Enthusiast
Enthusiast

Windows Session Authentication with vCAC 6.0.x Fails with "Windows Session Authentication login has failed as a result of an erorr caused by the VMware Client Integration"

I've attempted to use the "use Windows session authentication" checkbox to log in a user to vCAC using Native Active Directory, but whenever I submit the login, I instantly receive the error "Windows Session Authentication login has failed as a result of an erorr caused by the VMware Client Integration" (and yes the error message actually uses "erorr"). I've checked the logs on the SSO server and from what I can tell, an authentication requests is never received...so it almost seems that the failure is at the client. The client is using IE9 with the vSphere Client Integration Plugin 5.5.0. Has anyone used this feature successfully? Am I missing something?

0 Kudos
23 Replies
Commander
Commander

You're not missing anything. That won't work at the moment. I have a vague idea that it's related to the fact that vCAC uses WebSSO rather than the Lookup Service but don't actually know that for sure.

Grant

Grant http://grantorchard.com
0 Kudos
Contributor
Contributor

I am seeing the same issue.  Do you know of a solution for this issue?

0 Kudos
Commander
Commander

I'm hoping it's sorted for 6.1 Will do some digging.

Grant

Grant http://grantorchard.com
0 Kudos
Contributor
Contributor

6.0.1.1 was releases yesterday and this is in the release notes:

  • Windows session authentication login fails and an error message is displayed because of VMware Client Integration Plug-in
    If you attempt to use the Windows session authentication feature, it fails and an error message Windows Session Authentication login as failed as a result of an error caused by the VMware Client Integration Plugin is displayed. This issue occurred in Google Chrome 31.0.1650.63, Internet Explorer 9, and Firefox 25.0.1.This issue has been fixed in this release for Google Chrome and Firefox browsers.
Virtuoso
Virtuoso

I'm not sure about anybody else, but with Firefox 29.0... I'm still getting that error. Going to open an SR on Monday and try and figure out what the heck. Wondering if the version of the client integration package matters....

-Steve
0 Kudos
Enthusiast
Enthusiast

We have had an open SR with VMware on this exact issue for 2 months now and there is no resolution as of yet. We have done extensive troubleshooting, including having a team of vCAC/SSO developers debugging the vCAC javascript with me live. I've found this to be very frustrating and am disappointed that such a seemingly minor issue can not be easily resolved. If anyone else has any additional insight into this issue it would be appreciated.

Thanks,

Tim

0 Kudos
Enthusiast
Enthusiast

I feel your pain , I am having the same issue and going the route of upgrading VCENTER to the latest build , but I am seeing your issue and it makes me wonder if it will work when it is upgraded

0 Kudos
Enthusiast
Enthusiast

The Windows Session Authentication issues have all been resolved with the latest vCAC Identity appliance (2.0.1.3) release as well as the latest vCenter 5.5 Update 1c SSO release. You will need to make sure after you upgrade you SSO servers that you install the latest client integration plug-in to support the session authentication. I have tested it successfully with the vCAC Identity appliance 2.0.1.3. I have yet to test the Windows vCenter SSO 5.5 U1c, but based on the release notes (vCenter Server 5.5 Update 1c Release Notes), everything should be resolved.

Message was edited by: Steven Bright Updated the post with the correct appliance version.

Enthusiast
Enthusiast

Ok thanks , this is a big deal around here !!

so what is the BEST  how to docs for upgrading Vcenter 5.5.039885 to this "vCenter 5.5 Update 1c SSO release" can this be done first with out doing the "vCAC SSO appliance (6.0.1.2)" first? I am sure I can google it , but I wanted to know what documetn YOU would use Steven, and the order you would do them in


thanks for all your help !!!!!!!!!!!!!!!!!!!!!!!Smiley Happy

0 Kudos
Enthusiast
Enthusiast

We have been running 2.0.1.2 on our vCAC Identity appliance for a while and this has NOT resolved this issue. I even just updated to 2.0.1.3 and still has not resolved it. Our vCAC app appliance is 6.0.1.1 and there are no updates available for that.

0 Kudos
Enthusiast
Enthusiast

Timjh,

Based on your response I checked my versions and it appears that I mispoke in my previous post. I am running VMware vCAC Identity Appliance 2.0.1.3 Build 1942139 with the following:

VMware Client Integration Plug-in 5.5.0 version 5.5.0.1879803

VMware vCAC Appliance 6.0.1.1 Build 1768531 (as listed on the System tab in the appliance configuration...I believe in vCAC GUI it lists Build 6.0-1720522)

My apologies. I hope this helps!

0 Kudos
Enthusiast
Enthusiast

thanks so much for this I am going to try to replicate your exact config to get this working

0 Kudos
Enthusiast
Enthusiast

VERSIONS :what I have ------> and what I am going to

vCenter 5.5.0 U1c build 1945274---------> no change

VCAC ID appliance 2.0.1.2 Build 1748175 ---------------> 2.0.1.3 build 1942139


Client integration plugin 5.5.0 1280541 -------------------> 5.5.0 1879803


VCAC appliance  6.0.1.1 build 1768531  -----------------> no change



comments are welcome and encouraged !

0 Kudos
Enthusiast
Enthusiast

Sorry for the thread necro but did you manage to resolve the issue?

0 Kudos
Enthusiast
Enthusiast

I know you weren't asking me but since I have the same issue I'll tell you that no, the case is still open with VMware and we are no closer to getting it resolved. The SR has been opened for about 3 months and this is a major FAIL on VMware's part IMO, that they can't figure this out and get it working for us after all this time.

0 Kudos
Virtuoso
Virtuoso

I went through my own fair share of dealing with this, and what ended up being the answer was this: http://kb.vmware.com/kb/2090617

Basically, the FQDN I was using for my Identity Appliance didn't match the name in AD, so adding the correct SPN value fixed it right up.

-Steve
0 Kudos
Enthusiast
Enthusiast

Ah, that's interesting.

In our case we aren't using the identity appliance, instead we use the vCenter SSO service in order to get fully transparent credentials.But in retrospect that makes no sense, as there's no credentials passthrough between vCAC and VCO/vCenter (afaik).

0 Kudos
Enthusiast
Enthusiast

Since my last post I've successfully been able to athenticate into vCAC using Current Windows session authentication with the following configurations/versions:


VMware vCAC Identity Appliance 2.0.1.3 Build 1942139

VMware Client Integration Plug-in 5.5.0 version 5.5.0.1879803

VMware vCAC Appliance 6.0.1.1 Build 1768531

Internet Explorer 9 on Windows 7 Enterprise SP1 (I didn't have access to Firefox at the time to test)

VMware vSphere SSO  5.5 Update 1c

VMware Client Integration Plug-in 5.5.0 version 5.5.0.1879803

VMware vCAC Appliance 6.0.1.1 Build 1768531

Internet Explorer 9 on Windows 7 Enterprise SP1 (I didn't have access to Firefox at the time to test)

VMware vCAC Identity Appliance 2.0.1.3 Build 1942139

VMware Client Integration Plug-in 5.5.0 version 5.5.0.1896808

VMware vCAC Appliance 6.0.1.1 Build 1768531

Internet Explorer 9 and Firefox 32 on Windows 7 Enterprise SP1

VMware vSphere SSO  5.5 Update 1c

VMware Client Integration Plug-in 5.5.0 version 5.5.0.1896808

VMware vCAC Appliance 6.0.1.1 Build 1768531

Internet Explorer 9 and Firefox 32 on Windows 7 Enterprise SP1

In the next 1-2 months I'll be testing the above with vSphere SSO 5.5 U2b as well as vCAC 6.1.

0 Kudos
Virtuoso
Virtuoso

I'm not sure what you mean by "fully transparent credentials", but... ok! I opted against using vSphere SSO specifically because the whole thing isn't necessarily transparent and there always seems to be little gotchas when components get upgraded. In my opinion, it's bad juju, and I didn't see any net gain by using vSphere SSO.

-Steve
0 Kudos