Hi,
I did a clean install of vCenter 6.7u2 and everything works as it is supposed to except AD authentication. Local logon with vsphere.local\administrator is working fine.
The following things have already been configured/checked:
1. Photon-machine is joined to the domain, AD object and DNS record have been created.
2. Identity source has been configured.
3. Global permissions have been defined, users can be found in the domain.
4. Domain can be resolved from the server appliance.
5. Server appliance can be resolved from the domain controller.
6. Date and time of the appliance are equal to the DC's date and time.
7. Disjoined the device from the domain with CLI, removed device from AD, rejoined device.
When trying to log on, the web interface displays the error: "Invalid credentials". Meanwhile, websso.log displays some errors.
Logfile (removed sensitive info) is attached to this post.
Try these KBs:
2147308
2147174
principal [user1@domain.local] for tenant [vsphere.local]
com.vmware.identity.interop.idm.IdmNativeException: Native platform error [code: 851968][null][null]
at com.vmware.identity.interop.idm.LinuxIdmNativeAdapter.AuthenticateByPassword(LinuxIdmNativeAdapter.java:188) ~[vmware-identity-platform-7.0.0.jar:?]
at com.vmware.identity.idm.server.provider.activedirectory.ActiveDirectoryProvider.authenticate(ActiveDirectoryProvider.java:289) ~[vmware-identity-idm-server-7.0.0.jar:?]
at com.vmware.identity.idm.server.IdentityManager.authenticate(IdentityManager.java:2991) [vmware-identity-idm-server-7.0.0.jar:?]
at com.vmware.identity.idm.server.IdentityManager.authenticate(IdentityManager.java:9753) [vmware-identity-idm-server-7.0.0.jar:?]
at com.vmware.identity.idm.client.CasIdmClient.authenticate(CasIdmClient.java:1263) [vmware-identity-idm-client-7.0.0.jar:?]
at com.vmware.identity.samlservice.impl.CasIdmAccessor.authenticate(CasIdmAccessor.java:470) [websso-7.0.0.jar:?]
at com.vmware.identity.samlservice.impl.AuthnRequestStatePasswordAuthenticationFilter.authenticate(AuthnRequestStatePasswordAuthenticationFilter.java:95) [websso-7.0.0.jar:?]
at com.vmware.identity.samlservice.impl.AuthnRequestStatePasswordAuthenticationFilter.authenticate(AuthnRequestStatePasswordAuthenticationFilter.java:45) [websso-7.0.0.jar:?]
at com.vmware.identity.samlservice.impl.AuthnRequestStateCookieWrapper.authenticate(AuthnRequestStateCookieWrapper.java:123) [websso-7.0.0.jar:?]
at com.vmware.identity.samlservice.impl.AuthnRequestStateCookieWrapper.authenticate(AuthnRequestStateCookieWrapper.java:43) [websso-7.0.0.jar:?]
at com.vmware.identity.samlservice.AuthnRequestState.authenticate(AuthnRequestState.java:463) [websso-7.0.0.jar:?]
at com.vmware.identity.BaseSsoController.processSsoRequest(BaseSsoController.java:89) [websso-7.0.0.jar:?]
I found those articles online as well, and can confirm that “Do not require Kerberos preauthentication” is not checked for this user, and that there is no time mismatch either.
Any other suggestions?