5 Replies Latest reply on May 3, 2015 4:38 PM by theclintjones

    Can't login with Orchestrator Client

    blazilla Enthusiast
    vExpert

      Hi everybody,

       

      I'm using a vCO appliance running version 5.5.2.1 build 2179237 in my lab. This appliance uses SSO for authentication. When I try to login with a user from my Active Directory Domain, I get the message that the password or the username are invalid. At the same time this is logged by the vCO appliance:

       

      INFO  {} [SamlTokenImpl] SAML token for SubjectNameId [value=Administrator@LAB.LOCAL, format=http://schemas.xmlsoap.org/claims/UPN] successfully parsed from Element

      INFO  {} [SamlTokenImpl] SAML token for SubjectNameId [value=Administrator@LAB.LOCAL, format=http://schemas.xmlsoap.org/claims/UPN] successfully parsed from Element

      INFO  {} [SecurityTokenServiceImpl] Successfully acquired token for user: Administrator@lab.local

      INFO  {} [SecurityTokenServiceImpl$RequestResponseProcessor] Failed trying to retrieve token: ns0:InvalidRequest: Access not authorized!

      ERROR {} [VcoFactoryFacade] Unable to login (Ex: javax.security.auth.login.LoginException: SSO server error)

       

      The user account "Administrator@lab.local" is a member of the group "Lab-vCO-Admins", which is configured as the vCO admin group. When I use the same credentials on the VMware vCenter Orchestrator Configuration Test Login page, the authentication is successful. To complete the matter, let me clearly state that everything was working BEFORE I updated the appliance from 5.5.1.0 build 1617225 to 5.5.2.1 build 2179237. The vCenter Server appliance is currently running version 5.5.0 Update 2.

       

      Thanks in advance.

      Best regards
      Patrick

      https://www.vcloudnine.de
        • 1. Re: Can't login with Orchestrator Client
          tschoergez Master
          User Moderators, vExpert, VMware Employees

          Hi Patrick,

          welcome to this part of the communities :-)

           

          Check out this: (from the release notes of vCO 5.5.2)

          • After upgrading vCenter Orchestrator to 5.5.2, you might not be able to log in to the Orchestrator client
            When you attempt to log in to the Orchestrator client after upgrading to vCenter Orchestrator 5.5.2, you might get an error message Invalid username/password.

            Workaround: Back up the %INSTALL_DIR%/apps/lib/bcprov-jdk15.jar file and delete it manually.

           

          Cheers,

          Joerg

          1 person found this helpful
          • 2. Re: Can't login with Orchestrator Client
            blazilla Enthusiast
            vExpert

            Hello Joerg,

             

            thanks for your reply. Unfortunately this wasn't the solution. I was able to solve the issue by unregistering and re-registering the Orchestrator with SSO, followed by a restart of the vCO configuration server and vCO Server service. Don't know why I didn't try this earlier...

             

            Thanks for your help!

            Best regards
            Patrick

            https://www.vcloudnine.de
            • 3. Re: Can't login with Orchestrator Client
              schistad Enthusiast

              Ran into the same issue here after upgrading vRO from 5.5.1 to 5.5.2.1 - logins did not work until I re-registered vRO against our SSO server. I am using the vRO appliance.

              • 4. Re: Can't login with Orchestrator Client
                ivand Enthusiast
                VMware Employees

                Just want to clarify why this is happening. This is caused by a change in the way Orchestrator is working with SSO. The reason authentication is not working is that the Orchestrator solution user is not part of the ActAsUsers group in SSO after the upgrade. This is new to 5.5.2. If you add the Orchestrator solution user to that group through vSphere Web Client, you will be able to log in to Orchestrator Client. After registering Orchestrator again to SSO, the newly created solution user was added as a member of that group, and that's why you are able to log in.
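
The log sequence from the first post, read in light of the explanation above, as an added example that is not part of the original thread or VMware's code: a triage script that separates "SSO issued the user a token, then a later token request was refused" (an authorization problem on the SSO side, consistent with the missing ActAsUsers membership) from other login failures. The function name, verdict strings and sample log are constructed here; the line format is assumed to match the lines quoted in the first post.

```python
import re

# Constructed sample, shaped like the log lines quoted in the first post.
SAMPLE_LOG = """\
INFO  {} [SamlTokenImpl] SAML token for SubjectNameId [value=Administrator@LAB.LOCAL, format=http://schemas.xmlsoap.org/claims/UPN] successfully parsed from Element
INFO  {} [SecurityTokenServiceImpl] Successfully acquired token for user: Administrator@lab.local
INFO  {} [SecurityTokenServiceImpl$RequestResponseProcessor] Failed trying to retrieve token: ns0:InvalidRequest: Access not authorized!
ERROR {} [VcoFactoryFacade] Unable to login (Ex: javax.security.auth.login.LoginException: SSO server error)
"""

# LEVEL {context} [source] message
LINE = re.compile(r"^(?P<level>[A-Z]+)\s+\{[^}]*\}\s+\[(?P<src>[^\]]+)\]\s+(?P<msg>.*)$")
ACQUIRED = re.compile(r"Successfully acquired token for user: (?P<user>\S+)")
DENIED = "Failed trying to retrieve token: ns0:InvalidRequest: Access not authorized!"
LOGIN_FAILED = "Unable to login"


def classify_logins(log_text):
    """Return one (user, verdict) tuple per failed login found in log_text."""
    findings = []
    user, denied = None, False
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a log line in the assumed format
        src, msg = m["src"], m["msg"]
        acquired = ACQUIRED.search(msg)
        if src == "SecurityTokenServiceImpl" and acquired:
            # SSO accepted the user's credentials and issued a token.
            user, denied = acquired["user"], False
        elif src.startswith("SecurityTokenServiceImpl") and msg.startswith(DENIED):
            # A token request was refused for lack of authorization.
            denied = True
        elif src == "VcoFactoryFacade" and msg.startswith(LOGIN_FAILED):
            if user and denied:
                verdict = "token-issued-then-access-denied"
            else:
                verdict = "unclassified"
            findings.append((user, verdict))
            user, denied = None, False  # reset for the next attempt
    return findings


if __name__ == "__main__":
    for who, verdict in classify_logins(SAMPLE_LOG):
        print(who, verdict)
```

A "token-issued-then-access-denied" verdict means the user's password is not the problem, so the SSO registration and the solution user's group membership are the things to check.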

                • 5. Re: Can't login with Orchestrator Client
                  theclintjones Lurker

                  I had the same issue - resolved by the service restart and SSO un/reconfigure. Looks like a common issue in this implementation.