VMware Cloud Community
jrhaakenson (Enthusiast)

Use Windows session authentication checkbox not working vCenter SSO 6.5.0U1e

I am running a vCenter Server Appliance (VCSA) with Platform Services Controller (PSC) on 6.5.0U1e and it is successfully joined to my Active Directory domain.  I can successfully login to my vSphere Web Client using my AD credentials when I type them manually into the VMware vCenter Single Sign-On login screen.  However, if I select the checkbox to Use Windows session authentication (which auto-populates the user name and password fields with the same AD credentials) I get an Invalid Credentials notification.  I cannot login using the checkbox.  Why?  I have verified all VCSA hosts and hostname files are configured correctly, the domain and FQDN of the VCSA is configured correctly, IP, etc... The domain logins work fine except when using the checkbox.

EDIT.  I should also mention I have the Enhanced Authentication plug-in installed, I've uninstalled the older Client Integration Plugin, and I am using Mozilla Firefox for which I had to complete a short workaround to permanently store an exception to use the vmware plugin in my browser in order to be able to check the checkbox.  The checkbox remains greyed out in Edge and IE.

WDGNet (Enthusiast)

I'd make sure "VMware Cip Message Proxy Service" is started on your Windows workstation.

jrhaakenson (Enthusiast)

It is running and set to Automatic startup.

rajen450m (Hot Shot)

Hi jrhaakenson,

WDGNet is right, it is related to the "VMware CIP Message Proxy Service", and you said it is started in Services and set to Automatic.

When you access vCenter, if your IE shows "Download Enhanced Authentication plug-in" it means the browser is not allowing this plugin yet. Please try to reinstall it and notice whether the VMware Plug-in Service Installer is also installed in parallel (see the screenshot that was attached to the original post). Until that message disappears in the browser, make sure all the extensions/permissions are granted.

IE has some issues on my PC also, allowing only HTML with the checkbox, and it crashes out if I select Flash 🙂

Raj M Please mark helpful or correct if my answer resolved your issue. Visit www.hypervmwarecloud.com for my blog posts, step-by-step procedures etc.,
WDGNet (Enthusiast)

In addition to what rajen450m said, I would also make sure your vCenter server is included in your IE Local intranet sites list.

Internet Options>Security>Local intranet>Sites>Advanced>https://vcenter_name.fqdn

jrhaakenson (Enthusiast)

I have uninstalled and re-installed the Enhanced Authentication Plug-in multiple times.  Both the Enhanced Authentication Plug-in and Plug-in service installers run and complete.  The VMware Plug-in service is also installed.  Either way Edge and IE continue to show the "Download Enhanced Authentication Plugin" message at the bottom and the checkbox is greyed out.  IE and Edge are not allowing the Plug-in.  Are there other extension/permissions that need to be enabled in Edge or IE?

WDGNet (Enthusiast)

In IE, browse to your vCenter landing page. From there, go to Internet Options>Security>Local intranet>Sites>Advanced

If your vCenter URL is not listed under websites, click the Add button to add it. Next, close down IE and relaunch, then browse to the vCenter landing page. LMK if this still isn't working.

WDGNet (Enthusiast)

Another thought: you do have your vCenter's trusted root certificate installed in IE, correct? IE>Internet Options>Privacy>Certificates>Other People

Your vCenter certificate should appear here. If not, navigate to the vCenter name/IP address, download the trusted root certificate, install it in IE and test again.

LMK.

jrhaakenson (Enthusiast)

Ok, by adding my vCenter server landing page to Local Intranet sites, I was greeted with a popup in IE to allow the cip launcher.  I clicked to always allow and I can now select the Windows session authentication checkbox in IE.  Since I am using Group Policy, I added the vCenter server landing page to my Site to Zone Assignment List in Computer Configuration->Administrative Templates->Windows Components->Internet Explorer->Internet Control Panel->SecurityPage->Site to Zone Assignment List.  I added the URL with a value of 1 to designate the Intranet Zone.  However, now I have the same issue I have with Firefox in that when I click the Windows session authentication checkbox, I receive an Invalid Credentials error.  Again, if I manually type in my Windows AD credentials, I can login fine, but using the checkbox results in Invalid Credentials.

WDGNet (Enthusiast)

Is your vmware-plugin listed in IE Trusted Root Certification Authorities?

jrhaakenson (Enthusiast)

Yes, vmware-plugin is listed under the IE Trusted Root Certification Authorities tab. Friendly Name: VMware-CSD Cert.

WDGNet (Enthusiast)

Can you verify DNS is working, both forward and reverse?

Can you log into your VCSA and verify the hostname and time settings?

jrhaakenson (Enthusiast)

DNS is working fine.

The hostname file in /etc has the correct FQDN listed and nothing else.

The hosts file in /etc has the following listed:

<127.0.0.1> <FQDN> <host name> <localhost>

<IP address> <FQDN> <host name>

The time matches the time on the Domain Controller.

rajen450m (Hot Shot)

There was a similar issue posted before and marked as answered. Can you please try what is shown in this discussion?

Issues when using Windows Session Authentication

jrhaakenson (Enthusiast) - Accepted Solution

Yes, this Group Policy setting was the culprit for my environment as well. But the other information in this thread was very useful as well. To summarize the fix action:

The Network Security: Configure encryption types allowed for Kerberos setting in Group Policy needs to be configured with the checkbox to allow RC4_HMAC_MD5. The policy setting is located at Computer Configuration>Windows Settings>Security Settings>Local Policies>Security Options>Network Security: Configure encryption types allowed for Kerberos.

This should allow a Windows 10 machine to utilize the vCenter Windows session authentication checkbox during login to the vSphere Web Client.

The other fix actions to get the checkbox un-greyed and to get the Enhanced Authentication Plug-in to work in IE involved adding the vCenter login screen URL to the browser's Intranet Sites list. This may also need to be completed in Group Policy under Site to Zone Assignment List with a value of 1 for Intranet. Getting the Enhanced Authentication Plug-in to work in Firefox involved browsing to https://vmware-plugin:8094 and permanently storing this exception in the browser.

I'm still not able to get the Enhanced Authentication Plug-in working in Edge at this time. I am also working through untrusted certificates from the VCSA, for which I have been working in the VCSA certificate manager and regenerating/reissuing certificates, downloading them, and importing them to the proper certificate stores for Windows and browsers, but no luck here yet. My certificate issue seems to be involved with the VCSA CN=<IP Address> whereas my generated certificates have CN=<hostname>.
WDGNet (Enthusiast)

Hey jrhaakenson,

For your hosts file, make sure the following is included and not commented out:

127.0.0.1 vmware-plugin
::1       vmware-plugin
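The replies above ask for the same handful of client-side facts one at a time: the vmware-plugin hosts-file mapping, whether the CIP Message Proxy service is running, whether anything answers on the plug-in's port 8094, whether the VMware-CSD certificate sits in Trusted Root, and forward/reverse DNS for the vCenter name. The PowerShell below is an added example written for this thread, not VMware's code, that collects all of them in one run. The vCenter FQDN is a placeholder; the service is looked up by the display name used in the thread because its short service name is not stated here.

```powershell
# Added example for this thread (not VMware code): gather the client-side facts the replies ask about.
# Run on the Windows client with the Enhanced Authentication Plug-in installed.
$VCenterFqdn = 'vcenter.example.local'   # placeholder: replace with your vCenter FQDN

function Test-VmwarePluginHostsEntry {
    # WDGNet's check: vmware-plugin must map to loopback in the hosts file and not be commented out
    $hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    $lines = Get-Content -Path $hostsPath -ErrorAction Stop
    $found = @($lines | Where-Object { $_ -match '^\s*(127\.0\.0\.1|::1)\s+vmware-plugin(\s|$)' })
    [pscustomobject]@{
        Path = $hostsPath
        IPv4 = [bool]($found -match '^\s*127\.0\.0\.1')
        IPv6 = [bool]($found -match '^\s*::1')
    }
}

function Get-CipProxyServiceState {
    # Looked up by display name as quoted in the thread; the short service name is not assumed
    Get-Service -DisplayName 'VMware CIP Message Proxy Service' -ErrorAction SilentlyContinue |
        Select-Object DisplayName, Status, StartType
}

function Test-PluginListener {
    # The plug-in answers at https://vmware-plugin:8094 (the Firefox exception in the accepted answer)
    $listener = Get-NetTCPConnection -LocalPort 8094 -State Listen -ErrorAction SilentlyContinue
    [bool]$listener
}

function Get-VmwareCsdCertificate {
    # The plug-in certificate shows up as "VMware-CSD Cert" under Trusted Root Certification Authorities
    Get-ChildItem -Path Cert:\CurrentUser\Root, Cert:\LocalMachine\Root -ErrorAction SilentlyContinue |
        Where-Object { $_.FriendlyName -eq 'VMware-CSD Cert' -or $_.Subject -like '*vmware-plugin*' } |
        Select-Object @{ n = 'Store'; e = { $_.PSParentPath -replace '^.*::' } }, Subject, FriendlyName, NotAfter
}

function Test-VCenterDns {
    param([Parameter(Mandatory)][string]$Fqdn)
    # Forward lookup, then a reverse lookup of each returned address, as WDGNet asked
    $fwd = Resolve-DnsName -Name $Fqdn -Type A -ErrorAction SilentlyContinue | Where-Object { $_.IPAddress }
    foreach ($rec in $fwd) {
        $ptr = Resolve-DnsName -Name $rec.IPAddress -Type PTR -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Address = $rec.IPAddress
            Reverse = ($ptr.NameHost -join ', ')
            Match   = [bool]($ptr.NameHost -contains $Fqdn)
        }
    }
}

Test-VmwarePluginHostsEntry | Format-List
Get-CipProxyServiceState | Format-Table -AutoSize
"Listener on 8094: $(Test-PluginListener)"
Get-VmwareCsdCertificate | Format-Table -AutoSize
Test-VCenterDns -Fqdn $VCenterFqdn | Format-Table -AutoSize
```

A missing hosts entry or an absent 8094 listener explains a greyed-out checkbox (the browser cannot reach the plug-in at all); a working plug-in combined with "Invalid Credentials" points at the Kerberos encryption-type policy discussed in the accepted answer instead.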
CalleMosen (Contributor)

Adding RC4_HMAC_MD5 to the allowed Kerberos types is what fixed the "Invalid credentials" problem in my POC setup (vCenter 6.7 U2, Server 2016 (Build 1607), Firefox 66.0 x64).

However, I also had to enable AES128_HMAC_SHA1 and AES256_HMAC_SHA1 in order for RDP-TLS to work using FQDN.

I need to continue investigating other ways to log in to vCenter that do not include Kerberos authentication using an insecure encryption algorithm (RC4). It's highly unlikely that a setup using RC4 will pass through our security audit process and be approved for usage.

VMware needs to fix this; requiring Kerberos based on RC4 in 2019 is not acceptable!
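Both the accepted answer (allow RC4_HMAC_MD5 in "Network security: Configure encryption types allowed for Kerberos", put the vCenter URL in the Local intranet zone) and CalleMosen's objection that RC4 will not pass an audit come down to two registry-backed settings on the Windows client. The PowerShell below is an added example written for this thread, not VMware's or Microsoft's code: it decodes the SupportedEncryptionTypes bitmask the policy writes, reports whether RC4 is allowed, and looks up the zone assignment for the vCenter name. The vCenter FQDN is a placeholder; the registry path and flag values for the Kerberos policy are the documented ones, while the layout assumed for sites added by hand in Internet Options is marked as an assumption in the comments.

```powershell
# Added example for this thread (not VMware/Microsoft code). Run in an elevated PowerShell
# on the Windows client that shows the "Invalid Credentials" behaviour.
$VCenterFqdn = 'vcenter.example.local'   # placeholder: replace with your vCenter FQDN

# Bit flags behind "Network security: Configure encryption types allowed for Kerberos".
# The policy stores the selection in the REG_DWORD SupportedEncryptionTypes.
$KerbFlags = [ordered]@{
    DES_CBC_CRC      = 0x01
    DES_CBC_MD5      = 0x02
    RC4_HMAC_MD5     = 0x04
    AES128_HMAC_SHA1 = 0x08
    AES256_HMAC_SHA1 = 0x10
}

function Get-KerberosEncryptionTypes {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
    $raw = (Get-ItemProperty -Path $key -Name SupportedEncryptionTypes -ErrorAction SilentlyContinue).SupportedEncryptionTypes
    if ($null -eq $raw) {
        # Policy "Not Defined": no bitmask is written and the OS default applies
        return [pscustomobject]@{ Configured = $false; Raw = $null; Enabled = @() }
    }
    $enabled = foreach ($name in $KerbFlags.Keys) {
        if (($raw -band $KerbFlags[$name]) -ne 0) { $name }
    }
    [pscustomobject]@{ Configured = $true; Raw = ('0x{0:X}' -f $raw); Enabled = @($enabled) }
}

function Get-IntranetZoneAssignment {
    param([Parameter(Mandatory)][string]$Fqdn)
    # Site to Zone Assignment List keeps its raw "site = zone" pairs under ZoneMapKey (1 = Local intranet)
    foreach ($hive in 'HKLM', 'HKCU') {
        $listKey = "${hive}:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey"
        $props = Get-ItemProperty -Path $listKey -ErrorAction SilentlyContinue
        if ($props) {
            foreach ($p in $props.PSObject.Properties) {
                if ($p.Name -like "*$Fqdn*") {
                    [pscustomobject]@{ Source = "$hive policy"; Site = $p.Name; Zone = [int]$p.Value }
                }
            }
        }
    }
    # Assumption: a site added by hand in Internet Options lands under
    # ZoneMap\Domains\<domain>\<host> with a value named after the scheme (https = 1)
    $labels = $Fqdn.Split('.')
    $hostLabel = $labels[0]
    $domain = ($labels | Select-Object -Skip 1) -join '.'
    $userKey = "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$domain\$hostLabel"
    $manual = Get-ItemProperty -Path $userKey -Name https -ErrorAction SilentlyContinue
    if ($manual) {
        [pscustomobject]@{ Source = 'HKCU manual'; Site = "https://$Fqdn"; Zone = [int]$manual.https }
    }
}

$kerb = Get-KerberosEncryptionTypes
if (-not $kerb.Configured) {
    'Kerberos encryption types: policy not defined (OS default in effect)'
} else {
    "Kerberos encryption types: $($kerb.Enabled -join ', ') (raw $($kerb.Raw))"
    if ('RC4_HMAC_MD5' -in $kerb.Enabled) {
        Write-Warning 'RC4_HMAC_MD5 is allowed: the session-authentication checkbox will work, but RC4 Kerberos is the audit finding CalleMosen describes.'
    } else {
        Write-Warning 'RC4_HMAC_MD5 is not allowed: expect "Invalid Credentials" from the checkbox, as reported in this thread.'
    }
}

$zones = @(Get-IntranetZoneAssignment -Fqdn $VCenterFqdn)
if ($zones.Count -eq 0) {
    Write-Warning "$VCenterFqdn is not assigned to any IE zone; in IE the checkbox stays greyed out until the site is in Local intranet (zone 1)."
} else {
    $zones | Format-Table -AutoSize
}
```

Running this before and after the policy change shows exactly which encryption types a workstation will offer, which is also the evidence an auditor asks for when RC4 has to be justified or removed again, as jrhaakenson's environment ended up doing.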

jrhaakenson (Enthusiast)

Please post any further findings you come up with.  I'm in a similar secured environment and we ended up removing the RC4_HMAC_MD5 encryption type in order to be compliant.  So now we're back to being unable to use the checkbox for using Windows Credentials to login once again.

robertrosit (Enthusiast)

[removed post - it's working with latest updates]
