VMware Cloud Community
travisgallegos
Contributor
Contributor
‎09-27-2017 05:37 PM
Jump to solution

Issues when using Windows Session Authentication

I recently upgraded my machine from Windows 8.1 to Windows 10 and now I am unable to use Windows Session Authentication when logging into vCenter.  I have downloaded the Enhanced Authentication Plugin and installed it.  I'm not sure if there is a policy that is affecting my browsers ability to load my credentials into the webpage or what else it could be. 

The Issue:

When I click the radio button for Windows Session Credentials, the webpage fills in my username (domain\username) and grays out the fields.  When I click Login,  I get an immediate  "Access Denied".  I know I have access because I have no issues on Windows 7 and 8.  Please Help!

Reply
0 Kudos
1 Solution

Accepted Solutions
Kiristo
Contributor
Contributor
‎12-06-2017 11:40 AM
Jump to solution

Travis,

I had the exact same issue.  Working with USAF SDC images, which is a standard desktop configuration built on a OS.  Usually with a lot more security settings enabled/configured.  In this case, I could get to vCenter via the Windows 7 SDC I was using, but not the Windows 10 one.  I opened my security policies and compared every single item and found the culprit!  In your security policy settings (local or GPO) go to Computer Configuration> Windows Settings>Security Settings>Local Policies>Security Options.  Look for "Network Security: Configure encryption types allowed for Kerberos", and edit it.  My Windows 10 machine had RC4_HMAC_MD5 unchecked.  Checking/enabling this resolved my issue.

This setting (and the "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing") are set because the AF network is going to fully FIPS compliant encryption.  There might be a way to change what VMware accepts on the otherside so limiting your network to FIPS compliant algorithms still lets you use SSO for VMware, but for me, I'm on a development network, so I just pushed out the above fix via GPO for the time being.  I disabled the System Cryptography policy as well as it was preventing some other software from working, but for VMware SSO, you probably only need the Kerberos encryption one.

Hope this helps.

View solution in original post

Reply
0 Kudos
5 Replies
AishR
VMware Employee
VMware Employee
‎10-05-2017 03:19 AM
Jump to solution

Does this happen when you use a different browser?

Do you see VMware CIP Message Proxy Service in the list of services, if yes, change startup type to Automatic (delayed start).

Reply
0 Kudos
travisgallegos
Contributor
Contributor
‎10-05-2017 04:10 PM
Jump to solution

I have used IE, Edge, Chrome, and Firefox.  I get the same error, "Invalid Credentials" on all except for Firefox.  Firefox doesn't see the Enhanced Authentication Plugin.

I went ahead and set VMware CIP Message Proxy Service to run Automatic (delayed start).  It was set to Automatic previously.  I will perform a restart and see if it fixes my issue.

Reply
0 Kudos
travisgallegos
Contributor
Contributor
‎11-06-2017 06:27 AM
Jump to solution

Nothing has changed.  I still get "Invalid Credentials" at login. 

Reply
0 Kudos
Kiristo
Contributor
Contributor
‎12-06-2017 11:40 AM
Jump to solution

Travis,

I had the exact same issue.  Working with USAF SDC images, which is a standard desktop configuration built on a OS.  Usually with a lot more security settings enabled/configured.  In this case, I could get to vCenter via the Windows 7 SDC I was using, but not the Windows 10 one.  I opened my security policies and compared every single item and found the culprit!  In your security policy settings (local or GPO) go to Computer Configuration> Windows Settings>Security Settings>Local Policies>Security Options.  Look for "Network Security: Configure encryption types allowed for Kerberos", and edit it.  My Windows 10 machine had RC4_HMAC_MD5 unchecked.  Checking/enabling this resolved my issue.

This setting (and the "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing") are set because the AF network is going to fully FIPS compliant encryption.  There might be a way to change what VMware accepts on the otherside so limiting your network to FIPS compliant algorithms still lets you use SSO for VMware, but for me, I'm on a development network, so I just pushed out the above fix via GPO for the time being.  I disabled the System Cryptography policy as well as it was preventing some other software from working, but for VMware SSO, you probably only need the Kerberos encryption one.

Hope this helps.

Reply
0 Kudos
travisgallegos
Contributor
Contributor
‎01-31-2018 05:38 AM
Jump to solution

Kiristo,

Thank you for the assistance.  Unfortunately that setting is grayed out and I am unable to change it.  Couldn't even find it in the registry to even test if this fix action works.  Over the last month, my Windows 10 machine is not asking for credentials at least.  It looks like it wants to authenticate, but it still comes up with invalid credentials.

Reply
0 Kudos