we have followed the KB to add domain into indentity source but the issue persists. My colleague who upgraded vcenter can login.

The wired thing I found is that if add my domain account into the vcenter permission directly, I can login. If add the domain group which my account belongs to, I cannot!

one more thing, I can only login by checking the "use windows session credentials" , however, input domian name\user account does not work. is that a bug...

New users given permission to  vCenter are unable to login.  It says "Cannot complete login due to an incorrect user name and passwor."  I know I'm typing the correct username and password.

the issue was solved.

you must configure the domain group through web client, go to SSO users and groups->_administrators_, add the domain group which you want to be vcenter administrators.

it doesn't work if you just add the domain group into vcenter permission!

seems the SSO has some special mechanisms...

I only see SSO users and groups with the admin@system-domain account.  Should see sso users and groups with my regular domain account?

Thanks for the help

Ok I see it under my domain account because I added domain admins to the administrators group.  I'm still unable to get my test account to log in correctly.  It still says, "Cannot complete login due to an incorrect user name or password."  I know it is right I've reset it multiple times.  I'm unable to have success with newly assigned permissions to accounts.  The accounts that already had access permission are ok.

Thanks.

It's thinks the Domain User account is a system-domain account.  I made change to the account under SSO Users and Groups and it says the specified principle ({Name: frog, Domain: System-Domain}) is invalid.

Hi, Did you ever resolve your issue?

I have the same thing, new AD domain users cannot log in, exsisting AD domain users are ok (until they are removed and readded).

I have the AD domain displaying propley, and can browse it ok, add the users ok, but then they cannot log in.

I have picked through all the logs I can see, and the domain was susessfully found and setup at install.

Thanks,

I had to do uninstall everything and do a reinstall.  During the install make sure to let the installer create the DB accounts for the SSO DB (RSA) and do not use domain credentials. There is a bug with the SSO installer.  The section of the install I'm referring about is when you have to enter the name of the DB (RSA) and users (RSA_User and RSA_DB).

Hope this helps.

Sunshine

Thanks, Im going to give it a try, just rolled back the install, so let hope it works this time.

Yeah I'm rolling back to 5.0 U1 over the weekend.  5.1 is to buggy for me now.  Converter is broke with 5.1 too.  VMware needs to warn users that this is a major upgrade.  I will hold off with 5.1 for a bit and let everybody else endure the pain of 5.1.

What a pain in the kester.  Lesson learned here.

Sunshine

it seems problems here and there after upgrade to 5.1...

though we have it work on test environment now, we will postpone to upgrade it in our production environment.

I fixed it and am now able to log in using the "Use Windows Session credentials."  After digging through log files I figured out the problem was that the SSL certificate used by the SSO service (port 7444) didn't match the hostname of the machine, so I must have changed the hostname of the machine at some point.  I generated my own SSL cert with openssl and installed it with:

# vpxd_servicecfg certificate change /root/newcert/vc.crt /root/newcert/vc.key

(After doing that, I found that you can just regenerate SSL certs automatically from within vcenter: http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=203333... Short version - log in to the server appliance control panel on https://host:5480/ and go to the admin tab and make sure "Certificate regeneration enabled" is set to "yes." 

After the SSL stuff was resolved, everything worked.  Too bad it took 6 hours.