1) In the Security log on our vCenter server we see an Event 4776 Audit Failure entry for the service account used for Composer, which is then followed by a successful logon for the service account. This is occurring every few seconds to every few minutes.
2) Additionally, in Horizon Administrator on both connection servers, we get the following warning once or twice a day:
vCenter at address https://VCENTER.XXXX.YYYY.EDU:443/sdk has invalid credentials
Everything in Horizon seems to be working fine, so I'm not sure if I need to be concerned with these or not.
- I’ve re-entered the credentials for the composer service account in the Horizon console (via View Configuration – Servers - vCenter Servers) on both connection servers. I can log into vSphere using that service account successfully. Rebooted vCenter server so all VMware services were restarted. The service account has Administrator role in vSphere and local admin rights on the server.
Environment:
- Horizon 7.3.2 - Two connection servers, one for internal use, one for external use paired with a security server.
- vSphere 6.5
In the vCenter server Security log:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2/20/2018 4:23:28 PM
Event ID: 4776
Task Category: Credential Validation
Level: Information
Keywords: Audit Failure
User: N/A
Computer: VCenter.xxxx.yyyy.edu
Description:
The computer attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: service_Composer
Source Workstation: VCENTER
Error Code: 0xC0000064
This is immediately followed by successful log on for the same service account:
Event ID: 4648
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2/20/2018 4:23:28 PM
Event ID: 4648
Task Category: Logon
Level: Information
Keywords: Audit Success
User: N/A
Computer: VCenter.xxxx.yyyy.edu
Description:
A logon was attempted using explicit credentials.
Subject:
Security ID: SYSTEM
Account Name: VCENTER$
Account Domain: OUR_DOMAIN
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: service_Composer
Account Domain: OUR_DOMAIN
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x870
Process Name: D:\Program Files (x86)\VMware\VMware View Composer\SviWebService.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Event ID: 4624
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2/20/2018 4:23:28 PM
Event ID: 4624
Task Category: Logon
Level: Information
Keywords: Audit Success
User: N/A
Computer: VCenter.xxxx.yyyy.edu
Description:
An account was successfully logged on.
Subject:
Security ID: SYSTEM
Account Name: VCENTER$
Account Domain: OUR_DOMAIN
Logon ID: 0x3E7
Logon Type: 8
Impersonation Level: Impersonation
New Logon:
Security ID: OUR_DOMAIN\service_Composer
Account Name: service_Composer
Account Domain: OUR_DOMAIN
Logon ID: 0x9A7BCD9
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x870
Process Name: D:\Program Files (x86)\VMware\VMware View Composer\SviWebService.exe
Network Information:
Workstation Name: VCENTER
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Event ID: 4672
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2/20/2018 4:23:28 PM
Event ID: 4672
Task Category: Special Logon
Level: Information
Keywords: Audit Success
User: N/A
Computer: VCenter.xxxx.yyyy.edu
Description:
Special privileges assigned to new logon.
Subject:
Security ID: OUR_DOMAIN\service_Composer
Account Name: service_Composer
Account Domain: OUR_DOMAIN
Logon ID: 0x9A7BCD9
Privileges: SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
Vpxd log from vCenter server:
2. For the warning “vCenter at address https://VCENTER.XXXX.YYYY.EDU:443/sdk has invalid credentials” the vpxd log has entries such as:
2018-02-22T06:00:24.370-07:00 info vpxd[10248] [Originator@6876 sub=vpxLro opID=4571102e] [VpxLRO] -- BEGIN lro-221825 -- SessionManager -- vim.SessionManager.login -- 52e0c5f1-f27b-0e0b-b161-e9adf5b8f4e0
2018-02-22T06:00:24.372-07:00 error vpxd[10248] [Originator@6876 sub=[SSO] opID=4571102e] [UserDirectorySso] AcquireToken exception: class SsoClient::CommunicationException(An established connection was aborted by the software in your host machine)
--> [context]zKq8NBMEAAAABCFDTbwAddnB4ZAAASi0fdm1hY29yZS5kbGwAAACHBgDesAYAtEECAdEkAnNzb0NsaWVudC5kbGwAAVRLBAIgaQZNU1ZDUjEyMC5kbGwAAm3jBQODKgludGRsbC5kbGwAAREfAgHSwgEE0HUQdnB4ZC5leGUABNb4cAS/8nAEG0pwBSfUDnZpbS10eXBlcy5kbGwABufcBHZtb21pLmRsbAAEdvEMBH+oCwTh3gsEzaMLBKbLCwCraBgAnHgYAIkLIgJ/TwICJlECB9ITAEtFUk5FTDMyLkRMTAAD9FQB[/context]
2018-02-22T06:00:24.375-07:00 error vpxd[10248] [Originator@6876 sub=User opID=4571102e] Failed to authenticate user <Our_Domain\service_Composer
2018-02-22T06:00:27.376-07:00 info vpxd[10248] [Originator@6876 sub=Default opID=4571102e] [VpxLRO] -- ERROR lro-221825 -- SessionManager -- vim.SessionManager.login: vim.fault.InvalidLogin:
--> Result:
--> (vim.fault.InvalidLogin) {
--> faultCause = (vmodl.MethodFault) null,
--> faultMessage = <unset>
--> msg = ""
--> }
--> Args:
-->
--> Arg userName:
--> "Our_Domain\service_Composer"
--> Arg password:
--> (not shown)
-->
--> Arg locale:
-->
Connection Server logs:
1) For the warning “vCenter at address https://VCENTER.XXXX.YYYY.EDU:443/sdk has invalid credentials” the connection server log has entries such as:
2018-02-22T06:00:26.937-07:00 ERROR (10B4-16B0) <VCHealthUpdate> [ServiceConnection25] Invalid VC login. Check username and password for VirtualCenter at https://VCENTER.XXXX.YYYY.EDU:443/sdk
2018-02-22T06:01:33.210-07:00 INFO (10B4-1AE0) <CacheRefreshThread-https://VCENTER.XXXX.YYYY.EDU:443/sdk> [CacheManager] Populating temporary stores for cache from VC Our_Domain\service_Composer@https://vCenter.xxxx.yyyy.edu:443/sdk
2018-02-22T06:01:33.302-07:00 INFO (10B4-1AE0) <CacheRefreshThread-https://VCENTER.XXXX.YYYY.EDU:443/sdk> [CacheManager] Temporary stores for cache populated for VC Our_Domain\service_Composer@https://vCenter.xxxx.yyyy.edu:443/sdk
And the application event log on the connection server shows:
BROKER_VC_STATUS_CHANGED_INVALID_CREDENTIALS
vCenter at address https://VCENTER.XXXX.YYYY.EDU:443/sdk has invalid credentials
Attributes:
Node=OUR_DOMAINPCON.Our_Domain.YYYY.edu
Severity=WARNING
Time=Thu Feb 22 06:00:26 MST 2018
VCAddress=https://VCENTER.XXXX.YYYY.EDU:443/sdk
Module=Broker
Source=com.vmware.vdi.broker.health.l
Acknowledged=true
Thank you for any assistance.
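The pattern in the post above is a 4776 failure with error 0xC0000064 (STATUS_NO_SUCH_USER) followed in the same second by a successful 4624 logon from SviWebService.exe. The following added example, which is not part of the original thread or of any VMware tooling, separates those paired failures from 4776 failures that are never followed by a success. The record field names, the 2-second window and the sample events (including the svc_backup account) are constructed assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample records (not real log data). The field names are
# assumptions standing in for values exported from the Security log.
PROC = r"D:\Program Files (x86)\VMware\VMware View Composer\SviWebService.exe"
SAMPLE_EVENTS = [
    {"time": "2018-02-20T16:23:28", "id": 4776, "account": "service_Composer", "status": "0xC0000064"},
    {"time": "2018-02-20T16:23:28", "id": 4624, "account": "service_Composer", "logon_type": 8, "process": PROC},
    {"time": "2018-02-20T16:25:10", "id": 4776, "account": "SERVICE_COMPOSER", "status": "0xC0000064"},
    {"time": "2018-02-20T16:25:11", "id": 4624, "account": "service_Composer", "logon_type": 8, "process": PROC},
    {"time": "2018-02-20T16:40:00", "id": 4776, "account": "service_Composer", "status": "0xC0000064"},
    {"time": "2018-02-20T16:41:30", "id": 4776, "account": "svc_backup", "status": "0xC000006A"},
]

def triage_4776(events, window_seconds=2):
    """Pair each failed 4776 with a 4624 success for the same account that
    follows within window_seconds; anything left over is 'unmatched'."""
    parsed = sorted(({**e, "ts": datetime.fromisoformat(e["time"])} for e in events),
                    key=lambda e: e["ts"])
    logons = [e for e in parsed if e["id"] == 4624]
    used = set()      # each success may explain only one failure
    results = []
    for fail in parsed:
        if fail["id"] != 4776 or fail["status"].lower() == "0x0":
            continue  # skip non-4776 events and successful validations
        match = None
        for i, ok in enumerate(logons):
            delta = ok["ts"] - fail["ts"]
            if (i not in used
                    and ok["account"].lower() == fail["account"].lower()
                    and timedelta(0) <= delta <= timedelta(seconds=window_seconds)):
                match = ok
                used.add(i)
                break
        results.append({
            "time": fail["time"],
            "account": fail["account"],
            "status": fail["status"],
            "verdict": "followed_by_success" if match else "unmatched",
            "process": match["process"] if match else None,
        })
    return results

def summarize(results):
    """Count failures per (account, status, verdict) to show what needs review."""
    return Counter((r["account"].lower(), r["status"], r["verdict"]) for r in results)
```

Unmatched rows are the ones to look at first: a failure with no following success for the same account is not explained by the Composer retry pattern.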
PaulMurphyCO - Sorry, this is not a solution suggestion; I am just jumping on your thread as we have seen the same issue. Our environment is slightly different: our Composer and vCenter are on separate systems. vCenter is the appliance, but Composer is sitting on a Windows 2016 box. We tracked this behavior down to the VMware Horizon 7 Composer service. If we turn that off, the events stop; start the service and the events start. Looking at info about event ID 4776, it occurs "When a domain controller successfully authenticates a user via NTLM (instead of Kerberos), the DC logs this event." We see the 4776 event on our Composer server and one of our DCs, whichever one the Composer server picks to auth to that day. It looks like the account is first being evaluated on the local machine for authentication, then attempts at the DC. Again, sorry for no solution - other than turning off the service LOL - just more info and maybe attention from someone who will have a solution.
We are having the same issue, anyone found a solution yet?
Has anyone found a fix for this? Our environment is having the same issues.
You need to follow the below steps,
1. Go to the view admin page.
2. View configuration > Servers > vCenter Servers.
3. Select the vCenter and click on Edit
4. Under View Composer server settings click on Edit.
5. In the Username box, change the name of the user from Domain\username to username@domain.
6. Provide the password and click OK
7. Check if you are still getting the same results in the security event viewer.
And if the view version is 7.0.3 and later, please follow the below article,
Old ticket, but we are experiencing this issue, so did any of the above work in resolving the issue? Only see this event on our Composer server, no other.
Thanks in advance,