VMware Cloud Community
jsb197
Contributor

VCSA 6.7 Unable to validate submitted credential

Recently installed a fresh VCSA 6.7 and cannot get SmartCard authentication to work at all anymore, following the exact process used to get a 6.5 VCSA working a few weeks ago.

Any attempts get "Unable to validate submitted credential"

Actual domain xx.yy.mil

All users are in xx.yy.mil with UPNs of the format ###########@mil, and this UPN is listed in the certificate's Subject Alt Name field

websso.log shows:

""""WARN ----- obtainDcInfo for domain [mil] failed Native platform error [code: 2453][NERR_DCNotFound]""""

-Not sure why it's looking in the .mil domain vs the actual xx.yy.mil domain for the users. This seems to be the root of the problem.

""""Failed to find active user with error [Failed to find Principal attribute value 100000000001@mil]""""

--This error makes sense after the first WARN error.

""""ERROR com.vmware.identity.idm.server.ServerUtils] Exception 'com.vmware.identity.idm.IDMException: Failed in account linking using certificate SAN:  100000000001@mil""""

--Again, makes sense given the domain lookup isn't looking for the right domain.

========================

-All SSL certs are valid for the VCSA 6.7 and are CA signed, from same source as working 6.5 VCSA with smart card operational. Only the VCSA machine SSL cert was replaced.

-VCSA 6.7 was added to the domain, rebooted, verified on the domain (Win2012R2), AD identity source added, AD username/pw logins work, and admin users granted membership in sso groups and given global admin permissions to vcenter.

-reverse HTTP proxy config set, with same certs/file that the 6.5 VCSA used successfully.


Additional tasks undertaken:

-Removed from domain, re-added to domain - username/pw from the domain work just fine -- no changes

-Removed AD identity source and from domain, re-added to domain, re-added identity source

Any pointers or suggestions on what to do next would be appreciated.
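The three websso.log lines quoted above share one pattern: the realm the SSO service asks the DC locator for ("mil") is the UPN suffix from the certificate SAN, not the AD domain the appliance is joined to (xx.yy.mil). The script below is an added example, not code from the original poster or from VMware: it pulls the failed obtainDcInfo domain and the SAN UPN out of a websso.log excerpt and flags any UPN suffix that is not one of the configured AD domains. The log excerpt is constructed from the quoted lines, the list of AD domains is an assumed input, and the SRV record names are the ones a DC locator normally queries, included only to show what a network capture of the failing lookup would contain.

```python
"""Spot UPN-suffix vs AD-domain mismatches in a vCenter websso.log excerpt."""
import re

# Constructed sample modelled on the three websso.log lines quoted in the post
# (not a capture from a real appliance).
SAMPLE_WEBSSO_LOG = """\
WARN ----- obtainDcInfo for domain [mil] failed Native platform error [code: 2453][NERR_DCNotFound]
ERROR Failed to find active user with error [Failed to find Principal attribute value 100000000001@mil]
ERROR com.vmware.identity.idm.server.ServerUtils] Exception 'com.vmware.identity.idm.IDMException: Failed in account linking using certificate SAN:  100000000001@mil'
"""

# Domain the SSO service tried (and failed) to locate a DC for.
_DC_LOOKUP = re.compile(r"obtainDcInfo for domain \[([^\]]+)\] failed")
# UPN that account linking took from the certificate SAN; stop at ']' or the closing quote.
_UPN = re.compile(r"(?:Principal attribute value|certificate SAN:)\s+([^\s'\]]+@[^\s'\]]+)")


def _dedupe(items) -> list[str]:
    """Preserve first-seen order while dropping repeats."""
    seen, out = set(), []
    for item in items:
        if item not in seen:
            seen.add(item)
            out.append(item)
    return out


def extract_lookup_domains(log_text: str) -> list[str]:
    """Domains named in failed obtainDcInfo warnings."""
    return _dedupe(_DC_LOOKUP.findall(log_text))


def extract_upns(log_text: str) -> list[str]:
    """UPNs the service tried to resolve during certificate account linking."""
    return _dedupe(_UPN.findall(log_text))


def upn_suffix(upn: str) -> str:
    """The part after the last '@', lower-cased (the realm the lookup is derived from)."""
    return upn.rsplit("@", 1)[1].lower()


def dc_srv_names(domain: str) -> list[str]:
    """DNS SRV names a DC locator queries for a domain (assumed, for comparison with a capture)."""
    return [f"_ldap._tcp.dc._msdcs.{domain}", f"_kerberos._tcp.{domain}"]


def diagnose(log_text: str, ad_domains: list[str]) -> dict:
    """Correlate failed DC lookups with UPN suffixes that are not a configured AD domain.

    ad_domains: the AD identity-source domains the appliance is joined to (assumed input).
    """
    known = {d.lower() for d in ad_domains}
    upns = extract_upns(log_text)
    suffixes = _dedupe(upn_suffix(u) for u in upns)
    mismatched = [s for s in suffixes if s not in known]
    lookups = extract_lookup_domains(log_text)
    return {
        "dc_lookups": lookups,
        "upns": upns,
        "mismatched_suffixes": mismatched,
        # Lookups that target exactly a mismatched suffix: the UPN suffix drove the DC search.
        "lookup_matches_suffix": [d for d in lookups if d.lower() in mismatched],
        "srv_names_queried": [n for d in lookups for n in dc_srv_names(d.lower())],
    }


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_WEBSSO_LOG, ["xx.yy.mil"]).items():
        print(f"{key}: {value}")
```

When `lookup_matches_suffix` is non-empty and equals `mismatched_suffixes`, the SSO service is deriving the realm from the SAN UPN suffix rather than from the joined domain, which is the behaviour described in the post; the `srv_names_queried` entries are what to look for in a packet capture to confirm the DNS query is leaving for the wrong realm.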

6 Replies
TSprouse94
Contributor

I have the same issue after upgrading from VCSA 6.5 to 6.7.  I have performed all the similar tasks and still no luck. 

rpwnut
Contributor

Having the same issue, and still have no resolution.

neutronscott0
Contributor

Did you open a ticket? I did a network capture and it's trying to do a srv lookup on .mil (don't have it handy, it was actually on another network). I tried to compare krb5.conf from vCenter 6.5 and 6.7 and the differences weren't in there. So I don't think it'll get fixed without a ticket. I am unsure if before it actually checked the alternative UPNs in AD or just sent everything to the default realm, but this is definitely a show stopper for 6.7 for us.

TSprouse94
Contributor

I rolled back to 6.5, didn't have any time to troubleshoot...was basically hoping for a quick upgrade and slipped it in.  If anyone solves this issue please provide an update to this thread.

neutronscott0
Contributor

I've a ticket open and VMware says there's already a PR on the issue. Will try to update the thread but I'm guessing at this point we're waiting on a software update.

Camero
VMware Employee

This issue is addressed in the latest release.

Please get the latest bits and let us know.

Release notes here: VMware vCenter Server 6.7.0c Release Notes
