VMware Cloud Community
dhchentw
Contributor
Contributor
‎09-25-2013 11:49 PM
Jump to solution

Newly deployed vCenter Server Appliance 5.5 failed to authenticate against AD on Windows 2008 R2


I deployed a whole new VCSA 5.5 to test its new feature. System joined AD successfully, and I can see and add users into data center using Web client. But if I want to login as AD user, Web Client always tells me "invalid credentials". Setting my AD domain as default domain does not work.

SSH into vcsa and examine SSO log in vmware-sts-idmd.log, it tells me:

2013-09-26 06:38:28,824 ERROR  [IdentityManager] Failed to authenticate principal [dhchen@example.com] for tenant [vsphere.local]

2013-09-26 06:38:28,825 ERROR  [ServerUtils] Exception 'com.vmware.identity.idm.IDMLoginException: Native platform error [code: 40067][LW_ERROR_STRING_CONV_FAILED][Failed to convert string format (wide/ansi)]'

com.vmware.identity.idm.IDMLoginException: Native platform error [code: 40067][LW_ERROR_STRING_CONV_FAILED][Failed to convert string format (wide/ansi)]

        at com.vmware.identity.idm.server.IdentityManager.authenticate(IdentityManager.java:2334)

        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

        at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)

        at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)

        at java.lang.reflect.Method.invoke(Unknown Source)

        at sun.rmi.server.UnicastServerRef.dispatch(Unknown Source)

        at sun.rmi.transport.Transport$1.run(Unknown Source)

        at sun.rmi.transport.Transport$1.run(Unknown Source)

        at java.security.AccessController.doPrivileged(Native Method)

        at sun.rmi.transport.Transport.serviceCall(Unknown Source)

        at sun.rmi.transport.tcp.TCPTransport.handleMessages(Unknown Source)

        at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run0(Unknown Source)

        at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(Unknown Source)

        at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)

        at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)

        at java.lang.Thread.run(Unknown Source)

2013-09-26 06:38:28,826 INFO   [IdentityManager] Authentication failed for user [dhchen@example.com] in tenant [vsphere.local] in [32] milliseconds

anothor log vmware-identity-sts.log says:

[2013-09-26 06:39:02,431 tomcat-http--39  DEBUG com.vmware.identity.sts.InvalidCredentialsException] About to censor authentication failure

com.vmware.identity.sts.InvalidCredentialsException: IDM rejected authentication by UPN

        at com.vmware.identity.sts.auth.impl.UNTAuthenticator.authenticate(UNTAuthenticator.java:72)

        at com.vmware.identity.sts.auth.impl.CompositeAuthenticator.authenticate(CompositeAuthenticator.java:44)

        at com.vmware.identity.sts.auth.impl.CompositeAuthenticatorPerformanceDecorator$1.call(CompositeAuthenticatorPerformanceDecorator.java:54)

        at com.vmware.identity.sts.auth.impl.CompositeAuthenticatorPerformanceDecorator$1.call(CompositeAuthenticatorPerformanceDecorator.java:51)

        at com.vmware.identity.performanceSupport.PerformanceDecorator.exec(PerformanceDecorator.java:36)

        at com.vmware.identity.sts.auth.impl.CompositeAuthenticatorPerformanceDecorator.authenticate(CompositeAuthenticatorPerformanceDecorator.java:51)

        at com.vmware.identity.sts.impl.STSImpl.issue(STSImpl.java:126)

        at com.vmware.identity.sts.impl.MultiTenantSTSImpl.issue(MultiTenantSTSImpl.java:50)

        at com.vmware.identity.sts.impl.MultiTenantSTSImplPerformanceDecorator$2.call(MultiTenantSTSImplPerformanceDecorator.java:89)

        at com.vmware.identity.sts.impl.MultiTenantSTSImplPerformanceDecorator$2.call(MultiTenantSTSImplPerformanceDecorator.java:86)

        at com.vmware.identity.performanceSupport.PerformanceDecorator.exec(PerformanceDecorator.java:36)

        at com.vmware.identity.sts.impl.MultiTenantSTSImplPerformanceDecorator.issue(MultiTenantSTSImplPerformanceDecorator.java:86)

        at com.vmware.identity.sts.ws.StsServiceImpl.issue(StsServiceImpl.java:148)

        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

        at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)

        at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)

        at java.lang.reflect.Method.invoke(Unknown Source)

        at com.sun.xml.ws.api.server.InstanceResolver$1.invoke(InstanceResolver.java:250)

        at com.sun.xml.ws.server.InvokerTube$2.invoke(InvokerTube.java:150)

        at com.sun.xml.ws.server.sei.EndpointMethodHandler.invoke(EndpointMethodHandler.java:261)

        at com.sun.xml.ws.server.sei.SEIInvokerTube.processRequest(SEIInvokerTube.java:100)

        at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:641)

        at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:600)

        at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:585)

        at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:482)

        at com.sun.xml.ws.server.WSEndpointImpl$2.process(WSEndpointImpl.java:314)

        at com.sun.xml.ws.transport.http.HttpAdapter$HttpToolkit.handle(HttpAdapter.java:608)

        at com.sun.xml.ws.transport.http.HttpAdapter.handle(HttpAdapter.java:259)

        at com.sun.xml.ws.transport.http.servlet.ServletAdapter.invokeAsync(ServletAdapter.java:213)

        at com.sun.xml.ws.transport.http.servlet.WSServletDelegate.doGet(WSServletDelegate.java:159)

        at com.sun.xml.ws.transport.http.servlet.WSServletDelegate.doPost(WSServletDelegate.java:194)

        at com.sun.xml.ws.transport.http.servlet.WSServlet.doPost(WSServlet.java:80)

        at javax.servlet.http.HttpServlet.service(HttpServlet.java:641)

        at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)

        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)

        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)

        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)

        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)

        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)

        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)

        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)

        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:929)

        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)

        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)

        at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1002)

        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:585)

        at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:310)

        at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)

        at java.lang.Thread.run(Unknown Source)

Caused by: com.vmware.identity.sts.idm.InvalidCredentialsException: com.vmware.identity.idm.IDMLoginException: Native platform error [code: 40067][LW_ERROR_STRING_CONV_FAILED][Failed to convert string format (wide/ansi)]

        at com.vmware.identity.sts.idm.impl.AuthenticatorImpl.authenticate(AuthenticatorImpl.java:88)

        at com.vmware.identity.sts.auth.impl.UNTAuthenticator.authenticate(UNTAuthenticator.java:64)

        ... 49 more

Caused by: com.vmware.identity.idm.IDMLoginException: Native platform error [code: 40067][LW_ERROR_STRING_CONV_FAILED][Failed to convert string format (wide/ansi)]

        at com.vmware.identity.idm.server.ServerUtils.getRemoteException(ServerUtils.java:97)

        at com.vmware.identity.idm.server.IdentityManager.authenticate(IdentityManager.java:2334)

        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

        at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)

        at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)

        at java.lang.reflect.Method.invoke(Unknown Source)

        at sun.rmi.server.UnicastServerRef.dispatch(Unknown Source)

        at sun.rmi.transport.Transport$1.run(Unknown Source)

        at sun.rmi.transport.Transport$1.run(Unknown Source)

        at java.security.AccessController.doPrivileged(Native Method)

        at sun.rmi.transport.Transport.serviceCall(Unknown Source)

        at sun.rmi.transport.tcp.TCPTransport.handleMessages(Unknown Source)

        at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run0(Unknown Source)

        at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(Unknown Source)

        at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)

        at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)

        at java.lang.Thread.run(Unknown Source)

        at sun.rmi.transport.StreamRemoteCall.exceptionReceivedFromServer(Unknown Source)

        at sun.rmi.transport.StreamRemoteCall.executeCall(Unknown Source)

        at sun.rmi.server.UnicastRef.invoke(Unknown Source)

        at java.rmi.server.RemoteObjectInvocationHandler.invokeRemoteMethod(Unknown Source)

        at java.rmi.server.RemoteObjectInvocationHandler.invoke(Unknown Source)

        at com.sun.proxy.$Proxy97.authenticate(Unknown Source)

        at com.vmware.identity.idm.client.CasIdmClient.authenticate(CasIdmClient.java:913)

        at com.vmware.identity.sts.idm.impl.AuthenticatorImpl.authenticate(AuthenticatorImpl.java:78)

        ... 50 more

[2013-09-26 06:39:02,433 tomcat-http--39  DEBUG com.vmware.identity.sts.ws.StsServiceImpl] com.vmware.identity.sts.InvalidCredentialsException: Invalid credentials

        at com.vmware.identity.sts.InvalidCredentialsException.buildPublic(InvalidCredentialsException.java:45)

        at com.vmware.identity.sts.ws.StsServiceImpl.issue(StsServiceImpl.java:152)

        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

        at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)

        at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)

        at java.lang.reflect.Method.invoke(Unknown Source)

        at com.sun.xml.ws.api.server.InstanceResolver$1.invoke(InstanceResolver.java:250)

        at com.sun.xml.ws.server.InvokerTube$2.invoke(InvokerTube.java:150)

        at com.sun.xml.ws.server.sei.EndpointMethodHandler.invoke(EndpointMethodHandler.java:261)

        at com.sun.xml.ws.server.sei.SEIInvokerTube.processRequest(SEIInvokerTube.java:100)

        at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:641)

        at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:600)

        at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:585)

        at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:482)

        at com.sun.xml.ws.server.WSEndpointImpl$2.process(WSEndpointImpl.java:314)

Any Suggestions?

Tags (2)
1 Solution

Accepted Solutions
17 Replies
sanjeebkumar
VMware Employee
VMware Employee
‎09-26-2013 12:24 AM
Jump to solution

dhchentw

Are you facing this login issue for all active directory users added permission to your data-centers?



0 Kudos
dhchentw
Contributor
Contributor
‎09-26-2013 12:30 AM
Jump to solution

I've created a test user and  the same problem exists

0 Kudos
sanjeebkumar
VMware Employee
VMware Employee
‎09-26-2013 12:34 AM
Jump to solution

Is your Active directory user's  password has non-ascii character?

0 Kudos
dhchentw
Contributor
Contributor
‎09-26-2013 12:38 AM
Jump to solution

No, the password only has normal ASCII chars

0 Kudos
sanjeebkumar
VMware Employee
VMware Employee
‎09-26-2013 12:45 AM
Jump to solution

Could you please open a service request for vmware support staf on this, with all the logs uploaded to that?

0 Kudos
dhchentw
Contributor
Contributor
‎09-26-2013 12:54 AM
Jump to solution

I;ve opened service request several times and the experience is not good so I tried to ask the community first :smileysilly:

Anyway I'll fle a service request

0 Kudos
sanjeebkumar
VMware Employee
VMware Employee
‎09-26-2013 12:55 AM
Jump to solution

Please see this thread, looks like similar issue what you are facing.?

Re: VCSA5.5 Umlaut Problem?

0 Kudos
dhchentw
Contributor
Contributor
‎09-26-2013 01:06 AM
Jump to solution

Not exactly since the error message is not the same and I have no non-ascii group and no non-ascii username & password, and My user is in the administrators group only

0 Kudos
Mythoranium
Contributor
Contributor
‎09-26-2013 07:04 AM
Jump to solution

Hello!

I am facing the same problem. However, I am able to login via a test user. The test user is in the same primary group, but is not in many other groups my user is a member of. Some of these groups are in a directory that uses non-ascii symbols, so that could be part of the problem, but I have so far been unable to isolate the exact cause. I have tried moving the test user to other groups and directories (which have non-ascii symbols), but I think that vcenter might not notice the changes right away (I suppose it could use the same authentication tickets if I log off and log back in a short period of time)

0 Kudos
Mythoranium
Contributor
Contributor
‎09-27-2013 12:25 AM
Jump to solution

Just a small update:

After some more testing, it seems that this problem repeats itself as I expected yesterday — if any groups user belongs to (not just the primary group) has any non-ascii symbols either in their name, or in "Active Directory Folder", this user cannot log in.

0 Kudos
dhchentw
Contributor
Contributor
‎09-27-2013 01:04 AM
Jump to solution

My experience is: even if a test user only belongs to "Domain Users" group, it will fail. And my user belongs to groups which only has ASCII names

0 Kudos
Mythoranium
Contributor
Contributor
‎09-27-2013 04:38 AM
Jump to solution

Hi, dhchentw!

I did a bit more digging and it seems that (at least in my case) the problem arises because of non-ascii symbols in OU names, not group names. Could you please check what OUs the users are part of?

I also did a bit more searching for LW_ERROR_STRING_CONV_FAILED and judging by some Ubuntu related posts, it seems to be an error originating from likewise-open. It seems this is somehow connected to the system locale:

https://bugs.launchpad.net/ubuntu/+source/likewise-open/+bug/719279

https://bugs.launchpad.net/ubuntu/+source/likewise-open/+bug/598034

https://bugs.launchpad.net/ubuntu/+source/likewise-open/+bug/794108/+activity

However, none of the workarounds proposed in those links are working for me.

0 Kudos
badazws6
Enthusiast
Enthusiast
‎09-27-2013 07:30 AM
Jump to solution

I was having a similar problem.  My problem seemed to resolve after I changed the primary group for the account.  Even after I changed it back to the original primary group it continues to work.

0 Kudos
dhchentw
Contributor
Contributor
‎09-30-2013 07:40 PM
Jump to solution

Just found out that if CN contains non-ascii chars, the authentication will fail but lw-find-user-by-name can get user info successfully. And tried every ways I could think to set locale for likewise and vmware-sts-idmd and still failed.

CN contains non-ascii chars is very common in the real world I think. This bug may prevent VCSA from gaining popularity

0 Kudos
ksram
VMware Employee
VMware Employee
‎09-30-2013 09:01 PM
Jump to solution

A fix has been posted in knowledge base article 2060873:VMware KB:    Unable to log in to vCenter Server Appliance 5.5 if username or group name contains le...

Thanks

Ram

ladavyl
Contributor
Contributor
‎09-30-2013 10:36 PM
Jump to solution

This solution works perfectly!

Thank you very much, Vladimir.

PS: VMware Support Request 13380631509 is solved.

0 Kudos
dhchentw
Contributor
Contributor
‎09-30-2013 10:50 PM
Jump to solution

It works, thanks. Before that, I tried set LANG to zh_TW.UTF-8 but failed.

0 Kudos