I deployed a whole new VCSA 5.5 to test its new features. The system joined AD successfully, and I can see and add users to the data center using the Web Client. But if I try to log in as an AD user, the Web Client always tells me "invalid credentials". Setting my AD domain as the default domain does not work.
SSH into the VCSA and examine the SSO log, vmware-sts-idmd.log; it tells me:
2013-09-26 06:38:28,824 ERROR [IdentityManager] Failed to authenticate principal [dhchen@example.com] for tenant [vsphere.local]
2013-09-26 06:38:28,825 ERROR [ServerUtils] Exception 'com.vmware.identity.idm.IDMLoginException: Native platform error [code: 40067][LW_ERROR_STRING_CONV_FAILED][Failed to convert string format (wide/ansi)]'
com.vmware.identity.idm.IDMLoginException: Native platform error [code: 40067][LW_ERROR_STRING_CONV_FAILED][Failed to convert string format (wide/ansi)]
at com.vmware.identity.idm.server.IdentityManager.authenticate(IdentityManager.java:2334)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at sun.rmi.server.UnicastServerRef.dispatch(Unknown Source)
at sun.rmi.transport.Transport$1.run(Unknown Source)
at sun.rmi.transport.Transport$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at sun.rmi.transport.Transport.serviceCall(Unknown Source)
at sun.rmi.transport.tcp.TCPTransport.handleMessages(Unknown Source)
at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run0(Unknown Source)
at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
2013-09-26 06:38:28,826 INFO [IdentityManager] Authentication failed for user [dhchen@example.com] in tenant [vsphere.local] in [32] milliseconds
Another log, vmware-identity-sts.log, says:
[2013-09-26 06:39:02,431 tomcat-http--39 DEBUG com.vmware.identity.sts.InvalidCredentialsException] About to censor authentication failure
com.vmware.identity.sts.InvalidCredentialsException: IDM rejected authentication by UPN
at com.vmware.identity.sts.auth.impl.UNTAuthenticator.authenticate(UNTAuthenticator.java:72)
at com.vmware.identity.sts.auth.impl.CompositeAuthenticator.authenticate(CompositeAuthenticator.java:44)
at com.vmware.identity.sts.auth.impl.CompositeAuthenticatorPerformanceDecorator$1.call(CompositeAuthenticatorPerformanceDecorator.java:54)
at com.vmware.identity.sts.auth.impl.CompositeAuthenticatorPerformanceDecorator$1.call(CompositeAuthenticatorPerformanceDecorator.java:51)
at com.vmware.identity.performanceSupport.PerformanceDecorator.exec(PerformanceDecorator.java:36)
at com.vmware.identity.sts.auth.impl.CompositeAuthenticatorPerformanceDecorator.authenticate(CompositeAuthenticatorPerformanceDecorator.java:51)
at com.vmware.identity.sts.impl.STSImpl.issue(STSImpl.java:126)
at com.vmware.identity.sts.impl.MultiTenantSTSImpl.issue(MultiTenantSTSImpl.java:50)
at com.vmware.identity.sts.impl.MultiTenantSTSImplPerformanceDecorator$2.call(MultiTenantSTSImplPerformanceDecorator.java:89)
at com.vmware.identity.sts.impl.MultiTenantSTSImplPerformanceDecorator$2.call(MultiTenantSTSImplPerformanceDecorator.java:86)
at com.vmware.identity.performanceSupport.PerformanceDecorator.exec(PerformanceDecorator.java:36)
at com.vmware.identity.sts.impl.MultiTenantSTSImplPerformanceDecorator.issue(MultiTenantSTSImplPerformanceDecorator.java:86)
at com.vmware.identity.sts.ws.StsServiceImpl.issue(StsServiceImpl.java:148)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at com.sun.xml.ws.api.server.InstanceResolver$1.invoke(InstanceResolver.java:250)
at com.sun.xml.ws.server.InvokerTube$2.invoke(InvokerTube.java:150)
at com.sun.xml.ws.server.sei.EndpointMethodHandler.invoke(EndpointMethodHandler.java:261)
at com.sun.xml.ws.server.sei.SEIInvokerTube.processRequest(SEIInvokerTube.java:100)
at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:641)
at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:600)
at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:585)
at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:482)
at com.sun.xml.ws.server.WSEndpointImpl$2.process(WSEndpointImpl.java:314)
at com.sun.xml.ws.transport.http.HttpAdapter$HttpToolkit.handle(HttpAdapter.java:608)
at com.sun.xml.ws.transport.http.HttpAdapter.handle(HttpAdapter.java:259)
at com.sun.xml.ws.transport.http.servlet.ServletAdapter.invokeAsync(ServletAdapter.java:213)
at com.sun.xml.ws.transport.http.servlet.WSServletDelegate.doGet(WSServletDelegate.java:159)
at com.sun.xml.ws.transport.http.servlet.WSServletDelegate.doPost(WSServletDelegate.java:194)
at com.sun.xml.ws.transport.http.servlet.WSServlet.doPost(WSServlet.java:80)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:641)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:929)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1002)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:585)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:310)
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Caused by: com.vmware.identity.sts.idm.InvalidCredentialsException: com.vmware.identity.idm.IDMLoginException: Native platform error [code: 40067][LW_ERROR_STRING_CONV_FAILED][Failed to convert string format (wide/ansi)]
at com.vmware.identity.sts.idm.impl.AuthenticatorImpl.authenticate(AuthenticatorImpl.java:88)
at com.vmware.identity.sts.auth.impl.UNTAuthenticator.authenticate(UNTAuthenticator.java:64)
... 49 more
Caused by: com.vmware.identity.idm.IDMLoginException: Native platform error [code: 40067][LW_ERROR_STRING_CONV_FAILED][Failed to convert string format (wide/ansi)]
at com.vmware.identity.idm.server.ServerUtils.getRemoteException(ServerUtils.java:97)
at com.vmware.identity.idm.server.IdentityManager.authenticate(IdentityManager.java:2334)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at sun.rmi.server.UnicastServerRef.dispatch(Unknown Source)
at sun.rmi.transport.Transport$1.run(Unknown Source)
at sun.rmi.transport.Transport$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at sun.rmi.transport.Transport.serviceCall(Unknown Source)
at sun.rmi.transport.tcp.TCPTransport.handleMessages(Unknown Source)
at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run0(Unknown Source)
at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
at sun.rmi.transport.StreamRemoteCall.exceptionReceivedFromServer(Unknown Source)
at sun.rmi.transport.StreamRemoteCall.executeCall(Unknown Source)
at sun.rmi.server.UnicastRef.invoke(Unknown Source)
at java.rmi.server.RemoteObjectInvocationHandler.invokeRemoteMethod(Unknown Source)
at java.rmi.server.RemoteObjectInvocationHandler.invoke(Unknown Source)
at com.sun.proxy.$Proxy97.authenticate(Unknown Source)
at com.vmware.identity.idm.client.CasIdmClient.authenticate(CasIdmClient.java:913)
at com.vmware.identity.sts.idm.impl.AuthenticatorImpl.authenticate(AuthenticatorImpl.java:78)
... 50 more
[2013-09-26 06:39:02,433 tomcat-http--39 DEBUG com.vmware.identity.sts.ws.StsServiceImpl] com.vmware.identity.sts.InvalidCredentialsException: Invalid credentials
at com.vmware.identity.sts.InvalidCredentialsException.buildPublic(InvalidCredentialsException.java:45)
at com.vmware.identity.sts.ws.StsServiceImpl.issue(StsServiceImpl.java:152)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at com.sun.xml.ws.api.server.InstanceResolver$1.invoke(InstanceResolver.java:250)
at com.sun.xml.ws.server.InvokerTube$2.invoke(InvokerTube.java:150)
at com.sun.xml.ws.server.sei.EndpointMethodHandler.invoke(EndpointMethodHandler.java:261)
at com.sun.xml.ws.server.sei.SEIInvokerTube.processRequest(SEIInvokerTube.java:100)
at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:641)
at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:600)
at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:585)
at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:482)
at com.sun.xml.ws.server.WSEndpointImpl$2.process(WSEndpointImpl.java:314)
Any Suggestions?
A fix has been posted in knowledge base article 2060873:VMware KB: Unable to log in to vCenter Server Appliance 5.5 if username or group name contains le...
Thanks
Ram
Are you facing this login issue for all Active Directory users that have been given permissions on your data centers?
I've created a test user and the same problem exists.
Does your Active Directory user's password have non-ASCII characters?
No, the password only has normal ASCII chars.
Could you please open a service request with VMware support staff on this, with all the logs uploaded to it?
I've opened service requests several times and the experience was not good, so I tried to ask the community first.
Anyway, I'll file a service request.
Please see this thread; it looks like a similar issue to what you are facing.
Not exactly, since the error message is not the same and I have no non-ASCII group and no non-ASCII username or password, and my user is in the Administrators group only.
Hello!
I am facing the same problem. However, I am able to log in via a test user. The test user is in the same primary group, but is not in many other groups my user is a member of. Some of these groups are in a directory that uses non-ASCII symbols, so that could be part of the problem, but I have so far been unable to isolate the exact cause. I have tried moving the test user to other groups and directories (which have non-ASCII symbols), but I think that vCenter might not notice the changes right away (I suppose it could use the same authentication tickets if I log off and log back in within a short period of time).
Just a small update:
After some more testing, it seems that this problem repeats itself as I expected yesterday: if any group the user belongs to (not just the primary group) has any non-ASCII symbols either in its name or in its "Active Directory folder", the user cannot log in.
My experience is: even if a test user only belongs to the "Domain Users" group, it will fail. And my user belongs to groups which only have ASCII names.
Hi, dhchentw!
I did a bit more digging and it seems that (at least in my case) the problem arises because of non-ASCII symbols in OU names, not group names. Could you please check what OUs the users are part of?
I also did a bit more searching for LW_ERROR_STRING_CONV_FAILED and, judging by some Ubuntu-related posts, it seems to be an error originating from likewise-open. It seems this is somehow connected to the system locale:
https://bugs.launchpad.net/ubuntu/+source/likewise-open/+bug/719279
https://bugs.launchpad.net/ubuntu/+source/likewise-open/+bug/598034
https://bugs.launchpad.net/ubuntu/+source/likewise-open/+bug/794108/+activity
However, none of the workarounds proposed in those links are working for me.
I was having a similar problem. My problem seemed to resolve after I changed the primary group for the account. Even after I changed it back to the original primary group it continues to work.
Just found out that if the CN contains non-ASCII chars, authentication will fail, but lw-find-user-by-name can get the user info successfully. I tried every way I could think of to set the locale for likewise and vmware-sts-idmd and it still failed.
CNs containing non-ASCII chars are very common in the real world, I think. This bug may prevent VCSA from gaining popularity.
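The two findings above (OU names in one case, the CN in the other, with group names suspected earlier in the thread) all come down to the same check: does any RDN in the user's DN, or in the DN of any group the user belongs to, contain a non-ASCII character? The script below is an added example, not code from this thread or from VMware, that automates that triage. It splits LDAP DNs correctly (honouring backslash-escaped commas), flags the non-ASCII RDNs, and also scans SSO log text for the likewise error code 40067 / LW_ERROR_STRING_CONV_FAILED seen in the posted vmware-sts-idmd.log. The DNs and the log excerpt are constructed for illustration; in practice you would feed it the distinguishedName and memberOf values returned by ldapsearch or lw-find-user-by-name for the failing account.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpt modelled on the vmware-sts-idmd.log lines quoted in the thread.
SAMPLE_LOG = """2013-09-26 06:38:28,824 ERROR [IdentityManager] Failed to authenticate principal [dhchen@example.com] for tenant [vsphere.local]
2013-09-26 06:38:28,825 ERROR [ServerUtils] Exception 'com.vmware.identity.idm.IDMLoginException: Native platform error [code: 40067][LW_ERROR_STRING_CONV_FAILED][Failed to convert string format (wide/ansi)]'
2013-09-26 06:38:28,826 INFO [IdentityManager] Authentication failed for user [dhchen@example.com] in tenant [vsphere.local] in [32] milliseconds
"""

# Matches the "[code: NNNNN][LW_ERROR_...]" pair that likewise-open errors carry in the SSO log.
LW_ERROR_RE = re.compile(r"\[code: (\d+)\]\[(LW_ERROR_[A-Z_]+)\]")


def find_conv_failures(log_text: str) -> List[Tuple[str, int]]:
    """Return (timestamp, code) for every string-conversion failure in the log text."""
    hits = []
    for line in log_text.splitlines():
        m = LW_ERROR_RE.search(line)
        if m and m.group(2) == "LW_ERROR_STRING_CONV_FAILED":
            hits.append((line[:23], int(m.group(1))))
    return hits


def split_dn(dn: str) -> List[str]:
    """Split an LDAP DN into RDN strings on unescaped commas (RFC 4514 escaping)."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):   # keep escape pair together, do not split on it
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if c == ",":
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(c)
        i += 1
    parts.append("".join(buf).strip())
    return parts


def non_ascii_rdns(dn: str) -> List[Tuple[str, str]]:
    """Return (attribute, value) for each RDN whose value has a character outside ASCII."""
    flagged = []
    for rdn in split_dn(dn):
        attr, _, value = rdn.partition("=")
        if any(ord(ch) > 127 for ch in value):
            flagged.append((attr.strip().upper(), value))
    return flagged


def audit_principal(user_dn: str, member_of: List[str]) -> Dict:
    """Flag non-ASCII RDNs in the user's own DN (CN, OU, ...) and in every group DN."""
    report: Dict = {"user": non_ascii_rdns(user_dn), "groups": {}}
    for group_dn in member_of:
        bad = non_ascii_rdns(group_dn)
        if bad:
            report["groups"][group_dn] = bad
    report["at_risk"] = bool(report["user"] or report["groups"])
    return report


if __name__ == "__main__":
    # Constructed DNs: a user whose CN and OU are Chinese, in an ASCII-only group.
    user = "CN=陳大華,OU=研發部,DC=example,DC=com"
    groups = ["CN=Domain Users,CN=Users,DC=example,DC=com"]
    print(audit_principal(user, groups))
    print(find_conv_failures(SAMPLE_LOG))
```

A user reported as at_risk here is one the posts above predict will fail with the 40067 error, while an ASCII-only user in ASCII-only groups should authenticate; that is the same split the thread observed between the test user and the real user, and it lets you list affected accounts before applying the fix from the knowledge base article.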
This solution works perfectly!
Thank you very much, Vladimir.
PS: VMware Support Request 13380631509 is solved.
It works, thanks. Before that, I tried setting LANG to zh_TW.UTF-8, but that failed.