VMware Cloud Community
HobertB
Contributor

vCenter web Client 5.5 fails to log in using Active Directory

I installed vCenter Web Client on one host and Active Directory (Windows 2008 R2) on another host. I was able to add the identity source successfully without any errors. However, when I log in I get the following exception on the web client:

"The authentication server returned an unexpected error: ns0:RequestFailed: Referral. The error may be caused by a malfunctioning identity source."

The vmware-sts-idmd logs show the following:

2014-01-30 10:08:07,071 INFO   [IdentityManager] Authentication failed for user [administrator@xxx.nn.nn.nn] in tenant [vsphere.local] in [1] milliseconds
2014-01-30 10:08:14,996 INFO   [IdentityManager] Authentication succeeded for user [administrator@xxxxxxx] in tenant [vsphere.local] in [18] milliseconds
2014-01-30 10:08:15,161 WARN   [LdapErrorChecker] Error received by LDAP client: com.vmware.identity.interop.ldap.WinLdapClientLibrary, error code: 10
2014-01-30 10:08:15,162 ERROR  [IdentityManager] Failed to get attributes for principal [administrator@xxxxxxx] in tenant [vsphere.local]
2014-01-30 10:08:15,162 ERROR  [ServerUtils] Exception 'com.vmware.identity.interop.ldap.ReferralLdapException: Referral
LDAP error [code: 10]'
com.vmware.identity.interop.ldap.ReferralLdapException: Referral
LDAP error [code: 10]
    at com.vmware.identity.interop.ldap.LdapErrorChecker$11.RaiseLdapError(LdapErrorChecker.java:172)
    at com.vmware.identity.interop.ldap.LdapErrorChecker.CheckError(LdapErrorChecker.java:826)
    at com.vmware.identity.interop.ldap.WinLdapClientLibrary.CheckError(WinLdapClientLibrary.java:758)
    at com.vmware.identity.interop.ldap.WinLdapClientLibrary.ldap_search_s(WinLdapClientLibrary.java:433)
    at com.vmware.identity.interop.ldap.LdapConnection$3.call(LdapConnection.java:334)
    at com.vmware.identity.interop.ldap.LdapConnection$3.call(LdapConnection.java:331)
    at com.vmware.identity.interop.ldap.LdapConnection.execute(LdapConnection.java:65)
    at com.vmware.identity.interop.ldap.LdapConnection.search(LdapConnection.java:330)
    at com.vmware.identity.interop.ldap.LdapConnection.search(LdapConnection.java:299)
    at com.vmware.identity.idm.server.provider.ldap.LdapWithAdMappingsProvider.getPrimaryGroupDN(LdapWithAdMappingsProvider.java:395)
    at com.vmware.identity.idm.server.provider.ldap.LdapWithAdMappingsProvider.getAttributes(LdapWithAdMappingsProvider.java:270)
    at com.vmware.identity.idm.server.IdentityManager.getAttributeValues(IdentityManager.java:2631)
    at sun.reflect.GeneratedMethodAccessor31.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at sun.rmi.server.UnicastServerRef.dispatch(Unknown Source)
    at sun.rmi.transport.Transport$1.run(Unknown Source)
    at sun.rmi.transport.Transport$1.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.rmi.transport.Transport.serviceCall(Unknown Source)
    at sun.rmi.transport.tcp.TCPTransport.handleMessages(Unknown Source)
    at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run0(Unknown Source)
    at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)

Has anyone experienced this type of issue?
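
The log excerpt above has a recognisable shape: the bind for the user succeeds, and it is the attribute/group search that follows (getPrimaryGroupDN in the trace) that fails with LDAP result code 10, Referral. The following is an added example, not code from the original post or from VMware: a small parser for vmware-sts-idmd lines that correlates bind outcomes with later attribute-lookup failures and LDAP result codes, so the "bind OK, group lookup referred elsewhere" pattern can be spotted quickly. The sample log is constructed from the lines quoted in the post (user names masked as there); the result-code names follow RFC 4511.

```python
import re
from collections import Counter

# Constructed sample: the vmware-sts-idmd lines quoted in the post above
# (user names masked as in the post); the Java stack trace is left out.
SAMPLE_LOG = """\
2014-01-30 10:08:07,071 INFO   [IdentityManager] Authentication failed for user [administrator@xxx.nn.nn.nn] in tenant [vsphere.local] in [1] milliseconds
2014-01-30 10:08:14,996 INFO   [IdentityManager] Authentication succeeded for user [administrator@xxxxxxx] in tenant [vsphere.local] in [18] milliseconds
2014-01-30 10:08:15,161 WARN   [LdapErrorChecker] Error received by LDAP client: com.vmware.identity.interop.ldap.WinLdapClientLibrary, error code: 10
2014-01-30 10:08:15,162 ERROR  [IdentityManager] Failed to get attributes for principal [administrator@xxxxxxx] in tenant [vsphere.local]
2014-01-30 10:08:15,162 ERROR  [ServerUtils] Exception 'com.vmware.identity.interop.ldap.ReferralLdapException: Referral
LDAP error [code: 10]'
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) +"
    r"(?P<level>[A-Z]+) +\[(?P<component>[^\]]+)\] (?P<msg>.*)$"
)
AUTH_RE = re.compile(r"Authentication (?P<outcome>failed|succeeded) for user \[(?P<user>[^\]]+)\]")
ATTR_RE = re.compile(r"Failed to get attributes for principal \[(?P<user>[^\]]+)\]")
CODE_RE = re.compile(r"error code: (?P<code>\d+)")

# LDAP resultCode values (RFC 4511) that the SSO log reports as "error code: N"
LDAP_RESULT_CODES = {10: "referral", 32: "noSuchObject", 49: "invalidCredentials"}


def parse_line(line):
    """Split one vmware-sts-idmd line into timestamp, level, component and message;
    returns None for continuation lines such as the second half of a Java exception."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def summarize(log_text):
    """Correlate bind results with attribute-lookup failures and LDAP result codes."""
    summary = {
        "auth_failed": [],
        "auth_succeeded": [],
        "attribute_lookup_failed": [],
        "ldap_errors": Counter(),
    }
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        msg = rec["msg"]
        if m := AUTH_RE.search(msg):
            summary["auth_" + m["outcome"]].append(m["user"])
        elif m := ATTR_RE.search(msg):
            summary["attribute_lookup_failed"].append(m["user"])
        elif m := CODE_RE.search(msg):
            code = int(m["code"])
            summary["ldap_errors"][LDAP_RESULT_CODES.get(code, f"code{code}")] += 1
    # The tell-tale pattern from this thread: the bind works, then the group/attribute
    # search that follows it fails because the directory answered with a referral.
    summary["bind_ok_but_lookup_failed"] = [
        u for u in summary["auth_succeeded"] if u in summary["attribute_lookup_failed"]
    ]
    return summary


def diagnose(summary):
    """Turn the summary into operator-facing hints (the causes named in this thread)."""
    hints = []
    if summary["ldap_errors"].get("referral") and summary["bind_ok_but_lookup_failed"]:
        hints.append(
            "LDAP referral (resultCode 10) during the post-bind attribute/group search for "
            + ", ".join(summary["bind_ok_but_lookup_failed"])
            + ": the queried domain controller does not hold the object it was asked for. "
            "Check for group memberships in another domain of the forest, and whether the "
            "identity source targets a single domain (389/636) rather than a global catalog (3268/3269)."
        )
    for u in summary["auth_failed"]:
        hints.append(f"bind rejected for {u}: credentials or UPN suffix, not a referral problem")
    return hints


if __name__ == "__main__":
    for hint in diagnose(summarize(SAMPLE_LOG)):
        print(hint)
```

Run it against a real vmware-sts-idmd log by passing the file contents to summarize(); the first failed bind in the sample (administrator@xxx.nn.nn.nn) is reported separately because a rejected bind is a different problem from a referral during the group lookup.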

16 Replies
HobertB
Contributor

bump...any help or direction is greatly appreciated

f10
Expert

Hi,

I am not sure about what the snip indicates but I can suggest the following:

Set the AD identity source as the default domain for SSO. Refer to section "Set the Default Domain for vCenter Single Sign-On" from the vSphere 5.5 Documentation Center.

Did you assign admin permissions to the AD user account that you are trying to log in with? Refer to section "Assign Permissions in the vSphere Web Client" from the vSphere 5.5 Documentation Center.

-Arun

http://highoncloud.blogspot.in/

terahertz
Contributor

I am also having this problem. Setting the Default Domain doesn't help. Admin permissions are set.

admin
Immortal

How did you add the Active Directory to SSO as an identity source? Using the Integrated method or over LDAP? Are there any additional identity sources added over LDAP?

How exactly did you give permissions to the user you are trying to log in with? To the user directly, to a group of the domain, or to a local group of which the domain user is a member?

ns0:RequestFailed: Referral and LDAP error 10 usually suggest some form of nesting which is unsupported under certain conditions. Also make sure you are running the latest version of Single Sign-On, as there have been bug fixes to rule out as many of the nesting issues as possible for now.

terahertz
Contributor

Both methods do not work. I am currently using LDAP. There are no other LDAP identity sources.

I gave permission to the user directly.

I am trying this with 5.5.0b, which is the latest version. In 5.1, everything works just fine. In 5.5 it gives the Referral error. I did a clean install of 5.5.0b and it doesn't work either.

admin
Immortal

Do you already have a case open with tech support?

Madmax01
Expert

Hello,

I didn't do a "manual" install of 5.5, only an upgrade, and there I faced some errors. The AD identity source was added without problems.

- The problem is that SSO only likes to have AD groups and AD users granted directly to the vCenter. So if you have a local group that the AD users are in, and you try using the local group, then the AD users are not working.

- I also faced problems without NetBIOS. I had to activate NetBIOS through the upgrade. So they changed something between short name and FQDN in the 5.5 installation process...

PS: you could try removing the Local identity source if you don't need it; maybe that solves the problem.

Best regards

Max

stannum
Contributor

After installing vSphere 5.5 I got the same issue with authenticating from AD identity sources:

The authentication server returned an unexpected error: ns0:RequestFailed: Referral. The error may be caused by a malfunctioning identity source.

And I found strange behavior: this happens only with Active Directories that are hosted on Windoze 2008 R2 controllers.

On identity sources of Windoze 2003 R2 AD all works fine in vCenter 4.1, 5.1 and 5.5.

So I have a big infrastructure with 3 different versions of vCenter servers and 3 different Active Directories (2 on Win2008R2 and 1 on Win2003R2).

Now I've tested all of these with each other:

Summary:

Active Directory     vCenter 4.1 on Windoze 2k3     vCenter 5.1 on Windoze 2k8R2     vCenter 5.5 on Windoze 2k8R2
Windoze 2008 R2      OK                             OK                               FAIL
Windoze 2003 R2      OK                             OK                               OK

All vCenters are fresh installs (meaning not upgraded from any previous version).

stannum
Contributor

I found the main cause of that error:

If the authenticating user is a member of a group from another domain in the same AD forest; it doesn't matter whether there is a mutual trust between those domains.

For example,

domain.local is the parent domain of child.domain.local; domain.local trusts child.domain.local, and child.domain.local trusts domain.local.

CN=vmware-user,OU=Users,DC=domain,DC=local - user in domain.local

CN=childGroup,OU=Groups,DC=child,DC=domain,DC=local - group in child.domain.local

1. Now configure SSO to authenticate users from domain.local by adding domain.local as an identity source in SSO Administration, and add vmware-user@domain.local as a vCenter user.

Now we can log in to the vCenter Web Client and Windows Client with vmware-user@domain.local and all works fine!

2. Because of the trust, we can make vmware-user a member of the trusted domain group childGroup.

If we do so, so that vmware-user is a member of childGroup in the child.domain.local domain, and we try to log in to vCenter again as vmware-user@domain.local, we will get an error:

The authentication server returned an unexpected error: ns0:RequestFailed: Referral. The error may be caused by a malfunctioning identity source.

This is a BUG and VMware must fix that, I hope :)

stannum
Contributor

Further investigations with VMware support technicians brought us to the solution:

In vSphere 5.5 there are 4 types of identity sources:

1. Active Directory (Windows Integrated Authentication)

2. Active Directory as LDAP-Server

3. Open LDAP

4. LocalOS

In 5.1 there was only one option for an Active Directory identity source, simply called "Active Directory".

So the problem was solved by adding the SSO server to the PARENT Active Directory domain, and everything started working like in vSphere 5.1.

King_Robert
Hot Shot

To resolve this issue, remove the existing Active Directory Identity Source, and recreate it with a Domain Alias.

To remove the existing Active Directory Identity Source, and recreate it with a Domain Alias:

  1. Log into the vSphere Web Client using the Admin@System-Domain (for 5.1) or administrator@vsphere.local credentials (for 5.5).
  2. Click Administration.
  3. Under Sign-On and Discovery, click Configuration.
  4. Click the Active Directory identity source.
  5. Under Actions, click Edit Identity Source.
  6. Make note of the information in the identity source.
  7. Click Cancel.
  8. Under Actions, click Delete Identity Source.
  9. Recreate the identity source using the short NETBIOS name in the Domain Alias field.
  10. Click Test Connection.
  11. Click OK.
f1refoxy
Contributor

Hello,

We got a similar problem after upgrading from 5.1 to 5.5.

We've tried all the things mentioned above; nothing worked for us.
Our issue was that SSO seemed to be working (browsing SSO identity sources was possible), but login with a user from an AD-LDAP source wasn't possible.

Solution for us:

We "forgot" (or after 5.1 they have been deleted? don't know) to set the ports of the LDAP servers; after we added the port, it worked fine!

-> active directory as ldap server,
--> ldap://servername:3268

br

Gerald
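
The two findings in this thread fit together: stannum's case (a user in domain.local who is a member of a group in child.domain.local) fails because a domain controller queried on the default port 389 only holds its own domain partition and answers with a referral for objects elsewhere in the forest, while port 3268 is the Global Catalog, a read-only partial replica of every domain in the forest that can resolve such memberships locally. The following is an added example, not code from any post or from VMware: a small check that takes the identity source URL, the source's domain, a user DN and the user's group DNs, flags groups that live in another domain, and says whether the configured port can resolve them without a referral. The DNs are the ones from stannum's example; dc01.domain.local is a placeholder host I made up.

```python
from urllib.parse import urlsplit

# Active Directory LDAP ports: 389/636 serve a single domain partition and return
# referrals for objects held in other domains of the forest; 3268/3269 are the
# Global Catalog, a partial replica of every domain in the forest.
DOMAIN_PORTS = {389, 636}
GLOBAL_CATALOG_PORTS = {3268, 3269}


def parse_dn(dn):
    """Split a DN into (attribute, value) pairs. Assumes no escaped commas in values."""
    pairs = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def dn_domain(dn):
    """DNS name of the domain that holds the object, taken from its DC= components."""
    return ".".join(v for a, v in parse_dn(dn) if a == "dc").lower()


def classify_ldap_url(url):
    """'domain', 'global-catalog' or 'unknown' depending on the port the URL targets."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    if scheme not in ("ldap", "ldaps"):
        raise ValueError(f"not an LDAP URL: {url}")
    # No explicit port means the protocol default, which is a single-domain endpoint
    port = u.port or (636 if scheme == "ldaps" else 389)
    if port in GLOBAL_CATALOG_PORTS:
        return "global-catalog"
    if port in DOMAIN_PORTS:
        return "domain"
    return "unknown"


def check_identity_source(url, source_domain, user_dn, group_dns):
    """Report the groups a user holds outside the identity source's domain and
    whether resolving them through this URL would be answered with a referral."""
    source_domain = source_domain.lower()
    foreign = [g for g in group_dns if dn_domain(g) != source_domain]
    kind = classify_ldap_url(url)
    return {
        "url_kind": kind,
        "user_domain": dn_domain(user_dn),
        "foreign_groups": foreign,
        # a single-domain endpoint cannot answer for objects in another domain
        "referral_risk": bool(foreign) and kind == "domain",
    }


if __name__ == "__main__":
    # Constructed input: the objects from stannum's example; dc01 is a placeholder host
    user = "CN=vmware-user,OU=Users,DC=domain,DC=local"
    groups = ["CN=childGroup,OU=Groups,DC=child,DC=domain,DC=local"]
    for url in ("ldap://dc01.domain.local", "ldap://dc01.domain.local:3268"):
        print(url, check_identity_source(url, "domain.local", user, groups))
```

One caveat for anyone adopting the 3268 fix: the Global Catalog carries only a partial attribute set, and of the group types only universal groups have their member list replicated to it, so a membership that is still not visible on 3268 is a sign to look at the group scope rather than at the port.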

adamjg
Hot Shot

Solution for us:

we "forgot" (or after 5.1 they have been deleted? don't know) to set the ports of the LDAP servers; after we added the port, it worked fine!

-> active directory as ldap server,
--> ldap://servername:3268

I don't know how or why this works, but it works for us as well. Our NetBackup service account couldn't connect, and couldn't even log in to the web page. Every single other account worked just fine. After I changed the identity sources to include the port number, the backup account can now log in. I have no idea why. At this point I don't care as long as it works. Thanks for the info!

Adam

jimharle
Contributor

I had been fighting SSO for hours, until I found this post about using port 3268. Now magically everything works.

tiwana0009
Contributor

Wow! That worked for me as well. Thanks f1refoxy

VincentArriola
Contributor

@f1refoxy: Thank you! A simple solution to an annoying problem that just randomly showed up. We were working one day and the next we were not.

Adding the LDAP port to the Server Address field fixed it!
