESSION:95eb_***_0b70}
2015-09-19T02:31:24.624-05:00 ERROR (09A0-1004) <ajp-nio-8009-exec-6> [PAEContext] (SESSION:95eb_***_0b70) Could not determine if user account (user1) is valid for logon from AD, assuming disabled.
Also, the user (user1) will see an error after selecting the pool (c1-pool). "Your user account is disabled". I checked the account and it is still enabled.
When I entered "vdmadmin -N -domains -exclude -domain CLIENT1 -remove" to expose the domain to Domain list in View client. The user can enter either UPN or enter username and select the domain.
It works perfectly. No error appears on the log.
Bizarre thing. I already tried bind LDAP with UPN and without. It is working fine. Any idea why it failed to LDAP bind when domain is on exclude? And it works fine while domain is not on exclude.
Is it bug?