D3m4dm
Contributor

VCSA 6.7U1 AD Login not possible anymore

Hi all,

I've got a VCSA 6.7u1 11726888, installed in January 2019. I joined it directly to a Windows domain and added the Identity.

Everything worked fine up to now.

If I want to log in with AD credentials I get the error: Invalid Credentials.

Login with a vsphere.local user works fine.

Leaving the domain and joining again did not solve the problem.

Nothing is blocked in the firewall to the domain.

dig SRV _ldap._tcp.my.domain also looks very good

Does anyone have an idea?

Alexander

0 Kudos
22 Replies
Gidrakos
Hot Shot

I ran into something similar - did you upgrade/convert from a vCenter to VCSA?

Have you tried the new, embedded Windows authentication? For a while, I was able to get that working but not putting in AD credentials manually.

You can get a bit more detail on joining the domain and controlling Identity Sources by using the VCSA terminal. The tools are in /opt/likewise/bin.

0 Kudos
D3m4dm
Contributor

It was a fresh installation in January, not an upgrade.

I joined the domain with /opt/likewise/bin/domainjoin-cli join

And in vCenter under Configuration --> AD Domain everything looks fine. Then I added the identity source and rebooted, but nothing works now.

As I said: from January up to yesterday everything worked fine, and without any changes it doesn't work now.

I can't test the embedded Windows auth because my client is not in the same domain.

0 Kudos
IRIX201110141
Virtuoso

Just to be clear

- You successfully joined the VCSA to your Windows AD

- You rebooted the VCSA

and then you have granted permissions to the user accounts/groups you would like to use within vCenter?

Btw: VMware Support suggested using LDAP to Windows AD rather than the direct Windows AD integration when we had problems last time.

Regards

Joerg

0 Kudos
D3m4dm
Contributor

Absolutely right

0 Kudos
Alex_Romeo
Leadership

Hi,

https://www.virten.net/2017/01/how-to-add-ad-authentication-in-vcenter-6-5/

Alessandro Romeo

Blog: https://www.aleadmin.it/
0 Kudos
D3m4dm
Contributor

The connection to the domain controllers works fine.

I can add new user permissions, and the domain search for users also works.

So the connection is good.

0 Kudos
sjesse
Leadership

What permissions did you give the user you are using to log in with?

0 Kudos
D3m4dm
Contributor

The Administrator Role in global Permissions

0 Kudos
sjesse
Leadership

Don't do global permissions; go to the Single Sign-On section, then Users and Groups, and under Groups add your user to Administrators. Putting users in that group takes care of the permissions.

0 Kudos
Alex_Romeo
Leadership

Hi,

In Administration, in the Users and Groups section, have you enabled SSO access for the user?

Blog: https://www.aleadmin.it/
0 Kudos
D3m4dm
Contributor

sjesse

I also put the user there in the admin group, but it doesn't work.

AlessandroRomeo68

What do you mean exactly?

0 Kudos
sjesse
Leadership

We will probably need screenshots of all the parts, or you should open an SR and have support look. All you really need to do is what you say you've done to get AD to work.

0 Kudos
Gidrakos
Hot Shot

As we're discussing roughly the same thing here: Cannot login to vCenter 6.7u2 with Domain Credentials

I'd suggest using the CLI to leave the domain, remove the server from AD completely, and use the CLI to re-join. Check your websso and ssoAdminServer logs to see what errors are popping up if/when a user is denied access.

0 Kudos
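The websso log check suggested above, as an added triage script (not part of the original thread and not VMware code): it groups lines by correlation id, extracts failed AD logins, and decodes the native error code using the GSS-API major-status layout from RFC 2744. Treating the code as a GSS-API major status is an assumption; the sample lines are constructed in the websso.log layout with placeholder names.

```python
import re

# Constructed sample in the websso.log layout; XX\YY, XX\ZZ, XX.local and the
# second correlation id are placeholders.
SAMPLE_LOG = r"""
[2019-08-30T15:17:15.016+02:00 tomcat-http--4                      INFO  com.vmware.identity.SsoController] Request URL is https://vc-01.XX.local/websso/SAML2/SSO/vsphere.local
[2019-08-30T15:17:30.665+02:00 tomcat-http--4 vsphere.local        bc5328b5-b79e-45cf-a438-b21b5c9d0276 ERROR com.vmware.identity.idm.server.IdentityManager] Failed to authenticate principal [XX\YY] for tenant [vsphere.local]
com.vmware.identity.interop.idm.IdmNativeException: Native platform error [code: 851968][null][null]
        at com.vmware.identity.interop.idm.LinuxIdmNativeAdapter.AuthenticateByPassword(LinuxIdmNativeAdapter.java:188) ~[vmware-identity-platform-7.0.0.jar:?]
[2019-08-30T15:17:30.675+02:00 tomcat-http--4 vsphere.local        bc5328b5-b79e-45cf-a438-b21b5c9d0276 INFO  com.vmware.identity.idm.server.IdentityManager] Authentication failed for user [XX\YY] in tenant [vsphere.local] in [15614] milliseconds with provider [XX.local] of type [com.vmware.identity.idm.server.provider.activedirectory.ActiveDirectoryProvider]
[2019-08-30T15:19:02.101+02:00 tomcat-http--7 vsphere.local        00000000-0000-0000-0000-000000000001 INFO  com.vmware.identity.idm.server.IdentityManager] Authentication failed for user [XX\ZZ] in tenant [vsphere.local] in [212] milliseconds with provider [XX.local] of type [com.vmware.identity.idm.server.provider.activedirectory.ActiveDirectoryProvider]
"""

# "[timestamp thread [tenant correlation-id] LEVEL logger] message"; tenant and
# correlation id are absent on lines logged before the request is bound to a tenant.
HEADER = re.compile(
    r"^\[(?P<ts>\S+)\s+(?P<thread>\S+)\s+"
    r"(?:(?P<tenant>\S+)\s+(?P<corr>[0-9a-f-]{36})\s+)?"
    r"(?P<level>[A-Z]+)\s+(?P<logger>[\w.$]+)\]\s?(?P<msg>.*)$"
)
NATIVE = re.compile(r"Native platform error \[code: (\d+)\]")
SUMMARY = re.compile(
    r"Authentication failed for user \[(?P<user>[^\]]*)\] in tenant \[(?P<tenant>[^\]]*)\] "
    r"in \[(?P<ms>\d+)\] milliseconds with provider \[(?P<provider>[^\]]*)\]"
)

# GSS-API routine errors (RFC 2744); they occupy bits 16-23 of the major status.
GSS_ROUTINE = {
    1: "GSS_S_BAD_MECH", 2: "GSS_S_BAD_NAME", 3: "GSS_S_BAD_NAMETYPE",
    4: "GSS_S_BAD_BINDINGS", 5: "GSS_S_BAD_STATUS", 6: "GSS_S_BAD_SIG",
    7: "GSS_S_NO_CRED", 8: "GSS_S_NO_CONTEXT", 9: "GSS_S_DEFECTIVE_TOKEN",
    10: "GSS_S_DEFECTIVE_CREDENTIAL", 11: "GSS_S_CREDENTIALS_EXPIRED",
    12: "GSS_S_CONTEXT_EXPIRED", 13: "GSS_S_FAILURE", 14: "GSS_S_BAD_QOP",
    15: "GSS_S_UNAUTHORIZED", 16: "GSS_S_UNAVAILABLE",
    17: "GSS_S_DUPLICATE_ELEMENT", 18: "GSS_S_NAME_NOT_MN",
}


def decode_gss_major(code):
    """Split a GSS-API major status into calling / routine / supplementary fields.

    Assumption: the 'Native platform error' code is a GSS-API major status.
    """
    routine = (code >> 16) & 0xFF
    return {
        "calling": (code >> 24) & 0xFF,
        "routine": routine,
        "routine_name": GSS_ROUTINE.get(routine, "unknown"),
        "supplementary": code & 0xFFFF,
    }


def failed_logins(log_text):
    """Return one record per correlation id that shows a failed authentication."""
    records = {}
    current = None  # correlation id that exception text and stack frames belong to
    for line in log_text.splitlines():
        header = HEADER.match(line)
        if header:
            current = header.group("corr")  # None when the line carries no id
        if current is None:
            continue
        rec = records.setdefault(current, {
            "corr": current, "user": None, "tenant": None, "provider": None,
            "duration_ms": None, "native_code": None, "gss": None,
        })
        native = NATIVE.search(line)
        if native and rec["native_code"] is None:
            rec["native_code"] = int(native.group(1))
            rec["gss"] = decode_gss_major(rec["native_code"])
        summary = SUMMARY.search(line)
        if summary:
            rec.update(user=summary.group("user"), tenant=summary.group("tenant"),
                       provider=summary.group("provider"),
                       duration_ms=int(summary.group("ms")))
    # Keep only requests that actually failed; failures without a native code stay in.
    return [r for r in records.values()
            if r["user"] is not None or r["native_code"] is not None]


if __name__ == "__main__":
    for rec in failed_logins(SAMPLE_LOG):
        gss = rec["gss"]["routine_name"] if rec["gss"] else "n/a"
        print(rec["corr"], rec["user"], rec["provider"],
              f'{rec["duration_ms"]} ms', rec["native_code"], gss)
```

GSS_S_FAILURE only says the failure happened at the mechanism level (for AD, typically Kerberos), so the next step is the mechanism-specific minor status in the appliance's own authentication service logs.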
D3m4dm
Contributor

Now I created a new domain user and gave him the admin role at the top of vCenter.

If I want to log in I get the following in websso.log:

[2019-08-30T15:17:15.016+02:00 tomcat-http--4                                                           INFO  com.vmware.identity.SsoController] Welcome to SP-initiated AuthnRequest handler! The client locale is de, tenant is vsphere.local

[2019-08-30T15:17:15.016+02:00 tomcat-http--4                                                           INFO  com.vmware.identity.SsoController] Request URL is https://vc-01.XX.local/websso/SAML2/SSO/vsphere.local

[2019-08-30T15:17:15.054+02:00 tomcat-http--4 vsphere.local        bc5328b5-b79e-45cf-a438-b21b5c9d0276 INFO  com.vmware.identity.samlservice.impl.AuthnRequestStateValidator] Authn request proxyCount= null set isProxying=false

[2019-08-30T15:17:15.060+02:00 tomcat-http--4 vsphere.local        bc5328b5-b79e-45cf-a438-b21b5c9d0276 INFO  com.vmware.identity.samlservice.impl.AuthnRequestStateValidator] Authentication request validation succeeded

[2019-08-30T15:17:30.665+02:00 tomcat-http--4 vsphere.local        bc5328b5-b79e-45cf-a438-b21b5c9d0276 ERROR com.vmware.identity.idm.server.IdentityManager] Failed to authenticate principal [XX\YY] for tenant [vsphere.local]

com.vmware.identity.interop.idm.IdmNativeException: Native platform error [code: 851968][null][null]

        at com.vmware.identity.interop.idm.LinuxIdmNativeAdapter.AuthenticateByPassword(LinuxIdmNativeAdapter.java:188) ~[vmware-identity-platform-7.0.0.jar:?]

        at com.vmware.identity.idm.server.provider.activedirectory.ActiveDirectoryProvider.authenticate(ActiveDirectoryProvider.java:289) ~[vmware-identity-idm-server-7.0.0.jar:?]

        at com.vmware.identity.idm.server.IdentityManager.authenticate(IdentityManager.java:2990) [vmware-identity-idm-server-7.0.0.jar:?]

        at com.vmware.identity.idm.server.IdentityManager.authenticate(IdentityManager.java:9752) [vmware-identity-idm-server-7.0.0.jar:?]

        at com.vmware.identity.idm.client.CasIdmClient.authenticate(CasIdmClient.java:1263) [vmware-identity-idm-client-7.0.0.jar:?]

        at com.vmware.identity.samlservice.impl.CasIdmAccessor.authenticate(CasIdmAccessor.java:470) [websso-7.0.0.jar:?]

        at com.vmware.identity.samlservice.impl.AuthnRequestStatePasswordAuthenticationFilter.authenticate(AuthnRequestStatePasswordAuthenticationFilter.java:95) [websso-7.0.0.jar:?]

        at com.vmware.identity.samlservice.impl.AuthnRequestStatePasswordAuthenticationFilter.authenticate(AuthnRequestStatePasswordAuthenticationFilter.java:45) [websso-7.0.0.jar:?]

        at com.vmware.identity.samlservice.impl.AuthnRequestStateCookieWrapper.authenticate(AuthnRequestStateCookieWrapper.java:119) [websso-7.0.0.jar:?]

        at com.vmware.identity.samlservice.impl.AuthnRequestStateCookieWrapper.authenticate(AuthnRequestStateCookieWrapper.java:40) [websso-7.0.0.jar:?]

        at com.vmware.identity.samlservice.AuthnRequestState.authenticate(AuthnRequestState.java:463) [websso-7.0.0.jar:?]

        at com.vmware.identity.BaseSsoController.processSsoRequest(BaseSsoController.java:85) [websso-7.0.0.jar:?]

        at com.vmware.identity.SsoController.sso(SsoController.java:100) [websso-7.0.0.jar:?]

        at sun.reflect.GeneratedMethodAccessor206.invoke(Unknown Source) ~[?:?]

        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_181]

        at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_181]

        at org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:205) [spring-web-4.3.9.RELEASE.jar:4.3.9.RELEASE]

        at org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:133) [spring-web-4.3.9.RELEASE.jar:4.3.9.RELEASE]

        at org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:97) [spring-webmvc-4.3.9.RELEASE.jar:4.3.9.RELEASE]

        at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandlerMethod(RequestMappingHandlerAdapter.java:827) [spring-webmvc-4.3.9.RELEASE.jar:4.3.9.RELEASE]

        at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:738) [spring-webmvc-4.3.9.RELEASE.jar:4.3.9.RELEASE]

        at org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:85) [spring-webmvc-4.3.9.RELEASE.jar:4.3.9.RELEASE]

        at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:967) [spring-webmvc-4.3.9.RELEASE.jar:4.3.9.RELEASE]

        at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:901) [spring-webmvc-4.3.9.RELEASE.jar:4.3.9.RELEASE]

        at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:970) [spring-webmvc-4.3.9.RELEASE.jar:4.3.9.RELEASE]

        at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:872) [spring-webmvc-4.3.9.RELEASE.jar:4.3.9.RELEASE]

        at javax.servlet.http.HttpServlet.service(HttpServlet.java:661) [servlet-api.jar:?]

        at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:846) [spring-webmvc-4.3.9.RELEASE.jar:4.3.9.RELEASE]

        at javax.servlet.http.HttpServlet.service(HttpServlet.java:742) [servlet-api.jar:?]

        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231) [catalina.jar:8.5.32]

        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [catalina.jar:8.5.32]

        at com.vmware.identity.SecurityRequestWrapperFilter.doFilterInternal(SecurityRequestWrapperFilter.java:49) [websso-7.0.0.jar:?]

        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-4.3.9.RELEASE.jar:4.3.9.RELEASE]

        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [catalina.jar:8.5.32]

        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [catalina.jar:8.5.32]

        at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52) [tomcat-websocket.jar:8.5.32]

        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [catalina.jar:8.5.32]

        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [catalina.jar:8.5.32]

        at com.vmware.identity.diagnostics.STSLogDiagnosticsFilter.doFilter(STSLogDiagnosticsFilter.java:87) [vmware-identity-diagnostics-7.0.0.jar:?]

        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [catalina.jar:8.5.32]

        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [catalina.jar:8.5.32]

        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199) [catalina.jar:8.5.32]

        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96) [catalina.jar:8.5.32]

        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:493) [catalina.jar:8.5.32]

        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140) [catalina.jar:8.5.32]

        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81) [catalina.jar:8.5.32]

        at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:650) [catalina.jar:8.5.32]

        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87) [catalina.jar:8.5.32]

        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342) [catalina.jar:8.5.32]

        at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:800) [tomcat-coyote.jar:8.5.32]

        at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66) [tomcat-coyote.jar:8.5.32]

        at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:800) [tomcat-coyote.jar:8.5.32]

        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1471) [tomcat-coyote.jar:8.5.32]

        at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) [tomcat-coyote.jar:8.5.32]

        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_181]

        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_181]

        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-util.jar:8.5.32]

        at java.lang.Thread.run(Thread.java:748) [?:1.8.0_181]

[2019-08-30T15:17:30.673+02:00 tomcat-http--4 vsphere.local        bc5328b5-b79e-45cf-a438-b21b5c9d0276 INFO  com.vmware.identity.diagnostics.VmEventAppender] EventLog: source=[VMware Identity Server], tenant=[vsphere.local], eventid=[USER_NAME_PWD_AUTH_FAILED], level=[ERROR], category=[VMEVENT_CATEGORY_STS], text=[SimpleMessage[message=Failed to authenticate principal [XX\YY]. Native platform error [code: 851968][null][null]]], detailText=[Native platform error [code: 851968][null][null]], corelationId=[bc5328b5-b79e-45cf-a438-b21b5c9d0276], timestamp=[1567171050673]

[2019-08-30T15:17:30.673+02:00 tomcat-http--4 vsphere.local        bc5328b5-b79e-45cf-a438-b21b5c9d0276 ERROR com.vmware.identity.idm.server.IdentityManager] Failed to authenticate principal [XX\YY]. Native platform error [code: 851968][null][null]

com.vmware.identity.interop.idm.IdmNativeException: Native platform error [code: 851968][null][null]


[2019-08-30T15:17:30.675+02:00 tomcat-http--4 vsphere.local        bc5328b5-b79e-45cf-a438-b21b5c9d0276 INFO  com.vmware.identity.idm.server.IdentityManager] Authentication failed for user [XX\YY] in tenant [vsphere.local] in [15614] milliseconds with provider [XX.local] of type [com.vmware.identity.idm.server.provider.activedirectory.ActiveDirectoryProvider]

[2019-08-30T15:17:30.675+02:00 tomcat-http--4 vsphere.local        bc5328b5-b79e-45cf-a438-b21b5c9d0276 ERROR com.vmware.identity.idm.server.ServerUtils] Exception 'com.vmware.identity.idm.IDMLoginException: Native platform error [code: 851968][null][null]'

com.vmware.identity.idm.IDMLoginException: Native platform error [code: 851968][null][null]

        at com.vmware.identity.idm.server.IdentityManager.authenticate(IdentityManager.java:3100) ~[vmware-identity-idm-server-7.0.0.jar:?]

        at com.vmware.identity.idm.server.IdentityManager.authenticate(IdentityManager.java:9752) [vmware-identity-idm-server-7.0.0.jar:?]

        at com.vmware.identity.idm.client.CasIdmClient.authenticate(CasIdmClient.java:1263) [vmware-identity-idm-client-7.0.0.jar:?]

        at com.vmware.identity.samlservice.impl.CasIdmAccessor.authenticate(CasIdmAccessor.java:470) [websso-7.0.0.jar:?]

        at com.vmware.identity.samlservice.impl.AuthnRequestStatePasswordAuthenticationFilter.authenticate(AuthnRequestStatePasswordAuthenticationFilter.java:95) [websso-7.0.0.jar:?]

        at com.vmware.identity.samlservice.impl.AuthnRequestStatePasswordAuthenticationFilter.authenticate(AuthnRequestStatePasswordAuthenticationFilter.java:45) [websso-7.0.0.jar:?]

        at com.vmware.identity.samlservice.impl.AuthnRequestStateCookieWrapper.authenticate(AuthnRequestStateCookieWrapper.java:119) [websso-7.0.0.jar:?]

        at com.vmware.identity.samlservice.impl.AuthnRequestStateCookieWrapper.authenticate(AuthnRequestStateCookieWrapper.java:40) [websso-7.0.0.jar:?]

        at com.vmware.identity.samlservice.AuthnRequestState.authenticate(AuthnRequestState.java:463) [websso-7.0.0.jar:?]

        at com.vmware.identity.BaseSsoController.processSsoRequest(BaseSsoController.java:85) [websso-7.0.0.jar:?]

        at com.vmware.identity.SsoController.sso(SsoController.java:100) [websso-7.0.0.jar:?]

        at sun.reflect.GeneratedMethodAccessor206.invoke(Unknown Source) ~[?:?]

        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_181]

        at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_181]

        at org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:205) [spring-web-4.3.9.RELEASE.jar:4.3.9.RELEASE]

        at org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:133) [spring-web-4.3.9.RELEASE.jar:4.3.9.RELEASE]

        at org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:97) [spring-webmvc-4.3.9.RELEASE.jar:4.3.9.RELEASE]

        at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandlerMethod(RequestMappingHandlerAdapter.java:827) [spring-webmvc-4.3.9.RELEASE.jar:4.3.9.RELEASE]

        at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:738) [spring-webmvc-4.3.9.RELEASE.jar:4.3.9.RELEASE]

        at org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:85) [spring-webmvc-4.3.9.RELEASE.jar:4.3.9.RELEASE]

        at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:967) [spring-webmvc-4.3.9.RELEASE.jar:4.3.9.RELEASE]

        at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:901) [spring-webmvc-4.3.9.RELEASE.jar:4.3.9.RELEASE]

        at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:970) [spring-webmvc-4.3.9.RELEASE.jar:4.3.9.RELEASE]

        at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:872) [spring-webmvc-4.3.9.RELEASE.jar:4.3.9.RELEASE]

        at javax.servlet.http.HttpServlet.service(HttpServlet.java:661) [servlet-api.jar:?]

        at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:846) [spring-webmvc-4.3.9.RELEASE.jar:4.3.9.RELEASE]

        at javax.servlet.http.HttpServlet.service(HttpServlet.java:742) [servlet-api.jar:?]

        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231) [catalina.jar:8.5.32]

        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [catalina.jar:8.5.32]

        at com.vmware.identity.SecurityRequestWrapperFilter.doFilterInternal(SecurityRequestWrapperFilter.java:49) [websso-7.0.0.jar:?]

        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-4.3.9.RELEASE.jar:4.3.9.RELEASE]

        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [catalina.jar:8.5.32]

        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [catalina.jar:8.5.32]

        at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52) [tomcat-websocket.jar:8.5.32]

        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [catalina.jar:8.5.32]

        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [catalina.jar:8.5.32]

        at com.vmware.identity.diagnostics.STSLogDiagnosticsFilter.doFilter(STSLogDiagnosticsFilter.java:87) [vmware-identity-diagnostics-7.0.0.jar:?]

        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [catalina.jar:8.5.32]

        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [catalina.jar:8.5.32]

        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199) [catalina.jar:8.5.32]

        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96) [catalina.jar:8.5.32]

        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:493) [catalina.jar:8.5.32]

        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140) [catalina.jar:8.5.32]

        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81) [catalina.jar:8.5.32]

        at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:650) [catalina.jar:8.5.32]

        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87) [catalina.jar:8.5.32]

        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342) [catalina.jar:8.5.32]

        at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:800) [tomcat-coyote.jar:8.5.32]

        at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66) [tomcat-coyote.jar:8.5.32]

        at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:800) [tomcat-coyote.jar:8.5.32]

        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1471) [tomcat-coyote.jar:8.5.32]

        at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) [tomcat-coyote.jar:8.5.32]

        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_181]

        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_181]

        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-util.jar:8.5.32]

        at java.lang.Thread.run(Thread.java:748) [?:1.8.0_181]

[2019-08-30T15:17:30.676+02:00 tomcat-http--4 vsphere.local        bc5328b5-b79e-45cf-a438-b21b5c9d0276 ERROR com.vmware.identity.samlservice.impl.CasIdmAccessor] Caught exception.

com.vmware.identity.idm.IDMLoginException: Native platform error [code: 851968][null][null]

        at com.vmware.identity.idm.server.ServerUtils.getRemoteException(ServerUtils.java:123) ~[vmware-identity-idm-server-7.0.0.jar:?]

        at com.vmware.identity.idm.server.IdentityManager.authenticate(IdentityManager.java:9756) ~[vmware-identity-idm-server-7.0.0.jar:?]

        at com.vmware.identity.idm.client.CasIdmClient.authenticate(CasIdmClient.java:1263) ~[vmware-identity-idm-client-7.0.0.jar:?]

        at com.vmware.identity.samlservice.impl.CasIdmAccessor.authenticate(CasIdmAccessor.java:470) [websso-7.0.0.jar:?]

        at com.vmware.identity.samlservice.impl.AuthnRequestStatePasswordAuthenticationFilter.authenticate(AuthnRequestStatePasswordAuthenticationFilter.java:95) [websso-7.0.0.jar:?]

        at com.vmware.identity.samlservice.impl.AuthnRequestStatePasswordAuthenticationFilter.authenticate(AuthnRequestStatePasswordAuthenticationFilter.java:45) [websso-7.0.0.jar:?]

        at com.vmware.identity.samlservice.impl.AuthnRequestStateCookieWrapper.authenticate(AuthnRequestStateCookieWrapper.java:119) [websso-7.0.0.jar:?]

        at com.vmware.identity.samlservice.impl.AuthnRequestStateCookieWrapper.authenticate(AuthnRequestStateCookieWrapper.java:40) [websso-7.0.0.jar:?]

        at com.vmware.identity.samlservice.AuthnRequestState.authenticate(AuthnRequestState.java:463) [websso-7.0.0.jar:?]

        at com.vmware.identity.BaseSsoController.processSsoRequest(BaseSsoController.java:85) [websso-7.0.0.jar:?]

        at com.vmware.identity.SsoController.sso(SsoController.java:100) [websso-7.0.0.jar:?]

        at sun.reflect.GeneratedMethodAccessor206.invoke(Unknown Source) ~[?:?]

        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_181]

        at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_181]

        at org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:205) [spring-web-4.3.9.RELEASE.jar:4.3.9.RELEASE]

        at org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:133) [spring-web-4.3.9.RELEASE.jar:4.3.9.RELEASE]

        at org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:97) [spring-webmvc-4.3.9.RELEASE.jar:4.3.9.RELEASE]

        at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandlerMethod(RequestMappingHandlerAdapter.java:827) [spring-webmvc-4.3.9.RELEASE.jar:4.3.9.RELEASE]

        at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:738) [spring-webmvc-4.3.9.RELEASE.jar:4.3.9.RELEASE]

        at org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:85) [spring-webmvc-4.3.9.RELEASE.jar:4.3.9.RELEASE]

        at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:967) [spring-webmvc-4.3.9.RELEASE.jar:4.3.9.RELEASE]

        at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:901) [spring-webmvc-4.3.9.RELEASE.jar:4.3.9.RELEASE]

        at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:970) [spring-webmvc-4.3.9.RELEASE.jar:4.3.9.RELEASE]

        at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:872) [spring-webmvc-4.3.9.RELEASE.jar:4.3.9.RELEASE]

        at javax.servlet.http.HttpServlet.service(HttpServlet.java:661) [servlet-api.jar:?]

        at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:846) [spring-webmvc-4.3.9.RELEASE.jar:4.3.9.RELEASE]

        at javax.servlet.http.HttpServlet.service(HttpServlet.java:742) [servlet-api.jar:?]

        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231) [catalina.jar:8.5.32]

        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [catalina.jar:8.5.32]

        at com.vmware.identity.SecurityRequestWrapperFilter.doFilterInternal(SecurityRequestWrapperFilter.java:49) [websso-7.0.0.jar:?]

        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-4.3.9.RELEASE.jar:4.3.9.RELEASE]

        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [catalina.jar:8.5.32]

        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [catalina.jar:8.5.32]

        at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52) [tomcat-websocket.jar:8.5.32]

        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [catalina.jar:8.5.32]

        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [catalina.jar:8.5.32]

        at com.vmware.identity.diagnostics.STSLogDiagnosticsFilter.doFilter(STSLogDiagnosticsFilter.java:87) [vmware-identity-diagnostics-7.0.0.jar:?]

        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [catalina.jar:8.5.32]

        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [catalina.jar:8.5.32]

        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199) [catalina.jar:8.5.32]

        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96) [catalina.jar:8.5.32]

        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:493) [catalina.jar:8.5.32]

        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140) [catalina.jar:8.5.32]

        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81) [catalina.jar:8.5.32]

        at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:650) [catalina.jar:8.5.32]

        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87) [catalina.jar:8.5.32]

        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342) [catalina.jar:8.5.32]

        at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:800) [tomcat-coyote.jar:8.5.32]

        at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66) [tomcat-coyote.jar:8.5.32]

        at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:800) [tomcat-coyote.jar:8.5.32]

        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1471) [tomcat-coyote.jar:8.5.32]

        at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) [tomcat-coyote.jar:8.5.32]

        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_181]

        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_181]

        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-util.jar:8.5.32]

        at java.lang.Thread.run(Thread.java:748) [?:1.8.0_181]

[2019-08-30T15:17:30.677+02:00 tomcat-http--4 vsphere.local        bc5328b5-b79e-45cf-a438-b21b5c9d0276 ERROR com.vmware.identity.samlservice.AuthnRequestState] Caught Saml Service Exception from authenticate com.vmware.identity.samlservice.SamlServiceException

[2019-08-30T15:17:30.677+02:00 tomcat-http--4 vsphere.local        bc5328b5-b79e-45cf-a438-b21b5c9d0276 INFO  com.vmware.identity.samlservice.impl.SAMLAuthnResponseSender] Responded with ERROR 401 message Falscher Benutzername/falsches Kennwort

[2019-08-30T15:17:30.677+02:00 tomcat-http--4 vsphere.local        bc5328b5-b79e-45cf-a438-b21b5c9d0276 INFO  com.vmware.identity.BaseSsoController] End processing SP-Initiated SSO response. Session was created.

0 Kudos
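An added example (not part of the original post and not VMware tooling): a small parser for the websso log layout quoted above. It groups records by correlation ID, reports the requests that were answered with ERROR 401, and lists the identity-manager stack frames attached to them. The sample input reuses lines from the post; the lines marked (constructed) and the function names are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Header layout seen in the post: [timestamp thread tenant correlation-id LEVEL logger] message
HEADER = re.compile(
    r"^\[(?P<ts>\S+)\s+(?P<thread>\S+)\s+(?P<tenant>\S+)\s+(?P<corr>[0-9a-f-]{36})\s+"
    r"(?P<level>[A-Z]+)\s+(?P<logger>[\w.$]+)\]\s*(?P<msg>.*)$")
STATUS = re.compile(r"Responded with ERROR (\d{3})")

def parse(lines):
    """Yield one dict per record; 'at ...' stack frames attach to the record above."""
    rec = None
    for line in map(str.strip, lines):
        m = HEADER.match(line)
        if m:
            if rec:
                yield rec
            rec = dict(m.groupdict(), frames=[])
            rec["time"] = datetime.fromisoformat(rec.pop("ts"))
        elif rec and line.startswith("at "):
            rec["frames"].append(line[3:])
    if rec:
        yield rec

def failed_logins(lines):
    """Group records by correlation id; return the requests answered with ERROR 401."""
    by_corr = defaultdict(list)
    for rec in parse(lines):
        by_corr[rec["corr"]].append(rec)
    failures = []
    for corr, recs in by_corr.items():
        if "401" not in [c for r in recs for c in STATUS.findall(r["msg"])]:
            continue
        failures.append({
            "correlation_id": corr, "tenant": recs[0]["tenant"], "time": recs[0]["time"],
            "error_loggers": [r["logger"] for r in recs if r["level"] == "ERROR"],
            "idm_frames": [f for r in recs for f in r["frames"] if ".identity.idm." in f],
        })
    return failures

# Sample input: records and frames quoted in the post; lines marked (constructed) are made up.
SAMPLE = """\
[2019-08-30T15:17:30.676+02:00 tomcat-http--4 vsphere.local        bc5328b5-b79e-45cf-a438-b21b5c9d0276 ERROR com.vmware.identity.samlservice.impl.CasIdmAccessor] (constructed) header for the trace
        at com.vmware.identity.idm.client.CasIdmClient.authenticate(CasIdmClient.java:1263) ~[vmware-identity-idm-client-7.0.0.jar:?]
        at com.vmware.identity.samlservice.impl.CasIdmAccessor.authenticate(CasIdmAccessor.java:470) [websso-7.0.0.jar:?]
[2019-08-30T15:17:30.677+02:00 tomcat-http--4 vsphere.local        bc5328b5-b79e-45cf-a438-b21b5c9d0276 ERROR com.vmware.identity.samlservice.AuthnRequestState] Caught Saml Service Exception from authenticate com.vmware.identity.samlservice.SamlServiceException
[2019-08-30T15:17:30.677+02:00 tomcat-http--4 vsphere.local        bc5328b5-b79e-45cf-a438-b21b5c9d0276 INFO  com.vmware.identity.samlservice.impl.SAMLAuthnResponseSender] Responded with ERROR 401 message Falscher Benutzername/falsches Kennwort
[2019-08-30T15:18:02.101+02:00 tomcat-http--7 vsphere.local        00000000-0000-0000-0000-000000000001 INFO  com.vmware.identity.BaseSsoController] (constructed) unrelated request
""".splitlines()
```

Calling `failed_logins()` on the lines of a saved log returns one entry per rejected request, so a correlation ID from a failed login can be matched to the exception logged just before the 401.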
Alex_Romeo
Leadership

Hi,

try to verify this setting:

To resolve this issue, uncheck the "Do not require Kerberos preauthentication" flag in Active Directory.

VMware Knowledge Base

Alessandro Romeo

Blog: https://www.aleadmin.it/
0 Kudos
D3m4dm
Contributor

This option is not set in my AD.

The Domain login to other vcenter works as well

0 Kudos
thomsonacvs
Contributor

Did you ever solve this?

0 Kudos
Alex_Romeo
Leadership

Hi,

I mean this:

pastedImage_0.png

Using the "+" symbol, add the domain that users can access.

Authenticate to vCenter from Active Directory credentials

ARomeo

Blog: https://www.aleadmin.it/
0 Kudos
mrbassplayer_co
Contributor

I'm currently going through a wildly similar issue.

Currently running 6.7.0.40000 (Build: 14367737).

Upgraded from 6.5 to 6.7 over the summer (6.7.0.32000 (Build: 14070457)).

The issue didn't appear until months later when I needed to reboot.

The issue may have been there the whole time but the reboot set this all in motion.

The thing that stands out to me is the "Global Permissions" part.

I have never needed to touch Global Permissions until I upgraded to 6.7 where it seems that Content Library permissions were moved up there.

Following the upgrade, I wasn't able to access my content library even though I was an "administrator"

Once I made my AD group "Content Library Administrator" things were working again.

Months later, I needed to reboot my vCenter and that's when the problems started for me.

I opened an SR and, working with the engineer, it seems that the global permissions didn't add to my existing permissions but replaced them. So since I was only a "Content Library Admin", I had zero permissions to everything else in the vCenter.

Message I get in the GUI

“Unable to login because you do not have permission on any vCenter Server systems connected to this client. Back to login screen“

Message I get in PowerCLI

PS C:\> connect-viserver -Server vCenterServer -Credential $credv

connect-viserver : 12/31/2019 12:05:57 PM       Connect-VIServer                Permission to perform this operation was denied. Required privilege 'System.View' on managed object with id 'Folder-group-d1'.

At line:1 char:1

+ connect-viserver -Server vCenterServer -Credential $credv

+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    + CategoryInfo          : NotSpecified: (:) [Connect-VIServer], NoPermission

    + FullyQualifiedErrorId : Client20_ConnectivityServiceImpl_Reconnect_SoapException,VMware.VimAutomation.ViCore.Cmdlets.Commands.ConnectVIServer

Sometimes I would reboot the vCenter and my domain credentials would work but I still could not log in via PowerCLI. I'd get this error, instead.

PS C:\> connect-viserver -Server vCenterServer -Credential $credv

connect-viserver : Value cannot be null.

Parameter name: source

At line:1 char:1

+ connect-viserver -Server vCenterServer -Credential $credv

+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    + CategoryInfo          : NotSpecified: (:) [Connect-VIServer], ArgumentNullException

    + FullyQualifiedErrorId : System.ArgumentNullException,VMware.VimAutomation.ViCore.Cmdlets.Commands.ConnectVIServer

I tried the domainjoin-cli recommendations. No improvement. Issue not improved.

Also said this is only occurring on one vCenter. My issue may be existing on all my vCenters. I just haven't rebooted them which seems to be the last thing to set this issue in motion.

I'm still working with VMware. Actually referenced this thread in my ticket.

They think there is a possibility of a bug at work.

Hope this extra data point is useful to someone.

Thanks

Jason

0 Kudos