I was successfully able to install my vCenter Server 5.5. For identity sources I have vsphere.local as default but I have also set-up AD (Integrated Windows Authentication) under configuration. I want to be able to log on using an AD account.
I am able to set vCenter Server permissions using the AD account (users / groups populate just fine from AD domain) and set it with role of Administrator. However I can't log on using the AD account to vCenter server. I keep getting that the username / password is incorrect though I know it isn't. Am I missing something? I have tried in context of
user itself but no go.
Any advise is greatly appreciated.
I fix issue with inventrory service. I use service from which I run all vsphere services e.g. SSO, Inventroy service and vCenter.
After change inventory service to "local system" account every thing starts to work fine.
Same here Gregorcy, that error comes up via web client. I have not tried the other guy's fix yet. I still would like to try Srinu's fix (replacing the dll which he will provide us with). Lets hang tight.
I am also seeing this problem. I would be happy to test the .dll file.
Will also look into other solutions, but I'm not making AD modifications at this time.
Found the Log File mentioned earlier. I have the AD Source as the Default yet I'm seeing it try to authenticate via vsphere.local
2013-09-25 13:18:33,774 ERROR [IdentityManager] Failed to find nested parent groups of principal [firstname.lastname@example.org] in tenant [vsphere.local]
2013-09-25 13:18:33,774 ERROR [ServerUtils] Exception 'java.lang.IllegalStateException: Invalid group name format for [\Authentication authority asserted identity]'
So, further testing of this. If I restart the VMware Identity Management Service and only use Windows Session Credentials. I can log in to vCenter from any domain machine.
if I attempt to log in from any non domain added system, say our OSX hosts using the awesome 5.5 built in OSX Web Client. It immediately states it cannot parse group information. Then I cannot log into vCenter from any of the places that worked before until the process is restarted.
When I am successfully logging in use Windows Session Credentials - the log shows:
2013-09-25 13:34:32,868 INFO [IdentityManager] Authentication succeeded for user [email@example.com] in tenant [vsphere.local] in  milliseconds
2013-09-25 13:35:31,087 INFO [IdentityManager] Authentication succeeded for user [firstname.lastname@example.org] in tenant [vsphere.local] in  milliseconds
2013-09-25 13:36:31,143 INFO [IdentityManager] Authentication succeeded for user [email@example.com] in tenant [vsphere.local] in  milliseconds
2013-09-25 13:37:31,284 INFO [IdentityManager] Authentication succeeded for user [firstname.lastname@example.org] in tenant [vsphere.local] in  milliseconds
2013-09-25 13:38:31,212 INFO [IdentityManager] Authentication succeeded for user [email@example.com] in tenant [vsphere.local] in  milliseconds
When I go to the OSX Machine and try to login:
2013-09-25 13:39:11,791 ERROR [ValidateUtil] resolved group name=[\Authentication authority asserted identity] is invalid: not a valid netbios name format
2013-09-25 13:39:11,791 INFO [ActiveDirectoryProvider] resolved group name=[\Authentication authority asserted identity] is invalid: not a valid netbios name format
Hope this helps.
JulcE_ALTSEC -> restarting the VMWare Identity Management Service also "fixes" the AD authentication for me as well. It seems that if I reboot the vCenter server (Windows Server 2012 Standard), I get the AD errors again until I manually restart that service. Very interesting. Hopefully whatever DLL we're waiting on resolves that - not that I restart my vCenter server often. Sorry I can't help with the OSX bit, just wanted to thank you for that help and confirm that it has "fixed" things for me.
As a side note: I also tried installing to 2012 R2 server, but the vCenter Server install gets hung up on "Installing Directory Service".
To clarify this issue exists the SSO/vcenter systems which are deployed on win2k12 machine and are joined to a win2k12 domain, and an identity source is setup to use Active Directory with windows authentication and you are using a domain user from the win2k12 domain to login. We are preparing a patch dll which contains the fix and will put up a kb article with the patch dll attached. We will put a kb article which will contain the patch dll with the instructions on how to apply this patch within 12-24 hours. Sorry for the delayed response and thanks for being patient.
Here is the link to the kb article id: 2060901 which contains the patch dll, and the instructions to patch the Single Sign-On server, You should be able to search/lookup for the article at kb.eng.vmware.com
Glad to know this issue is finally solved.
Cheers guys. And good job Srinu
The patch worked great, and I'm able to authenticate, but now I'm getting the same "client is not authenticated to vmware inventory service" referenced above. My Inventory Service is running as Local System, but I tried using the vCenter service account as well with no effect. Any ideas as to what I should try next?
for "client is not authenticated to vmware inventory service" try this KB VMware KB: Re-pointing and re-registering VMware vCenter Server 5.x and components