VMware Cloud Community
2techsavy2
Contributor

vRealize 6.2 unable to login to any tenants, can login to default tenant

Help folks, I have been scratching my head for 4 days now.

Environment

DC - 2012

vCAC appliance 6.2

Identity appliance 6.2

IaaS services on Windows 2012

Also tried SSO with vCenter SSO, no luck.

This is a new environment.

The good: I can login to the default tenant with the admin account and any domain account that I add access to.

The bad: any new tenants I create I am unable to login into.

I get the error:

401 - Unauthorized: Access is denied due to invalid credentials.

You do not have permission to view this directory or page using the credentials that you supplied.

- I have tried rebuilding at least 10 times (about to give up on vCAC and start learning IaC :-/) (ran the 6.2 prereq script every time)

- All servers are NTP synced, no time delay.

- All DNS entries are in place with forward and reverse lookups.

- All 28 services show as registered in the vCAC appliance.

- No errors in catalina.out on the vCAC appliance.

- Although I am logging in to the tenant link https://vcac-iaas/shell-ui-app/labs (labs is my tenant),

catalina.out shows tenant="vsphere.local":

2015-01-22 01:22:13,915 vcac: [component="cafe:shell" priority="INFO" thread="tomcat-http--8" tenant="vsphere.local"] com.vmware.identity.websso.client.MessageStoreImpl.add:221 - New MessageStore entry added:%s , store size: %s

2015-01-22 01:22:30,276 vcac: [component="cafe:shell" priority="INFO" thread="tomcat-http--51" tenant="vsphere.local"] com.vmware.identity.websso.client.endpoint.SsoResponseListener.consumeResponse:77 - You have POST'ed to Websso client library!

2015-01-22 01:22:30,276 vcac: [component="cafe:shell" priority="INFO" thread="tomcat-http--51" tenant="vsphere.local"] com.vmware.identity.websso.client.SsoValidationState.validate:72 - Validating SAMLResponse..

2015-01-22 01:22:30,303 vcac: [component="cafe:shell" priority="INFO" thread="tomcat-http--51" tenant="vsphere.local"] com.vmware.identity.websso.client.ValidationState.validateDestination:64 - Validating request destination: HttpservletRequest destination=https://vcac-app.ten.local/vcac/saml/websso/ssoSAML message destination=https://vcac-app.ten.local/vcac/saml/websso/sso

2015-01-22 01:22:30,303 vcac: [component="cafe:shell" priority="INFO" thread="tomcat-http--51" tenant="vsphere.local"] com.vmware.identity.websso.client.SsoValidationState.validateInResponseTo:158 - Validating optional request ID: _cc2719796497ca852f426b742b4a79fe

2015-01-22 01:22:30,303 vcac: [component="cafe:shell" priority="INFO" thread="tomcat-http--51" tenant="vsphere.local"] com.vmware.identity.websso.client.SsoValidationState.validateAssertion:180 - Validating assertion..

2015-01-22 01:22:30,304 vcac: [component="cafe:shell" priority="INFO" thread="tomcat-http--51" tenant="vsphere.local"] com.vmware.identity.websso.client.SamlUtils.getIDPCertByIssuer:944 - Getting IDP config for:https://vcac-id.ten.local:7444/websso/SAML2/Metadata/vsphere.local

2015-01-22 01:22:30,304 vcac: [component="cafe:shell" priority="INFO" thread="tomcat-http--51" tenant="vsphere.local"] com.vmware.identity.websso.client.SamlUtils.validateRequestSignature:597 - Verifying SAML message signature..

2015-01-22 01:22:30,305 vcac: [component="cafe:shell" priority="INFO" thread="tomcat-http--51" tenant="vsphere.local"] com.vmware.identity.websso.client.SsoValidationState.parseAssertion:247 - Parsing assertion..

2015-01-22 01:22:30,317 vcac: [component="cafe:shell" priority="INFO" thread="tomcat-http--51" tenant="vsphere.local"] com.vmware.identity.websso.client.SsoValidationState.parseAssertion:319 - NameID: Administrator@ten.local

2015-01-22 01:22:30,318 vcac: [component="cafe:shell" priority="INFO" thread="tomcat-http--51" tenant="vsphere.local"] com.vmware.identity.websso.client.SsoValidationState.parseAssertion:320 - NameIDFormat: http://schemas.xmlsoap.org/claims/UPN

2015-01-22 01:22:30,318 vcac: [component="cafe:shell" priority="INFO" thread="tomcat-http--51" tenant="vsphere.local"] com.vmware.identity.websso.client.SsoValidationState.validateAssertion:231 - Successfully validated SSO Assertion

2015-01-22 01:22:30,319 vcac: [component="cafe:shell" priority="INFO" thread="tomcat-http--51" tenant="vsphere.local"] com.vmware.identity.websso.client.SsoValidationState.validate:105 - Successfully validated received SAMLResponse

2015-01-22 01:22:30,319 vcac: [component="cafe:shell" priority="INFO" thread="tomcat-http--51" tenant="vsphere.local"] com.vmware.identity.websso.client.MessageStoreImpl.add:221 - New MessageStore entry added:%s , store size: %s

2015-01-22 01:22:31,477 vcac: [component="cafe:shell" priority="INFO" thread="tomcat-http--51" tenant="vsphere.local"] com.vmware.vim.sso.client.impl.SecurityTokenServiceImpl.acquireTokenByCertificate:467 - Successfully acquired token for user: {Name: Administrator, Domain: ten.local}

2015-01-22 01:22:32,036 vcac: [component="cafe:shell" priority="INFO" thread="tomcat-http--51" tenant="vsphere.local"] com.vmware.vim.sso.client.impl.SecurityTokenServiceImpl.renewToken:531 - Successfully renewed token for user: {Name: Administrator, Domain: ten.local}

I have tried starting the default website using my vCAC service account (in IIS Manager).

- All certs are self-signed.

- Identity stores are configured properly and working for the default tenant.

- All VMs run on SSDs, no IOPS issue.

- All licenses have been configured.

- No errors in IIS logs.

- MSDTC: no errors or issues.

- MSDTC running on both the SQL server and the IaaS server.

- MSDTC authentication set to mutual authentication (also tried no authentication).

When I try to go to https://fqdnofiaas/vcac (shell-ui-app) in a browser (from the localhost or IaaS server) I get:

you have no authority to view this page. the system logs all attempts at inappropriate access.

I suspect the issue to be an IIS misconfig or bug. Any advice?

Thx
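An added check, not part of the thread, for reading a catalina.out excerpt like the one above: it parses the vcac log format, pulls the tenant the SSO flow actually ran under, and compares it with the tenant and host in the URL that was browsed to. The sample log lines are constructed from the post; the cafe host name passed in and the /vcac/org/<tenant> URL form are assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed sample in the vcac catalina.out format quoted in the post.
SAMPLE_LOG = """\
2015-01-22 01:22:30,276 vcac: [component="cafe:shell" priority="INFO" thread="tomcat-http--51" tenant="vsphere.local"] com.vmware.identity.websso.client.SsoValidationState.validate:72 - Validating SAMLResponse..
2015-01-22 01:22:30,317 vcac: [component="cafe:shell" priority="INFO" thread="tomcat-http--51" tenant="vsphere.local"] com.vmware.identity.websso.client.SsoValidationState.parseAssertion:319 - NameID: Administrator@ten.local
2015-01-22 01:22:30,318 vcac: [component="cafe:shell" priority="INFO" thread="tomcat-http--51" tenant="vsphere.local"] com.vmware.identity.websso.client.SsoValidationState.validateAssertion:231 - Successfully validated SSO Assertion
"""

LINE_RE = re.compile(r'^(?P<ts>\S+ \S+) vcac: \[(?P<attrs>[^\]]*)\] (?P<logger>\S+) - (?P<msg>.*)$')
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_line(line):
    """Split one vcac log line into timestamp, bracketed attributes, logger and message."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec.update(dict(ATTR_RE.findall(rec.pop("attrs"))))
    return rec

def tenant_from_url(url):
    """Tenant named in a login URL: the segment after shell-ui-app (as in the post)
    or after org (the assumed /vcac/org/<tenant> form)."""
    parts = [p for p in urlparse(url).path.split("/") if p]
    for marker in ("shell-ui-app", "org"):
        if marker in parts and parts.index(marker) + 1 < len(parts):
            return parts[parts.index(marker) + 1]
    return None

def check_tenant_login(log_text, url, cafe_host):
    """Return findings comparing the requested host/tenant with what the SSO log shows."""
    findings = []
    host = urlparse(url).hostname
    if host != cafe_host:
        findings.append(f"URL host {host!r} is not the cafe appliance {cafe_host!r}")
    wanted = tenant_from_url(url)
    seen, validated = set(), False
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        seen.add(rec.get("tenant"))
        if "Successfully validated SSO Assertion" in rec["msg"]:
            validated = True
    if wanted and wanted not in seen:
        findings.append(f"requested tenant {wanted!r} never appears in the log; SSO ran for {sorted(seen)}")
    if validated and wanted and wanted not in seen:
        findings.append("assertion was validated, but for a different tenant than the one requested")
    return findings
```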

1 Solution
4 Replies
kumarankpl
Hot Shot

In https://vcac-iaas/shell-ui-app/labs, is vcac-iaas the name of the cafe host or the IaaS host? You should use the vCAC cafe host name.

https://<vcac-cafe>/vcac for the default tenant. You won't be allowed to login to IaaS directly.

2techsavy2
Contributor

I have created 2 x tenants:

labs

test

Cannot login to both, logging in from a different workstation browser (tried IE + Chrome + Firefox).

https://vcac-iaas/shell-ui-app/labs

or

https://vcac-iaas/shell-ui-app/test

Basically can't log into any tenant except for default.

2techsavy2
Contributor

Shoot me  <<<<===============

Thank you so much, time for being ignorant. 😕