I am running a vCenter Server Appliance (VCSA) with Platform Services Controller (PSC) on 6.5.0U1e and it is successfully joined to my Active Directory domain. I can successfully login to my vSphere Web Client using my AD credentials when I type them manually into the VMware vCenter Single Sign-On login screen. However, if I select the checkbox to Use Windows session authentication (which auto-populates the user name and password fields with the same AD credentials) I get an Invalid Credentials notification. I cannot login using the checkbox. Why? I have verified all VCSA hosts and hostname files are configured correctly, the domain and FQDN of the VCSA is configured correctly, IP, etc... The domain logins work fine except when using the checkbox.
EDIT. I should also mention I have the Enhanced Authentication plug-in installed, I've uninstalled the older Client Integration Plugin, and I am using Mozilla Firefox for which I had to complete a short workaround to permanently store an exception to use the vmware plugin in my browser in order to be able to check the checkbox. The checkbox remains greyed out in Edge and IE.
Yes this Group Policy setting was the culprit for my environment as well. But the other information in this thread was very useful as well. To summarize the fix action:
The Network Security: Configure encryption types allowed for Kerberos in Group Policy needs to be configured with a checkbox to allow RC4_HMAC_MD5. The policy setting is located at Computer Configuration> Windows Settings>Security Settings>Local Policies>Security Options>Network Security: Configure encryption types allowed for Kerberos.
This should allow a Windows 10 machine to utilize the vCenter Windows session authentication checkbox to work during login to the vSphere Web Client.
The other fix actions to get the checkbox un-greyed and to get the Enhanced Authentication Plug-in to work in IE involved adding the vCenter login screen URL to the browser's Intranet Sites list. This may also need to be completed in Group Policy under Site to Zone Assignment List with a value of 1 for Intranet. Getting the Enhanced Authentication Plug-in to work in Firefox involved browsing to https://vmware-plugin:8094 and permanently storing this exception in the browser.
I'm still not able to get the Enhanced Authentication Plug-in working in Edge at this time. I am also working through untrusted certificates from the VCSA for which I have been working in the VCSA certificate manager and regenerating/reissuing certificates, downloading them, and importing them to the proper certificate stores for Windows and browsers, but no luck here yet. My certificate issue seems to be involved with the VCSA CN=<IP Address> whereas my generated certificates CN=<hostname>
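The two Group Policy settings summarised above both end up as registry values on the client, so they can be checked from the Windows 10 workstation itself. The script below is an added example, not code from this thread or from VMware: it decodes the `SupportedEncryptionTypes` bitmask written by "Network Security: Configure encryption types allowed for Kerberos" and looks up the vCenter site in the `ZoneMapKey` values written by "Site to Zone Assignment List". It assumes the policy has already been applied to the machine and uses a placeholder vCenter URL.

```powershell
# Added example (not from the thread or VMware): audit the client-side policy
# values behind the Windows session authentication checkbox.
# Assumption: Group Policy has been applied, so the values exist in the registry.

$VCenterUrl = 'https://vcenter.example.local'   # placeholder: your vCenter landing page

# Bit values of the SupportedEncryptionTypes DWORD written by the Kerberos policy.
$EncTypeBits = [ordered]@{
    DES_CBC_CRC      = 0x01
    DES_CBC_MD5      = 0x02
    RC4_HMAC_MD5     = 0x04
    AES128_HMAC_SHA1 = 0x08
    AES256_HMAC_SHA1 = 0x10
}

# Zone numbers used by the Site to Zone Assignment List policy.
$ZoneNames = @{ '0' = 'My Computer'; '1' = 'Local intranet'; '2' = 'Trusted sites'; '3' = 'Internet'; '4' = 'Restricted sites' }

function Get-KerberosEncTypePolicy {
    $key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
    $item = Get-ItemProperty -Path $key -Name SupportedEncryptionTypes -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Setting is "Not Defined": the OS default applies (RC4 and AES allowed, DES not).
        return [pscustomobject]@{ Defined = $false; Raw = $null; Enabled = @() }
    }
    # The DWORD is read as a signed Int32; mask it back to an unsigned 32-bit value.
    $value   = [int64]$item.SupportedEncryptionTypes -band 0xFFFFFFFF
    $enabled = foreach ($name in $EncTypeBits.Keys) {
        if (($value -band $EncTypeBits[$name]) -ne 0) { $name }
    }
    [pscustomobject]@{ Defined = $true; Raw = ('0x{0:X}' -f $value); Enabled = @($enabled) }
}

function Get-PolicyZoneAssignment {
    param([string]$Url)
    # The policy writes one value per site: value name = site pattern, data = zone number.
    $key   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $null }
    $siteHost = ([uri]$Url).Host
    $psNoise  = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -in $psNoise) { continue }          # provider metadata, not policy data
        if ($p.Name -like "*$siteHost*") {
            $zone = [string]$p.Value
            return [pscustomobject]@{ Site = $p.Name; Zone = $zone; ZoneName = $ZoneNames[$zone] }
        }
    }
    return $null
}

function Test-VCenterSsoClientPolicy {
    param([string]$Url)
    $krb  = Get-KerberosEncTypePolicy
    $zone = Get-PolicyZoneAssignment -Url $Url
    $zoneText = 'not assigned by policy'
    if ($zone) { $zoneText = "$($zone.ZoneName) ($($zone.Site) = $($zone.Zone))" }
    [pscustomobject]@{
        KerberosPolicyDefined = $krb.Defined
        KerberosRawValue      = $krb.Raw
        KerberosEnabled       = ($krb.Enabled -join ', ')
        RC4Allowed            = ($krb.Enabled -contains 'RC4_HMAC_MD5')
        AESAllowed            = ($krb.Enabled -contains 'AES128_HMAC_SHA1') -or ($krb.Enabled -contains 'AES256_HMAC_SHA1')
        VCenterZone           = $zoneText
    }
}

Test-VCenterSsoClientPolicy -Url $VCenterUrl | Format-List
```

Run it in an elevated PowerShell after `gpupdate /force`. `RC4Allowed = True` with the vCenter site in zone 1 is the state this thread ends up in; the same output also shows you at a glance whether a later hardening change (removing RC4_HMAC_MD5) has actually reached the workstation.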
I'd make sure "VMware Cip Message Proxy Service" is started on your Windows workstation.
It is running and set to Automatic startup.
Hi jrhaakenson
WDGNet is right, it is related to "VMware Cip Message proxy service" and you said it is started in services and set to automatic.
When you access vcenter, If your IE shows "Download Enhanced Authentication plug-in" it means the browser is not allowing this plugin yet, please try to re-install it again and notice whether VMware Plug-in Service Installer is also installed in parallel (FIND BELOW). Until it disappears on browser make sure all the extensions/permissions are granted.
IE has some issues on my PC also and allowing only html with checkbox and it crashes out if I select flash 🙂
In addition to what rajen450m said, I would also make sure your vcenter server is included in your IE Local Intranet sites list.
Internet Options>Security>Local intranet>Sites>Advanced>https://vcenter_name.fqdn
I have uninstalled and re-installed the Enhanced Authentication Plug-in multiple times. Both the Enhanced Authentication Plug-in and Plug-in service installers run and complete. The VMware Plug-in service is also installed. Either way Edge and IE continue to show the "Download Enhanced Authentication Plugin" message at the bottom and the checkbox is greyed out. IE and Edge are not allowing the Plug-in. Are there other extension/permissions that need to be enabled in Edge or IE?
In IE, browse to your vcenter landing page. From there, go to Internet Options>Security>Local intranet>Sites>Advanced
If your vcenter URL is not listed under websites, click the add button to add it. Next, close down IE and relaunch, browse to vcenter landing page. LMK if this isn't working still.
Another thought, you do have your vcenter's trusted root certificate installed in IE correct? IE>Internet Options>Privacy>Certificates>Other People
Your VCenter certificate should appear here. If not, navigate to the vcenter name/ip address and download the trusted root certificate and install in IE and test again.
LMK.
Ok, by adding my vCenter server landing page to Local Intranet sites, I was greeted with a popup in IE to allow the cip launcher. I clicked to always allow and I can now select the Windows session authentication checkbox in IE. Since I am using Group Policy, I added the vCenter server landing page to my Site to Zone Assignment List in Computer Configuration->Administrative Templates->Windows Components->Internet Explorer->Internet Control Panel->SecurityPage->Site to Zone Assignment List. I added the URL with a value of 1 to designate the Intranet Zone. However, now I have the same issue I have with Firefox in that when I click the Windows session authentication checkbox, I receive an Invalid Credentials error. Again, if I manually type in my Windows AD credentials, I can login fine, but using the checkbox results in Invalid Credentials.
Is your vmware-plugin listed in IE Trusted Root Certification Authorities?
Yes, vmware-plugin is listed under the IE Trusted Root Certification Authorities tab. Friendly Name VMware-CSD Cert
Can you verify dns is working, both forward and reverse?
Can you log into your VCSA and verify the hostname and time settings?
DNS is working fine.
The hostname file in /etc has the correct FQDN listed and nothing else.
The hosts file in /etc has the following listed:
<127.0.0.1> <FQDN> <host name> <localhost>
<IP address> <FQDN> <host name>
The time matches the time on the Domain Controller
There was a similar issue posted before and marked as answered. Can you please try as shown in this discussion?
Issues when using Windows Session Authentication
Hey jrhaakenson-
For your hosts file, make sure the following is included and not commented out:
127.0.0.1 vmware-plugin
::1 vmware-plugin
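The replies above ask for three things on the client side: forward and reverse DNS for the vCenter FQDN, the `vmware-plugin` loopback entries in the hosts file, and the plug-in proxy service being up and listening on port 8094. The script below is an added example, not code from this thread or from VMware, that checks all three from the Windows workstation. It assumes a placeholder vCenter FQDN, and it matches the service by the display name quoted earlier in the thread ("VMware CIP Message Proxy Service"), since the short service name is not given here.

```powershell
# Added example (not from the thread or VMware): client-side checks for DNS,
# the hosts file and the Enhanced Authentication plug-in proxy.
# Assumptions: placeholder FQDN; service matched by display name quoted in the thread.

$VCenterFqdn = 'vcenter.example.local'   # placeholder: your vCenter FQDN

function Test-ForwardReverseDns {
    param([string]$Fqdn)
    # Forward lookup, A records only (CNAME chains are filtered out).
    $forward = Resolve-DnsName -Name $Fqdn -Type A -ErrorAction SilentlyContinue | Where-Object { $_.Type -eq 'A' }
    if (-not $forward) {
        return [pscustomobject]@{ Fqdn = $Fqdn; Address = $null; ReverseName = $null; Consistent = $false }
    }
    $ip = $forward[0].IPAddress
    # Reverse lookup of the resolved address; PTR should point back at the same FQDN.
    $reverse = Resolve-DnsName -Name $ip -Type PTR -ErrorAction SilentlyContinue | Where-Object { $_.Type -eq 'PTR' }
    $ptrName = $null
    if ($reverse) { $ptrName = $reverse[0].NameHost.TrimEnd('.') }
    [pscustomobject]@{
        Fqdn        = $Fqdn
        Address     = $ip
        ReverseName = $ptrName
        Consistent  = [bool]($ptrName -and ($ptrName -ieq $Fqdn))
    }
}

function Get-HostsFileEntries {
    param([string]$Path = "$env:SystemRoot\System32\drivers\etc\hosts")
    Get-Content -Path $Path | ForEach-Object {
        $line = ($_ -split '#')[0].Trim()          # drop comments and blank lines
        if ($line) {
            $parts = $line -split '\s+'
            if ($parts.Count -ge 2) {
                [pscustomobject]@{ Address = $parts[0]; Names = $parts[1..($parts.Count - 1)] }
            }
        }
    }
}

function Test-VMwarePluginHostsEntries {
    $entries = @(Get-HostsFileEntries)
    $v4 = $entries | Where-Object { $_.Address -eq '127.0.0.1' -and $_.Names -contains 'vmware-plugin' }
    $v6 = $entries | Where-Object { $_.Address -eq '::1'       -and $_.Names -contains 'vmware-plugin' }
    [pscustomobject]@{ IPv4LoopbackEntry = [bool]$v4; IPv6LoopbackEntry = [bool]$v6 }
}

function Test-VMwarePluginProxy {
    # Display name as quoted in the thread; wildcard tolerates minor naming differences.
    $svc  = Get-Service -DisplayName 'VMware CIP Message Proxy*' -ErrorAction SilentlyContinue | Select-Object -First 1
    $port = Test-NetConnection -ComputerName 'vmware-plugin' -Port 8094 -WarningAction SilentlyContinue
    [pscustomobject]@{
        ServiceFound   = [bool]$svc
        ServiceStatus  = if ($svc) { [string]$svc.Status } else { 'not installed' }
        Port8094Open   = [bool]$port.TcpTestSucceeded
    }
}

Test-ForwardReverseDns -Fqdn $VCenterFqdn | Format-List
Test-VMwarePluginHostsEntries            | Format-List
Test-VMwarePluginProxy                   | Format-List
```

`Consistent = False` on the DNS check, or a missing loopback entry, reproduces the symptoms discussed above (greyed-out checkbox, plug-in not loading) without touching the VCSA; `Port8094Open = False` while the service reports `Running` points at a local firewall or a stale hosts entry rather than at vCenter.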
Adding the RC4_HMAC_MD5 to allowed Kerberos types is what fixed the "Invalid credentials" problem in my POC setup (vCenter 6.7 U2, Server 2016 (Build 1607), Firefox 66.0 x64).
However, I also had to enable AES128_HMAC_SHA1 and AES256_HMAC_SHA1 in order for RDP-TLS to work using FQDN.
I need to continue investigating other ways to login to vCenter that do not include Kerberos authentication using an insecure encryption algorithm (RC4). It's highly unlikely that a setup using RC4 will pass through our security audit process and be approved for usage.
VMware needs to fix this, requiring Kerberos based on RC4 in 2019 is not acceptable!
Please post any further findings you come up with. I'm in a similar secured environment and we ended up removing the RC4_HMAC_MD5 encryption type in order to be compliant. So now we're back to being unable to use the checkbox for using Windows Credentials to login once again.
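Before removing RC4_HMAC_MD5 from the allowed types, as the poster above did, it helps to know which services in the domain are still being issued RC4 service tickets, since those are the logins that will break. The script below is an added example, not code from this thread or from VMware: run on a domain controller with Kerberos Service Ticket Operations auditing enabled, it reads event 4769 from the Security log and groups the RC4 tickets by service principal. It assumes the standard 4769 event fields and the Kerberos etype number 0x17 for RC4-HMAC.

```powershell
# Added example (not from the thread or VMware): find Kerberos service tickets
# still issued with RC4 so the impact of disabling RC4_HMAC_MD5 is known in advance.
# Assumptions: run on a DC; audit policy "Kerberos Service Ticket Operations" is on.

# Kerberos encryption type numbers as logged in event 4769's TicketEncryptionType field.
$EtypeNames = @{ '0x17' = 'RC4-HMAC'; '0x11' = 'AES128-CTS-HMAC-SHA1-96'; '0x12' = 'AES256-CTS-HMAC-SHA1-96' }
$Rc4Etype   = '0x17'

function Get-ServiceTicketEvents {
    param([int]$Hours = 24, [int]$MaxEvents = 5000)
    $filter = @{ LogName = 'Security'; Id = 4769; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue | ForEach-Object {
        # EventData is a list of <Data Name="..."> elements; turn it into a lookup table.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time           = $_.TimeCreated
            Account        = $data['TargetUserName']
            Service        = $data['ServiceName']
            ClientAddress  = $data['IpAddress']
            EncryptionType = $data['TicketEncryptionType']
            EncryptionName = $EtypeNames[[string]$data['TicketEncryptionType']]
            Status         = $data['Status']         # 0x0 = ticket issued
        }
    }
}

function Get-Rc4ServiceTicketSummary {
    param([int]$Hours = 24)
    Get-ServiceTicketEvents -Hours $Hours |
        Where-Object { $_.EncryptionType -eq $Rc4Etype -and $_.Status -eq '0x0' } |
        Group-Object Service |
        Sort-Object Count -Descending |
        Select-Object Count, @{ Name = 'Service'; Expression = { $_.Name } },
                      @{ Name = 'Accounts'; Expression = { ($_.Group.Account | Sort-Object -Unique) -join ', ' } }
}

Get-Rc4ServiceTicketSummary -Hours 24 | Format-Table -AutoSize
```

Any service principal that appears in this list only ever negotiates RC4 (typically because its account's msDS-SupportedEncryptionTypes is unset or its keytab only holds RC4 keys); those are the accounts to fix or accept as exceptions before the policy change, and an empty list for the vCenter SSO principal after the change is the confirmation that it has moved to AES.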
[removed post - it's working with latest updates]