VMware Identity Manager / Workspace ONE Access Users Not Synching
There are a number of reasons why users may be unable to authenticate to VMware Identity Manager. One of them is that the account does not yet exist within VMware Identity Manager, which is what authorizes the account to use the unified catalog as a resource. Below are points to help ensure you don't fall prey to the most common causes.
User Synchronization Misconfigurations:
1. Base DNs not defined or not properly defined - This occurs when the base DNs for user synch are set too deep in the Sync Settings (within the Users tab), or when only specific user accounts are synched (e.g. "CN=John Doe,CN=Users,DC=Corp,DC=local"). It should be noted that base DNs do not necessarily have to be set, but it is good practice to do so, as some accounts may not be synched otherwise. Use of filters on this one is recommended to remove any red synch errors.
2. Using Groups to Synch Users - I've also seen this when not synching users directly but rather using groups to sync users, specifically when using the "Sync nested group members" option (if this is not set, users will not be synched). It should be noted that using this configuration solely for synching users is not the best option, as it is more common for users to be missed than for users to "accidentally" gain access to something. Therefore it is recommended to use this setting in combination with defining base DNs to synch users from.
3. Horizon provisioning to synch users - This is similar to the second configuration option: when no users or groups to synch are defined in the Identity Manager directory configuration and only the "Perform Directory Sync" Horizon setting is used (it must be enabled), any user who does not have a Horizon resource provisioned will not be synched into VMware Identity Manager. As above, using this configuration solely for synching users is not the best option, as it is more common for users to be missed than for users to "accidentally" gain access to something. Therefore it is recommended to use this setting in combination with defining base DNs to synch users from.
4. Only Users who are Provisioned Resources are Synched - This is a feature of VMware Identity Manager 3.x intended to ensure that the initial A.D. synch does not overwhelm production Active Directory servers or take excessively long to synch users. Ultimately this means any user who does not actually have a VMware Identity Manager resource provisioned - whether SaaS, Web, ThinApp, Horizon, or Citrix - will not be synched into VMware Identity Manager until a resource is assigned to them. If this is the case, the easiest way to work around it is to use group assignment and assign a resource either to an Active Directory group which the user is a member of AND which has also been synched into VMware Identity Manager, OR to the VMware Identity Manager built-in ALL USERS group (a word of caution: doing so may add many more users to VMware Identity Manager). NOTE: Users who had a resource provisioned to them at one point but have since had all provisions removed will not automatically be removed from VMware Identity Manager.
Preventing Sync Errors through User Exclusions:
After defining user DNs for synching users, and once synchronization is successful, you'll likely start to notice sync alerts in red, either within the test run or during the actual directory sync.
During the test run, these will show within a red box using black text and indicate why these are occurring (e.g. the account doesn’t have a valid email address, a valid first name or last name, etc.).
After the actual sync, within the Sync Log tab, sync alerts will show as red text within the Sync Alerts log, and again will state the reason why. It should be noted that a sync may have alerts regardless of whether it completed successfully or not.
These sync alerts must be resolved in order for automated, periodic directory syncs to continue working: after 1000 sync alert errors have accumulated, automated syncing stops until the directory settings are re-saved. Therefore it is imperative to alleviate these sync alerts, and the only means of doing so is the user exclusions.
It is best practice to define exclusion filters as broadly as possible in order to easily capture as many of the accounts that should not be synchronized into Workspace ONE Access as possible. However, take care not to catch any valid accounts with your exclusions, as this will result in REMOVING those user accounts from Workspace ONE Access and prevent them from logging in.
In the example above, all accounts in my test domain which should not be synchronized did not have a valid email address, therefore I set the "Mail... does not contain... '@'" rule so that any account it found (i.e. a Windows admin or service account) which does not need user interactive login to Workspace ONE Access is prevented from synchronizing.
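As an added example (not VMware's code or the author's), the following Python dry-runs exclusion rules such as the "Mail does not contain @" rule above against directory records before they are applied: it lists the accounts the rules exclude, the accounts still synced that would raise an alert (rules too narrow), and the accounts with complete attributes that the rules would remove (rules too broad). The operator semantics are an assumed approximation of the exclusion-filter UI, and the records are constructed sample data.

```python
"""Dry-run of Workspace ONE Access user-exclusion rules against directory records.

Added example, not VMware's code. The sync-alert conditions (no valid mail, first
name or last name) come from the article; the operator semantics are an assumed
approximation of the exclusion-filter UI; USERS is constructed sample data (in
practice, export the attributes of the user base DN you sync).
"""
from typing import Callable

REQUIRED = ("mail", "givenName", "sn")  # attributes a user must have to sync without an alert

OPERATORS: dict[str, Callable[[str, str], bool]] = {
    "contains": lambda actual, value: value.lower() in actual.lower(),
    "does not contain": lambda actual, value: value.lower() not in actual.lower(),
    "starts with": lambda actual, value: actual.lower().startswith(value.lower()),
}

# Constructed sample records shaped like an LDAP export of the user base DN.
USERS = [
    {"dn": "CN=John Doe,OU=Staff,DC=corp,DC=local", "mail": "jdoe@corp.local", "givenName": "John", "sn": "Doe"},
    {"dn": "CN=Mary Jones,OU=Staff,DC=corp,DC=local", "mail": "mjones@corp.local", "givenName": "Mary"},
    {"dn": "CN=svc-backup,OU=Service,DC=corp,DC=local", "givenName": "svc-backup"},
    {"dn": "CN=winadmin,CN=Users,DC=corp,DC=local", "givenName": "Win", "sn": "Admin"},
    {"dn": "CN=Bob Ext,OU=Contractors,DC=corp,DC=local", "mail": "ext-bob@partner.example", "givenName": "Bob", "sn": "Ext"},
]

def rule_matches(user: dict, attribute: str, operator: str, value: str) -> bool:
    """True when one exclusion rule (attribute / operator / value) applies to the user."""
    return OPERATORS[operator](user.get(attribute, ""), value)  # an absent attribute counts as ""

def alert_reasons(user: dict) -> list[str]:
    """Required attributes the record lacks; each would be reported as a sync alert."""
    return [attr for attr in REQUIRED if not user.get(attr)]

def dry_run(users: list[dict], rules: list[tuple[str, str, str]]) -> dict:
    """Predict the effect of the rules: 'excluded' DNs, remaining 'alerts' (rules too
    narrow) and 'collateral' valid accounts the rules would remove (rules too broad)."""
    excluded = [u["dn"] for u in users if any(rule_matches(u, *r) for r in rules)]
    alerts = {u["dn"]: alert_reasons(u) for u in users if u["dn"] not in excluded and alert_reasons(u)}
    collateral = [u["dn"] for u in users if u["dn"] in excluded and not alert_reasons(u)]
    return {"excluded": excluded, "alerts": alerts, "collateral": collateral}

if __name__ == "__main__":
    article_rule = [("mail", "does not contain", "@")]
    too_broad = article_rule + [("mail", "contains", "ext-")]  # would also drop a valid contractor
    for rules in (article_rule, too_broad):
        print(rules, dry_run(USERS, rules))
```

With the article's rule alone, the two accounts without a mail address are excluded, Mary Jones still raises an alert (no last name) and no valid account is caught; adding the "ext-" rule shows Bob Ext as collateral.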