I installed vCenter Web Client on one host and Active Directory (Windows 2008 R2) on another host. I was able to add the identity source successfully without any errors. However, when I log in I get the following exception on the web client:
"The authentication server returned an unexpected error: ns0:RequestFailed: Referral. The error may be caused by a malfunctioning identity source."
The vmware-sts-idmd logs show the following:
2014-01-30 10:08:07,071 INFO [IdentityManager] Authentication failed for user [administrator@xxx.nn.nn.nn] in tenant [vsphere.local] in [1] milliseconds
2014-01-30 10:08:14,996 INFO [IdentityManager] Authentication succeeded for user [administrator@xxxxxxx] in tenant [vsphere.local] in [18] milliseconds
2014-01-30 10:08:15,161 WARN [LdapErrorChecker] Error received by LDAP client: com.vmware.identity.interop.ldap.WinLdapClientLibrary, error code: 10
2014-01-30 10:08:15,162 ERROR [IdentityManager] Failed to get attributes for principal [administrator@xxxxxxx] in tenant [vsphere.local]
2014-01-30 10:08:15,162 ERROR [ServerUtils] Exception 'com.vmware.identity.interop.ldap.ReferralLdapException: Referral
LDAP error [code: 10]'
com.vmware.identity.interop.ldap.ReferralLdapException: Referral
LDAP error [code: 10]
at com.vmware.identity.interop.ldap.LdapErrorChecker$11.RaiseLdapError(LdapErrorChecker.java:172)
at com.vmware.identity.interop.ldap.LdapErrorChecker.CheckError(LdapErrorChecker.java:826)
at com.vmware.identity.interop.ldap.WinLdapClientLibrary.CheckError(WinLdapClientLibrary.java:758)
at com.vmware.identity.interop.ldap.WinLdapClientLibrary.ldap_search_s(WinLdapClientLibrary.java:433)
at com.vmware.identity.interop.ldap.LdapConnection$3.call(LdapConnection.java:334)
at com.vmware.identity.interop.ldap.LdapConnection$3.call(LdapConnection.java:331)
at com.vmware.identity.interop.ldap.LdapConnection.execute(LdapConnection.java:65)
at com.vmware.identity.interop.ldap.LdapConnection.search(LdapConnection.java:330)
at com.vmware.identity.interop.ldap.LdapConnection.search(LdapConnection.java:299)
at com.vmware.identity.idm.server.provider.ldap.LdapWithAdMappingsProvider.getPrimaryGroupDN(LdapWithAdMappingsProvider.java:395)
at com.vmware.identity.idm.server.provider.ldap.LdapWithAdMappingsProvider.getAttributes(LdapWithAdMappingsProvider.java:270)
at com.vmware.identity.idm.server.IdentityManager.getAttributeValues(IdentityManager.java:2631)
at sun.reflect.GeneratedMethodAccessor31.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at sun.rmi.server.UnicastServerRef.dispatch(Unknown Source)
at sun.rmi.transport.Transport$1.run(Unknown Source)
at sun.rmi.transport.Transport$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at sun.rmi.transport.Transport.serviceCall(Unknown Source)
at sun.rmi.transport.tcp.TCPTransport.handleMessages(Unknown Source)
at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run0(Unknown Source)
at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Has anyone experienced this type of issue?
bump...any help or direction is greatly appreciated
Hi,
I am not sure about what the snip indicates but I can suggest the following:
Set the AD identity source as the default domain for SSO. Refer to the section "Set the Default Domain for vCenter Single Sign-On" in the vSphere 5.5 Documentation Center.
Did you assign admin permissions to the AD user account that you are trying to log in with? Refer to the section "Assign Permissions in the vSphere Web Client" in the vSphere 5.5 Documentation Center.
-Arun
http://highoncloud.blogspot.in/
About VMware Virtualization on NetApp
I am also having this problem. Setting the Default Domain doesn't help. Admin permissions are set.
How did you add the Active Directory to the SSO as Identity Source? Using Integrated method or over LDAP? Are there any additional identity sources added over LDAP?
How exactly did you give permissions to the user you are trying to log in with? To the user directly, to a group of the domain, to a local group where the domain user is a member of?
ns0:RequestFailed: Referral and LDAP error 10 usually suggest some form of nesting which is unsupported in certain conditions. Also make sure you are running the latest version of Single Sign-On, as there have been bug fixes to rule out as much of the nesting issues as possible for now.
Both methods do not work. I am currently using LDAP. There are no other LDAP identity sources.
I gave permission to the user directly.
I am trying this with 5.5.0b, which is the latest version. In 5.1, everything works just fine. In 5.5 it gives the Referral error. I did a clean install of 5.5.0b and it doesn't work either.
Do you already have a case open with tech support?
Hello,
I didn't do a "manual" install of 5.5, only an upgrade, and there I faced some errors. The AD identity source was added without problems.
- The problem is that SSO only likes to have AD groups and AD users granted directly on vCenter. So if you have a local group that the AD users are in, and you try using the local group, then the AD users do not work.
- I also faced problems without NetBIOS; I had to activate NetBIOS during the upgrade. So they changed something between short name and FQDN in the 5.5 installation process...
PS: you could try removing the local identity source if you don't need it; maybe that solves the problem.
Best regards
Max
After installing vSphere 5.5 I got the same issue with authenticating from AD identity sources:
The authentication server returned an unexpected error: ns0:RequestFailed: Referral. The error may be caused by a malfunctioning identity source.
And I found strange behavior: this happens only with Active Directories hosted on Windoze 2008 R2 controllers.
On identity sources from a Windoze 2003 R2 AD all works fine in vCenter 4.1, 5.1 and 5.5.
I have a big infrastructure with 3 different versions of vCenter servers and 3 different Active Directories (2 on Win2008R2 and 1 on Win2003R2).
Now I tested all of these with each other:
Summary:
Active Directory   | vCenter 4.1 on Windoze 2k3 | vCenter 5.1 on Windoze 2k8R2 | vCenter 5.5 on Windoze 2k8R2
Windoze 2008 R2    | OK                         | OK                           | FAIL
Windoze 2003 R2    | OK                         | OK                           | OK
All vCenters are fresh installs (meaning not upgraded from any previous version).
I found the main cause of that error:
If the authenticating user is a member of a group from another domain of the same AD forest, no matter whether there is a mutual trust between those domains.
For example,
domain.local is the parent domain of child.domain.local, domain.local trusts child.domain.local, and child.domain.local trusts domain.local
CN=vmware-user,OU=Users,DC=domain,DC=local - user in domain.local
CN=childGroup,OU=Groups,DC=child,DC=domain,DC=local - group in child.domain.local
1. Now configure SSO to authenticate users from domain.local by adding domain.local as an identity source in SSO Administration, and add vmware-user@domain.local as a vCenter user.
Now we can log in to the vCenter Web Client and Windows Client with vmware-user@domain.local and all works fine!
2. Because of the trust, we can make vmware-user a member of the trusted domain's group childGroup.
If we do so, so that vmware-user is a member of childGroup in the child.domain.local domain, and we try to log in to vCenter again as vmware-user@domain.local, we get an error:
The authentication server returned an unexpected error: ns0:RequestFailed: Referral. The error may be caused by a malfunctioning identity source.
This is a BUG and VMware must fix that, I hope
Further investigations with VMware support technicians brought us to the solution:
In vSphere 5.5 there are 4 types of identity sources:
1. Active Directory (Windows Integrated Authentication)
2. Active Directory as LDAP-Server
3. Open LDAP
4. LocalOS
In 5.1 there was only one option for an Active Directory identity source, simply called "Active Directory".
So the problem was solved by adding the SSO server to the PARENT Active Directory domain, and everything started working like in vSphere 5.1.
To resolve this issue, remove the existing Active Directory Identity Source, and recreate it with a Domain Alias.
To remove the existing Active Directory Identity Source, and recreate it with a Domain Alias:
Hello,
we got a similar problem after upgrading from 5.1 to 5.5.
we've tried all the things mentioned above - nothing worked for us.
Our issue was that SSO seemed to be working (browsing SSO identity sources was possible) but login with a user from an AD-LDAP source wasn't possible.
Solution for us:
we "forgot" (or were they deleted after 5.1? I don't know) to set the ports of the LDAP servers; after we added the port, it worked fine!
-> active directory as ldap server,
--> ldap://servername:3268
br
Gerald
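The two findings above, f1refoxy's (a parent-domain user who is a member of a child-domain group triggers the referral) and Gerald's (pointing the identity source at port 3268 makes login work), fit together. Port 389 (636 for LDAPS) serves only the DC's own domain partition, so a lookup of an object that lives in another domain of the forest comes back as a referral, LDAP result code 10, the code the vmware-sts-idmd stack trace above shows being raised inside the group lookup. Ports 3268/3269 are the Global Catalog, which holds a partial replica of every domain in the forest, so the same lookup succeeds there. The following Python is an added example, not code from this thread or from VMware: it does not contact a domain controller, it models that behaviour on DNs so you can spot which group memberships will break an identity source that points at a domain port. The user and group DNs are constructed from f1refoxy's post; the port/partition rules are stated as assumptions in the comments.

```python
"""Flag cross-domain AD group memberships that make vCenter SSO hit an LDAP referral.

Added example, not from the thread or from VMware. Works on DNs only; it models
the behaviour described in the posts instead of querying a domain controller.
"""
import re

# LDAP result code 10 (referral), as seen in the vmware-sts-idmd log above.
LDAP_REFERRAL = 10

# Assumption used by the model: a domain port answers only for the DC's own
# domain partition and refers elsewhere; the Global Catalog ports hold a
# partial replica of every domain in the forest and so do not refer.
DOMAIN_PORTS = {389, 636}
GLOBAL_CATALOG_PORTS = {3268, 3269}


def split_dn(dn):
    """Split a DN into its RDN strings, honouring backslash-escaped commas."""
    return re.split(r'(?<!\\),', dn)


def dn_domain(dn):
    """Return the DNS domain encoded in the DC= components of a DN, lower-cased.

    'CN=x,OU=Groups,DC=child,DC=domain,DC=local' -> 'child.domain.local'
    """
    parts = [p.strip() for p in split_dn(dn)]
    labels = [p.split('=', 1)[1] for p in parts if p.lower().startswith('dc=')]
    if not labels:
        raise ValueError('no DC components in DN: %r' % dn)
    return '.'.join(labels).lower()


def foreign_groups(user_dn, group_dns):
    """Groups that live in a different domain than the user: the memberships
    f1refoxy identified as the trigger for the Referral error."""
    user_domain = dn_domain(user_dn)
    return [g for g in group_dns if dn_domain(g) != user_domain]


def lookup_result(group_dn, source_domain, port):
    """Model how a DC of source_domain answers a search for group_dn on a port.

    Returns 0 (success) or LDAP_REFERRAL, following the port assumptions above.
    """
    if port in GLOBAL_CATALOG_PORTS:
        return 0
    if dn_domain(group_dn) == source_domain.lower():
        return 0
    return LDAP_REFERRAL


def check_sso_login(user_dn, group_dns, source_domain, port):
    """Return (ok, offending_groups); ok is False if any group lookup refers."""
    bad = [g for g in group_dns
           if lookup_result(g, source_domain, port) == LDAP_REFERRAL]
    return (not bad, bad)


def identity_source_url(server, use_tls=False):
    """Server address for an 'Active Directory as an LDAP Server' identity
    source that targets the Global Catalog instead of a domain port."""
    return ('ldaps://%s:3269' if use_tls else 'ldap://%s:3268') % server


# Constructed from the thread: a parent-domain user who is a member of one
# group in his own domain and one group in the child domain.
USER_DN = 'CN=vmware-user,OU=Users,DC=domain,DC=local'
GROUPS = [
    'CN=vCenter Admins,OU=Groups,DC=domain,DC=local',   # hypothetical same-domain group
    'CN=childGroup,OU=Groups,DC=child,DC=domain,DC=local',
]

if __name__ == '__main__':
    print('cross-domain groups:', foreign_groups(USER_DN, GROUPS))
    for port in (389, 3268):
        ok, bad = check_sso_login(USER_DN, GROUPS, 'domain.local', port)
        print('port %d: %s %s' % (port, 'OK' if ok else 'FAIL (referral)', bad))
    print('identity source address:', identity_source_url('dc1.domain.local'))
```

Running it with the constructed data lists childGroup as the cross-domain membership, reports FAIL (referral) on 389 and OK on 3268, and prints ldap://dc1.domain.local:3268 as the address to put in the identity source. One caveat when you switch to the Global Catalog: it replicates only the partial attribute set, so membership of universal groups is visible forest-wide, while the members of global and domain-local groups from other domains are not; check that the groups you grant vCenter permissions to actually resolve through the GC before relying on them.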
Solution for us:
we "forgot" (or were they deleted after 5.1? I don't know) to set the ports of the LDAP servers; after we added the port, it worked fine!
-> active directory as ldap server,
--> ldap://servername:3268
I don't know how or why this works, but it works for us as well. Our NetBackup service account couldn't connect, and couldn't even log in to the web page. Every single other account worked just fine. After I changed the identity sources to include the port number, now the backup account can log in. I have no idea why. At this point I don't care as long as it works. Thanks for the info!
Adam
I had been fighting SSO for hours, until I found this post about using port 3268. Now magically everything works.
Wow! that worked for me as well. Thanks f1refoxy
@f1refoxy: Thank you! A simple solution to an annoying problem that just randomly showed up. We were working one day and the next we were not.
Adding the LDAP port to the Server Address field fixed it!