florindespa
Enthusiast

vCenter 6.0 WebClient - Invalid login when using "Use Windows Authentication"

Hi,

Maybe someone can help me. I'm having issues logging in with "Use Windows Authentication" in WebClient. Manually typing the password works. Some information:

- vCenter 6.0 U3 on Windows 2008 R2 (Embedded PSC)

- The Client Integration plugin is loaded successfully in the browsers.

- Tested browsers - IE 11 & Chrome

- I'm trying from the vCenter itself, with the service account with which vCenter services run (same domain)

- Being the same domain, Identity source is Active Directory (Integrated Windows Authentication)

This happens on several vCenter 6 servers.

Now comes the funny part - from another server (an older Windows (vCenter 5.5, but not important in this case), same domain, same Windows OS) I've just installed the same Client Integration Plugin and I am able to connect to the remote vCenter 6 via Web Client with Use Windows Authentication.

My only explanation is that there is a local policy/setting or something strictly related to the local OS that prevents this from working locally on the vCenter 6 servers, but I do not know exactly which one. I've compared the policies from the old vCenter 5.5 and the new vCenter 6.0 with some tools and could not find differences.

Errors in the vmware-sts-idmd.log when I try to log in locally with Use Windows..:

[2018-05-11T21:01:55.715+02:00 vsphere.local        315d74c8-9f83-4539-aae8-9d7c9aade7eb INFO ] [VmEventAppender] EventLog: source=[VMware Identity Server], tenant=[vsphere.local], eventid=[GSS_AUTH_FAILED], level=[ERROR], category=[VMEVENT_CATEGORY_IDM], text=[Failed to authenticate gss token], detailText=[com.sun.jna.platform.win32.Win32Exception: The logon attempt failed

....................................................

], corelationId=[315d74c8-9f83-4539-aae8-9d7c9aade7eb], timestamp=[1526065315711]

[2018-05-11T21:01:55.716+02:00 vsphere.local        315d74c8-9f83-4539-aae8-9d7c9aade7eb ERROR] [IdentityManager] Failed to authenticate gss token

com.sun.jna.platform.win32.Win32Exception: The logon attempt failed

..............................................

[2018-05-11T21:01:55.717+02:00 vsphere.local        315d74c8-9f83-4539-aae8-9d7c9aade7eb ERROR] [IdentityManager] Failed to authenticate gss token for tenant [vsphere.local]

[2018-05-11T21:01:55.718+02:00 vsphere.local        315d74c8-9f83-4539-aae8-9d7c9aade7eb ERROR] [ServerUtils] Exception 'com.sun.jna.platform.win32.Win32Exception: The logon attempt failed'

com.sun.jna.platform.win32.Win32Exception: The logon attempt failed

........................................

I already have a VMware case on this.

Thank you.

0 Kudos
7 Replies
florindespa
Enthusiast

Anyone, any hints or something? :)

0 Kudos
RajeevVCP4
Expert

This is not a VMware issue; you need to check your Windows (security/system) logs.

Rajeev Chauhan
VCIX-DCV6.5/VSAN/VXRAIL
Please mark helpful or correct if my answer is useful for you
0 Kudos
JasonSpezza
Contributor

What was the solution for this issue? We are facing the same, but with vCSA 7.0.2.

Works fine on one vCenter but not on a newly deployed one.

Thank you in advance for any hint.

0 Kudos
JasonSpezza
Contributor

Solution was to set the attribute “msDS-SupportedEncryptionTypes” with value “28” on the Active Directory object of vCSA. This setting allows RC4 with Kerberos Authentication.

0 Kudos
natsfn4life
Contributor

We have a request to change our VCSA AD attribute "msDS-SupportedEncryptionTypes" value to 24. Does this break anything? Does the VCSA need a restart or anything?

0 Kudos
JasonSpezza
Contributor

No restart of VCSA needed. However, I do not think that Windows Authentication will work with value 24. It would be better to deploy a fresh VCSA in a lab environment to test it.

0 Kudos
natsfn4life
Contributor

So after setting VCSA AD attribute "msDS-SupportedEncryptionTypes" value to 24 on one non-critical environment, I have yet to see any issues logging into vCenter using my domain credentials. It's been almost a week since the change and it's still holding strong. That said, I have not rebooted the VCSA appliance. Could a reboot possibly break something?

0 Kudos
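
Added example, not part of any post in this thread: the values 28 and 24 discussed above are bitmasks, and this Python sketch decodes them and shows what changing one to the other removes. The function names are hypothetical, only the five low bits of msDS-SupportedEncryptionTypes are modelled, and `strongest_common` is a simplified overlap check, not the KDC's actual selection logic.

```python
# Added example: decode msDS-SupportedEncryptionTypes bitmask values.
# Only the five low bits (Kerberos encryption-type flags) are modelled here.
ETYPE_BITS = {
    0x01: "DES-CBC-CRC",
    0x02: "DES-CBC-MD5",
    0x04: "RC4-HMAC",
    0x08: "AES128-CTS-HMAC-SHA1-96",
    0x10: "AES256-CTS-HMAC-SHA1-96",
}
WEAK = {"DES-CBC-CRC", "DES-CBC-MD5", "RC4-HMAC"}
KNOWN_MASK = sum(ETYPE_BITS)  # 0x1F


def decode(value):
    """Return (enabled etype names, leftover bits this example does not model)."""
    names = [name for bit, name in sorted(ETYPE_BITS.items()) if value & bit]
    return names, value & ~KNOWN_MASK


def review(value):
    """Summarise one attribute value for an audit report."""
    names, leftover = decode(value)
    weak = [n for n in names if n in WEAK]
    return {"value": value, "enabled": names, "weak": weak,
            "unmodelled_bits": hex(leftover),
            "aes_only": bool(names) and not weak}


def removed_by_change(old, new):
    """Etypes a service account stops advertising when the value changes."""
    kept = decode(new)[0]
    return [n for n in decode(old)[0] if n not in kept]


def strongest_common(service_value, client_value):
    """Strongest etype both masks allow, or None when they do not overlap
    (simplified model: higher bit is treated as stronger)."""
    common = service_value & client_value & KNOWN_MASK
    return ETYPE_BITS[1 << (common.bit_length() - 1)] if common else None


if __name__ == "__main__":
    # Constructed inputs: the two values mentioned in the thread.
    for value in (28, 24):
        print(review(value))
    print("28 -> 24 removes:", removed_by_change(28, 24))
    # Constructed client mask 4 = a client limited to RC4-HMAC.
    print("RC4-only client vs 24:", strongest_common(24, 4))
    print("RC4-only client vs 28:", strongest_common(28, 4))
```

Under this model, value 24 leaves only the two AES types enabled, so a client that can offer nothing but RC4 has no overlap with it, while value 28 still accepts RC4.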