Hi,
Maybe someone can help me. I'm having issues logging in with "Use Windows Authentication" in WebClient. Manually typing the password works. Some information:
- vCenter 6.0 U3 on Windows 2008 R2 (Embedded PSC)
- The Client Integration plugin is loaded successfully in the browsers.
- Tested browsers - IE 11 & Chrome
- I'm trying from the vCenter itself, with the service account with which vCenter services run (same domain)
- Being the same domain, Identity source is Active Directory (Integrated Windows Authentication)
This situation happens on more vCenters 6.
Now comes the funny part - from another server (an older Windows (vCenter 5.5, but not important in this case), same domain, same Windows OS) I've just installed the same Client Integration Plugin and I am able to connect to the remote vCenter 6 via Web Client with Use Windows Authentication.
My only explanation is that there is a local policy/setting or something strictly related to the local OS that prevents this from working locally on the vCenter 6 servers, but I do not know exactly which one. I've compared with some tools the policies from the old vCenter 5.5 and the new vCenter 6.0 and could not find differences.
Errors in the vmware-sts-idmd.log when I try to log in locally with Use Windows..:
[2018-05-11T21:01:55.715+02:00 vsphere.local 315d74c8-9f83-4539-aae8-9d7c9aade7eb INFO ] [VmEventAppender] EventLog: source=[VMware Identity Server], tenant=[vsphere.local], eventid=[GSS_AUTH_FAILED], level=[ERROR], category=[VMEVENT_CATEGORY_IDM], text=[Failed to authenticate gss token], detailText=[com.sun.jna.platform.win32.Win32Exception: The logon attempt failed
....................................................
], corelationId=[315d74c8-9f83-4539-aae8-9d7c9aade7eb], timestamp=[1526065315711]
[2018-05-11T21:01:55.716+02:00 vsphere.local 315d74c8-9f83-4539-aae8-9d7c9aade7eb ERROR] [IdentityManager] Failed to authenticate gss token
com.sun.jna.platform.win32.Win32Exception: The logon attempt failed
..............................................
[2018-05-11T21:01:55.717+02:00 vsphere.local 315d74c8-9f83-4539-aae8-9d7c9aade7eb ERROR] [IdentityManager] Failed to authenticate gss token for tenant [vsphere.local]
[2018-05-11T21:01:55.718+02:00 vsphere.local 315d74c8-9f83-4539-aae8-9d7c9aade7eb ERROR] [ServerUtils] Exception 'com.sun.jna.platform.win32.Win32Exception: The logon attempt failed'
com.sun.jna.platform.win32.Win32Exception: The logon attempt failed
........................................
I already have a VMware case on this.
Thank you.
Anyone, any hints or something?
This is not a VMware issue; you need to check your Windows (security/system) logs.
What was the solution for this issue? We are facing the same, but with vCSA 7.0.2.
Works fine on one vCenter but not on a newly deployed one.
Thank you in advance for any hint.
Solution was to set the attribute “msDS-SupportedEncryptionTypes” with value “28” on the Active Directory object of vCSA. This setting allows RC4 with Kerberos Authentication.
We have a request to change our VCSA AD attribute "msDS-SupportedEncryptionTypes" value to 24. Does this break anything? Does the VCSA need a restart or anything?
No restart of VCSA needed. However, I do not think that Windows Authentication will work with value 24. Better you deploy a fresh VCSA in a lab environment to test it.
So after setting VCSA AD attribute "msDS-SupportedEncryptionTypes" value to 24 on one non-critical environment, I have yet to see any issues logging into vCenter using my domain credentials. It's been almost a week since the change and it's still holding strong. That said, I have not rebooted the VCSA appliance. Could a reboot possibly break something?
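
The two values discussed in this thread, 28 and 24, decoded bit by bit and compared. This is an added example, not posted by any participant and not VMware or Microsoft code; the function names `decode` and `diff` are illustrative, and the bit meanings are the standard ones Microsoft documents for `msDS-SupportedEncryptionTypes`.

```python
# Added example: decode msDS-SupportedEncryptionTypes values and diff a planned change.
# Bit meanings follow Microsoft's published definition of the attribute ([MS-KILE]).
ETYPE_BITS = {
    0x01: "DES-CBC-CRC",
    0x02: "DES-CBC-MD5",
    0x04: "RC4-HMAC",
    0x08: "AES128-CTS-HMAC-SHA1-96",
    0x10: "AES256-CTS-HMAC-SHA1-96",
}
ETYPE_MASK = 0x1F  # only the low five bits name encryption types


def decode(value):
    """Return (etype names, leftover non-etype bits) for an attribute value."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("attribute is a 32-bit unsigned bitmask")
    names = [name for bit, name in ETYPE_BITS.items() if value & bit]
    return names, value & ~ETYPE_MASK


def diff(current, proposed):
    """Describe which Kerberos etypes a change from current to proposed adds or drops."""
    cur, _ = decode(current)
    new, other = decode(proposed)
    return {
        "removed": [n for n in cur if n not in new],
        "added": [n for n in new if n not in cur],
        "rc4_allowed": "RC4-HMAC" in new,
        "weak_des": any(n.startswith("DES") for n in new),
        # No etype bit set: the account advertises nothing and the KDC applies its defaults.
        "uses_kdc_default": not new,
        "other_flag_bits": hex(other),
    }


if __name__ == "__main__":
    # Values taken from the thread: 28 is the reported fix, 24 is the requested change.
    for label, value in (("thread fix", 28), ("requested", 24), ("unset", 0)):
        print(f"{label:>10} {value:>3} -> {decode(value)[0] or 'KDC default'}")
    print(diff(28, 24))
```

Going from 28 to 24 removes only RC4-HMAC and leaves both AES types, so the practical check after such a change is that every client and the appliance's own keys can use AES.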