VMware Cloud Community
BrianMitchellTX
Enthusiast
Enthusiast
‎10-08-2014 09:50 AM

[Solved] Login Failed. Please contact your System Administrator and report error code xxxxxxxx

I saw one other thread where someone was getting the same error but his log message was different. So, instead of hijacking that thread I decided to post the resolution for my problem. [Solution at the bottom in green for those who don't care about the error]

I could not log into the appliance, it would always fail with "Login Failed. Please contact your System Administrator and report error code". If I typed a bogus password it would tell me the credentials were invalid so at least I knew it was talking with the identity appliance.

Looking at the catalina.out (/var/log/vcac/catalina.out) I saw the error Caused by: java.lang.IllegalArgumentException: Validating notBefore fails

My first impression was a certificate problem, especially since I was using self signed certs (and they were just generated) and certificate problems keep coming up when troubleshooting authentication issues. Maybe a bug with the timezone offset? Nope, I went to bed and the next morning had the same problem. Time to dig a little deeper.

I should have looked at the entire error because the problem was in there but it was extremely easy to gloss over...unless you're a computer.

Caused by: java.lang.IllegalArgumentException: Validating notBefore fails:java.util.GregorianCalendar[time=1412782803431,areFieldsSet=false,areAllFieldsSet=false,lenient=true,zone=sun.util.calendar.ZoneInfo[id="GMT",offset=0,dstSavings=0,useDaylight=false,transitions=0,lastRule=null],firstDayOfWeek=1,minimalDaysInFirstWeek=1,ERA=1,YEAR=2014,MONTH=9,WEEK_OF_YEAR=41,WEEK_OF_MONTH=2,DAY_OF_MONTH=8,DAY_OF_YEAR=281,DAY_OF_WEEK=4,DAY_OF_WEEK_IN_MONTH=2,AM_PM=0,HOUR=10,HOUR_OF_DAY=10,MINUTE=40,SECOND=3,MILLISECOND=431,ZONE_OFFSET=-21600000,DST_OFFSET=3600000]

Comparing the times between the two appliances I discovered that my VCAC server was ~25 seconds off (behind) from the identity appliance and even a 1 second delta will invalidate the SAML. That's what I get for using a Windows box as a NTP server.

I re-synchronized the times, validated they were in the same second and the authentication starting working.

....and I thought KERBEROS was strict with time skew!

1 Reply
vamsee83
Contributor
Contributor
‎01-14-2015 01:53 PM

Thank You so much for posting it solved my issue too.

0 Kudos