Connor4727
Contributor

vCenter Domain Web Login

Hi All,

I am currently facing the following issue. I have set up a vCenter appliance and have managed to join it to my AD domain and have given a user (me) the administrator permissions. However, when I try to log in to the webui with domain\(username) and the password, it fails. But if I download the "Enhanced Authentication Plugin" on a domain PC logged in as the same domain user and tick "User windows authentication", I can access the webui with that account just fine.

Am I just forgetting to do something?

0 Kudos
10 Replies
Vijay2027
Expert

You will have to look at websso.log and ssoAdminserver.log (/var/log/vmware/sso) to understand the cause.

0 Kudos
Alex_Romeo
Leadership

Hi,

Check the attached document "Platform ServicesController Administration" (pages 29 and 34, "Set the Default Domain for vCenter Single Sign-On")

and page 23 (Log In to vCenter Server by Using the vSphere Client) of the attached document "vCenter Server and HostManagement".

https://www.virtual-odyssey.com/2019/06/30/its-the-little-stuff-enable-active-directory-authenticati...

https://www.virten.net/2017/01/how-to-add-ad-authentication-in-vcenter-6-5/

-----

Remember this too:

VMware vSphere & Microsoft LDAP Channel Binding & Signing

ARomeo

Blog: https://www.aleadmin.it/
0 Kudos
Connor4727
Contributor

I followed the first 2 links, which is how I managed to get it joined to the domain and set the permissions; however, no luck logging in. However, if I log onto my domain PC and go to the web UI and click "Use Windows Authentication" it works, but when I type the same details manually it doesn't work. That's what's confusing me, because I know the domain and authentication are working, as I have managed to log in by automatically filling in the info using Windows authentication, but when I manually enter a username and password it doesn't work.

0 Kudos
Alex_Romeo
Leadership

Can you post some pictures, please?

Blog: https://www.aleadmin.it/
0 Kudos
Connor4727
Contributor

This is what I get when I manually try to log in with (domain)\(username) and password:

[2020-03-08T16:30:12.634Z  tomcat-http--50  12930ac6-96e6-4628-9d70-03a10e3bb5aa INFO  auditlogger] {"user":"WALKERS\\connor.walker","client":"172.16.16.100","timestamp":"03/08/2020 16:30:12 UTC","description":"User WALKERS\\connor.walker@172.16.16.100 failed to log in with response code 401","eventSeverity":"INFO","type":"com.vmware.sso.LoginFailure"}

[2020-03-08T16:30:12.634Z  tomcat-http--50  12930ac6-96e6-4628-9d70-03a10e3bb5aa ERROR com.vmware.identity.samlservice.AuthnRequestState] Caught Saml Service Exception from authenticate com.vmware.identity.samlservice.SamlServiceException

[2020-03-08T16:30:12.635Z  tomcat-http--50  12930ac6-96e6-4628-9d70-03a10e3bb5aa ERROR com.vmware.identity.BaseSsoController] Sending error to browser. ERROR: 401, message

This is what I get when I log in with the domain PC and select "User Windows Authentication":

020-03-08T16:58:29.562Z  tomcat-http--44  834f2c7e-ebb6-4d7b-988b-9e5f9d85d361 INFO  com.vmware.identity.SsoController] Server SPN is HTTP/photon-machine.walkers.internal

[2020-03-08T16:58:29.563Z  tomcat-http--44  834f2c7e-ebb6-4d7b-988b-9e5f9d85d361 INFO  com.vmware.identity.SsoController] Accessing Tenant vsphere.local, brand name string null

[2020-03-08T17:00:01.007Z  tomcat-http--50  12930ac6-96e6-4628-9d70-03a10e3bb5aa INFO  com.vmware.identity.SsoController] Welcome to SP-initiated AuthnRequest handler! The client locale is en_GB, tenant is vsphere.local

[2020-03-08T17:00:01.008Z  tomcat-http--50  12930ac6-96e6-4628-9d70-03a10e3bb5aa INFO  com.vmware.identity.SsoController] Request URL is https://172.16.16.161/websso/SAML2/SSO/vsphere.local

[2020-03-08T17:00:01.104Z  tomcat-http--50  5d86c6d8-1558-4f48-b7fb-c87856853ee2 INFO  com.vmware.identity.samlservice.impl.AuthnRequestStateValidator] Validating SAML AuthnRequest, ID: _13590b797b3db7e058247742c7b213f8

[2020-03-08T17:00:01.116Z  tomcat-http--50  5d86c6d8-1558-4f48-b7fb-c87856853ee2 INFO  com.vmware.identity.samlservice.impl.AuthnRequestStateValidator] Authn request proxyCount= null set isProxying=false

[2020-03-08T17:00:01.132Z  tomcat-http--50  5d86c6d8-1558-4f48-b7fb-c87856853ee2 INFO  com.vmware.identity.samlservice.impl.AuthnRequestStateValidator] Authentication request validation succeeded

[2020-03-08T17:00:01.136Z  tomcat-http--50  5d86c6d8-1558-4f48-b7fb-c87856853ee2 INFO  com.vmware.identity.SsoController] Server SPN is HTTP/photon-machine.walkers.internal

[2020-03-08T17:00:01.137Z  tomcat-http--50  5d86c6d8-1558-4f48-b7fb-c87856853ee2 INFO  com.vmware.identity.SsoController] Accessing Tenant vsphere.local, brand name string null

[2020-03-08T17:00:38.489Z  tomcat-http--18  b301c6f1-bb1f-49e3-bfff-db7d3bb840e2 INFO  com.vmware.identity.SsoController] Welcome to SP-initiated AuthnRequest handler! The client locale is en_GB, tenant is vsphere.local

[2020-03-08T17:00:38.489Z  tomcat-http--18  b301c6f1-bb1f-49e3-bfff-db7d3bb840e2 INFO  com.vmware.identity.SsoController] Request URL is https://172.16.16.161/websso/SAML2/SSO/vsphere.local

[2020-03-08T17:00:38.563Z  tomcat-http--18  0a69d4f0-19f8-4872-a8f0-21d479741068 INFO  com.vmware.identity.samlservice.impl.AuthnRequestStateValidator] Validating SAML AuthnRequest, ID: _13590b797b3db7e058247742c7b213f8

[2020-03-08T17:00:38.574Z  tomcat-http--18  0a69d4f0-19f8-4872-a8f0-21d479741068 INFO  com.vmware.identity.samlservice.impl.AuthnRequestStateValidator] Authn request proxyCount= null set isProxying=false

[2020-03-08T17:00:38.590Z  tomcat-http--18  0a69d4f0-19f8-4872-a8f0-21d479741068 INFO  com.vmware.identity.samlservice.impl.AuthnRequestStateValidator] Authentication request validation succeeded

[2020-03-08T17:00:38.625Z  tomcat-http--18  0a69d4f0-19f8-4872-a8f0-21d479741068 INFO  auditlogger] {"user":"Connor.Walker@WALKERS.INTERNAL","client":"172.16.16.176","timestamp":"03/08/2020 17:00:38 UTC","description":"User Connor.Walker@WALKERS.INTERNAL@172.16.16.176 logged in with response code 200","eventSeverity":"INFO","type":"com.vmware.sso.LoginSuccess"}

[2020-03-08T17:00:38.628Z  tomcat-http--18  0a69d4f0-19f8-4872-a8f0-21d479741068 INFO  com.vmware.identity.samlservice.AuthnRequestState] create token spec for principal {Name: Connor.Walker, Domain: WALKERS.INTERNAL}

[2020-03-08T17:00:38.628Z  tomcat-http--18  0a69d4f0-19f8-4872-a8f0-21d479741068 INFO  com.vmware.identity.samlservice.AuthnRequestState] relying party url https://172.16.16.161/ui/saml/websso/metadata, identityFormat http://schemas.xmlsoap.org/claims/UPN

[2020-03-08T17:00:38.628Z  tomcat-http--18  0a69d4f0-19f8-4872-a8f0-21d479741068 INFO  com.vmware.identity.samlservice.AuthnRequestState] authn method KERBEROS session Session [id=_8c5b1bbdcc12c423f933523af7ba1afa, principalId={Name: Connor.Walker, Domain: WALKERS.INTERNAL}, expireDate=Mon Mar 09 01:00:38 UTC 2020, authnMethod=KERBEROS, logoutRequestData=null, extIDPSessionID=null, participants=[]]

[2020-03-08T17:00:38.628Z  tomcat-http--18  0a69d4f0-19f8-4872-a8f0-21d479741068 INFO  com.vmware.identity.samlservice.AuthnRequestState] inResponseTo _13590b797b3db7e058247742c7b213f8 recipient https://172.16.16.161/ui/saml/websso/sso

[2020-03-08T17:00:38.628Z  tomcat-http--18  0a69d4f0-19f8-4872-a8f0-21d479741068 INFO  com.vmware.identity.samlservice.AuthnRequestState] audience https://172.16.16.161/ui/saml/websso/metadata

0 Kudos
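Added example, not part of any post in this thread: a small parser for the websso.log line layout quoted above that pairs each auditlogger event with the ERROR lines sharing its correlation ID and reports the form in which the user name was recorded. The sample lines are copied from the excerpt above; the function names are this example's own.

```python
import json
import re
from collections import defaultdict

# Layout seen in the excerpt: [timestamp  thread  correlation-id LEVEL  logger] message
LINE_RE = re.compile(
    r"^\[?(?P<ts>\S+)\s+(?P<thread>\S+)\s+(?P<corr>[0-9a-f-]{36})\s+"
    r"(?P<level>[A-Z]+)\s+(?P<logger>[^\]]+)\]\s*(?P<msg>.*)$"
)

# Four lines copied from the websso.log excerpt posted in this thread.
SAMPLE = r'''
[2020-03-08T16:30:12.634Z  tomcat-http--50  12930ac6-96e6-4628-9d70-03a10e3bb5aa INFO  auditlogger] {"user":"WALKERS\\connor.walker","client":"172.16.16.100","timestamp":"03/08/2020 16:30:12 UTC","description":"User WALKERS\\connor.walker@172.16.16.100 failed to log in with response code 401","eventSeverity":"INFO","type":"com.vmware.sso.LoginFailure"}
[2020-03-08T16:30:12.634Z  tomcat-http--50  12930ac6-96e6-4628-9d70-03a10e3bb5aa ERROR com.vmware.identity.samlservice.AuthnRequestState] Caught Saml Service Exception from authenticate com.vmware.identity.samlservice.SamlServiceException
[2020-03-08T16:30:12.635Z  tomcat-http--50  12930ac6-96e6-4628-9d70-03a10e3bb5aa ERROR com.vmware.identity.BaseSsoController] Sending error to browser. ERROR: 401, message
[2020-03-08T17:00:38.625Z  tomcat-http--18  0a69d4f0-19f8-4872-a8f0-21d479741068 INFO  auditlogger] {"user":"Connor.Walker@WALKERS.INTERNAL","client":"172.16.16.176","timestamp":"03/08/2020 17:00:38 UTC","description":"User Connor.Walker@WALKERS.INTERNAL@172.16.16.176 logged in with response code 200","eventSeverity":"INFO","type":"com.vmware.sso.LoginSuccess"}
'''

def name_format(user):
    """Classify how the principal was written in the audit record."""
    if "\\" in user:
        return "DOMAIN\\user"
    return "user@REALM" if "@" in user else "bare"

def audit_events(text):
    """Return audit events, each with the ERROR loggers sharing its correlation ID."""
    errors, audits = defaultdict(list), []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank or unrecognised line
        logger = m["logger"].strip()
        if m["level"] == "ERROR":
            errors[m["corr"]].append(logger)
        elif logger == "auditlogger":
            try:
                audits.append((m["corr"], json.loads(m["msg"])))
            except json.JSONDecodeError:
                continue  # truncated or hand-edited audit payload
    return [
        {"user": ev["user"], "client": ev["client"],
         "outcome": ev["type"].rsplit(".", 1)[-1],
         "name_format": name_format(ev["user"]),
         "errors": errors.get(corr, [])}
        for corr, ev in audits
    ]

if __name__ == "__main__":
    for event in audit_events(SAMPLE):
        print(event)
```

Run against a full websso.log, the same function gives one record per login attempt, so failed and successful attempts for the same account can be compared by name format, client address and the loggers that raised errors.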
Connor4727
Contributor

When I click Use Windows Session Authentication it auto-fills the username and logs me in:

pastedImage_0.png

This is what it says when I input the username and password manually:

pastedImage_1.png

0 Kudos
Alex_Romeo
Leadership

Hi,

You have to write it in this format: walkers@connor.walker

and don't select "User Windows session...."

ARomeo

Blog: https://www.aleadmin.it/
0 Kudos
Connor4727
Contributor

Tried this and it just says "Invalid credentials".

0 Kudos
Alex_Romeo
Leadership

Hi,

Reset your browser cache and try logging in with the domain "administrator" user.

Administrator@connor.walker

Blog: https://www.aleadmin.it/
0 Kudos
Connor4727
Contributor

Same message.

0 Kudos