komanek
Enthusiast

integrated windows authentication stopped working after upgrade to vCenter 6.5u3

Hello,

after upgrade from vCenter 6.5u2 to 6.5u3, the integrated windows authentication stopped working, saying "invalid credentials" on the login screen, for both flash and html5 clients. Traditional login with username and password works fine. The enhanced plugin service is running (login screen recognizes it and the link to download the plugin is hidden, which seems ok). Cleared browser cache, reboot of server and reinstallation of enhanced plugin didn't help.

Running on Windows 2012 R2 Server (standalone, no AD), current Firefox ESR (60.9.0esr 64-bit). The same problem on both my vCenter installations. The only difference is vCenter upgrade.

Is it a known issue with any workaround?

Thanks,

David

0 Kudos
7 Replies
Gidrakos
Hot Shot

Hey David, are you getting any pertinent errors in any of the following log files?

/var/log/vmware/vpxd/vpxd.log

/var/log/vmware/sso/websso.log

/var/log/vmware/sso/ssoAdminServer.log

Those might be able to point you in the right direction. Let us know what you find.

0 Kudos
komanek
Enthusiast

Hi,

thank you for the response. It is a Windows-based installation, as I mentioned already, so I hope I found the relevant logs. I started a web browser, tried to log in via Windows integration, and searched the logs for the specific time period. Hostnames are changed.

C:\ProgramData\VMware\vCenterServer\runtime\VMwareSTSService\logs\websso.log

[2019-10-03T09:18:24.531+02:00  tomcat-http--1                                       INFO  com.vmware.identity.SsoController] Welcome to SP-initiated AuthnRequest handler! The client locale is en_US, tenant is vsphere.local

[2019-10-03T09:18:24.532+02:00  tomcat-http--1                                       INFO  com.vmware.identity.SsoController] Request URL is https://xxx.yyy.zzz.cz/websso/SAML2/SSO/vsphere.local

[2019-10-03T09:18:24.589+02:00  tomcat-http--1  92a887d2-f255-4490-860d-fd1e57395ece INFO  com.vmware.identity.samlservice.impl.AuthnRequestStateValidator] Validating SAML AuthnRequest, ID: _3c9447985d4d34f0464e4e68c6411311

[2019-10-03T09:18:24.593+02:00  tomcat-http--1  92a887d2-f255-4490-860d-fd1e57395ece INFO  com.vmware.identity.samlservice.impl.AuthnRequestStateValidator] Authn request proxyCount= null set isProxying=false

[2019-10-03T09:18:24.603+02:00  tomcat-http--1  92a887d2-f255-4490-860d-fd1e57395ece INFO  com.vmware.identity.samlservice.impl.AuthnRequestStateValidator] Authentication request validation succeeded

[2019-10-03T09:18:24.607+02:00  tomcat-http--1  92a887d2-f255-4490-860d-fd1e57395ece INFO  auditlogger] {"user":"","client":"::1","timestamp":"10/03/2019 09:18:24 CEST","description":"User @::1 failed to log in with response code 401","eventSeverity":"INFO","type":"com.vmware.sso.LoginFailure"}

[2019-10-03T09:18:24.607+02:00  tomcat-http--1  92a887d2-f255-4490-860d-fd1e57395ece ERROR com.vmware.identity.samlservice.AuthnRequestState] Caught Saml Service Exception from authenticate com.vmware.identity.samlservice.SamlServiceException

[2019-10-03T09:18:24.607+02:00  tomcat-http--1  92a887d2-f255-4490-860d-fd1e57395ece ERROR com.vmware.identity.BaseSsoController] Sending error to browser. ERROR: 401, message

C:\ProgramData\VMware\vCenterServer\runtime\VMwareSTSService\logs\ssoAdminServer.log

no error messages, no mention of my login name

C:\ProgramData\VMware\vCenterServer\logs\vmware-vpx\vpxd-149.log

The timestamp is 34 seconds later than that from websso.log, so probably not relevant, but to be sure, I paste it here:

2019-10-03T09:18:58.815+02:00 error vpxd[05996] [Originator@6876 sub=vmomi.soapStub[79]] initial service state request failed, disabling pings. error=HTTP Status:500 'Internal Server Error'

2019-10-03T09:18:58.815+02:00 warning vpxd[05996] [Originator@6876 sub=Default] Closing Response processing in unexpected state: 3

EDIT: I also found this:

C:\ProgramData\VMware\vCenterServer\runtime\VMwareSTSService\logs\websso_audit_events.log

2019-10-03T07:18:24.607Z {"user":"","client":"::1","timestamp":"10/03/2019 09:18:24 CEST","description":"User @::1 failed to log in with response code 401","eventSeverity":"INFO","type":"com.vmware.sso.LoginFailure"}

0 Kudos
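Added example, not part of the thread or of any VMware tooling: a small triage script for the websso_audit_events.log layout quoted in the post above (timestamp, space, one JSON object per line). It separates `com.vmware.sso.LoginFailure` events with an empty `user` field, the pattern seen in the failed Windows session login, from failures where a user name was submitted. The second to fourth sample lines and the function names are constructed for illustration.

```python
import json
from collections import Counter

FAILURE_TYPE = "com.vmware.sso.LoginFailure"

# First line is the one quoted in the post; the rest are constructed samples.
SAMPLE = '''\
2019-10-03T07:18:24.607Z {"user":"","client":"::1","timestamp":"10/03/2019 09:18:24 CEST","description":"User @::1 failed to log in with response code 401","eventSeverity":"INFO","type":"com.vmware.sso.LoginFailure"}
2019-10-03T07:19:02.114Z {"user":"alice@example.local","client":"192.0.2.10","timestamp":"10/03/2019 09:19:02 CEST","description":"User alice@example.local@192.0.2.10 failed to log in with response code 401","eventSeverity":"INFO","type":"com.vmware.sso.LoginFailure"}
2019-10-03T07:19:30.000Z {"user":"","client":"::1", truncated line
2019-10-03T07:20:11.250Z {"user":"","client":"::1","timestamp":"10/03/2019 09:20:11 CEST","description":"User @::1 failed to log in with response code 401","eventSeverity":"INFO","type":"com.vmware.sso.LoginFailure"}
'''


def parse_audit_line(line):
    """Return (timestamp, event dict), or None if the line cannot be parsed."""
    ts, sep, payload = line.strip().partition(" ")
    if not sep or not payload.startswith("{"):
        return None
    try:
        event = json.loads(payload)
    except json.JSONDecodeError:
        return None  # e.g. a line cut off mid-write or during log rotation
    return (ts, event) if isinstance(event, dict) else None


def summarize_failures(text):
    """Count LoginFailure events per client, split by empty vs. named user."""
    anonymous, named, skipped = Counter(), Counter(), 0
    for line in text.splitlines():
        if not line.strip():
            continue
        parsed = parse_audit_line(line)
        if parsed is None:
            skipped += 1
            continue
        _, event = parsed
        if event.get("type") != FAILURE_TYPE:
            continue
        bucket = named if event.get("user") else anonymous
        bucket[event.get("client", "?")] += 1
    return anonymous, named, skipped


if __name__ == "__main__":
    anon, named, skipped = summarize_failures(SAMPLE)
    print("empty-user failures:", dict(anon))
    print("named-user failures:", dict(named))
    print("unparseable lines:", skipped)
```

To run it against a real file, pass the file's contents to `summarize_failures` instead of `SAMPLE`.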
daphnissov
Immortal

Running a Windows-based vCenter at this time is essentially pointless and because of most using the vCSA there is going to be an (appropriate) lack of knowledge here on Windows. I'd suggest opening a support request.

0 Kudos
Gidrakos
Hot Shot

Sorry, I totally skipped over the local Windows install bit.

A good amount of people have had success with fixing this issue by setting an appropriate security GPO, as talked about here: Issues when using Windows Session Authentication

0 Kudos
komanek
Enthusiast

Running a Windows-based vCenter at this time is essentially pointless and because of most using the vCSA there is going to be an (appropriate) lack of knowledge here on Windows. I'd suggest opening a support request.

Well, maybe in your case, but I have reasons to postpone the migration due to some specific software dependencies, until they are resolved. As far as I know, vCenter 6.5 Windows-based is still actively developed. And I am aware of many people still running it. IWA functionality is not critical to me, I just wonder if there is a solution. But thanks for the opinion anyway 😉

0 Kudos
komanek
Enthusiast

A good amount of people have had success with fixing this issue by setting an appropriate security GPO, as talked about here: Issues when using Windows Session Authentication

Thank you for the suggestion. It did not work in my case. Never mind, it is not critical to me, maybe later somebody will have the same problem and will be smarter than me to find a solution 🙂

0 Kudos
Tina07
VMware Employee

This is a known issue affecting vCenter Server 6.5 U3 and 6.7 U3. Resolution available at failed to log in with response code 401","eventSeverity":"INFO","type":"com.vmware.sso.LoginFailure"....

0 Kudos