16 Replies Latest reply on Nov 8, 2016 4:12 PM by VincentArriola

    vCenter web Client 5.5 fails to log in using Active Directory

    HobertB Lurker

      I installed vCenter Web Client on one host and Active Directory(Windows 2008 R2) on another host. I was able to add the identity source successfully without any errors. However, when I log in I get the following exception on the web client:

      "The authentication server returned an unexpected error: ns0:RequestFailed: Referral. The error may be caused by a malfunctioning identity source."

      The vmware-sts-idmd logs show the following:

      2014-01-30 10:08:07,071 INFO   [IdentityManager] Authentication failed for user [administrator@xxx.nn.nn.nn] in tenant [vsphere.local] in [1] milliseconds
      2014-01-30 10:08:14,996 INFO   [IdentityManager] Authentication succeeded for user [administrator@xxxxxxx] in tenant [vsphere.local] in [18] milliseconds
      2014-01-30 10:08:15,161 WARN   [LdapErrorChecker] Error received by LDAP client: com.vmware.identity.interop.ldap.WinLdapClientLibrary, error code: 10
      2014-01-30 10:08:15,162 ERROR  [IdentityManager] Failed to get attributes for principal [administrator@xxxxxxx] in tenant [vsphere.local]
      2014-01-30 10:08:15,162 ERROR  [ServerUtils] Exception 'com.vmware.identity.interop.ldap.ReferralLdapException: Referral
      LDAP error [code: 10]'
      com.vmware.identity.interop.ldap.ReferralLdapException: Referral
      LDAP error [code: 10]
          at com.vmware.identity.interop.ldap.LdapErrorChecker$11.RaiseLdapError(LdapErrorChecker.java:172)
          at com.vmware.identity.interop.ldap.LdapErrorChecker.CheckError(LdapErrorChecker.java:826)
          at com.vmware.identity.interop.ldap.WinLdapClientLibrary.CheckError(WinLdapClientLibrary.java:758)
          at com.vmware.identity.interop.ldap.WinLdapClientLibrary.ldap_search_s(WinLdapClientLibrary.java:433)
          at com.vmware.identity.interop.ldap.LdapConnection$3.call(LdapConnection.java:334)
          at com.vmware.identity.interop.ldap.LdapConnection$3.call(LdapConnection.java:331)
          at com.vmware.identity.interop.ldap.LdapConnection.execute(LdapConnection.java:65)
          at com.vmware.identity.interop.ldap.LdapConnection.search(LdapConnection.java:330)
          at com.vmware.identity.interop.ldap.LdapConnection.search(LdapConnection.java:299)
          at com.vmware.identity.idm.server.provider.ldap.LdapWithAdMappingsProvider.getPrimaryGroupDN(LdapWithAdMappingsProvider.java:395)
          at com.vmware.identity.idm.server.provider.ldap.LdapWithAdMappingsProvider.getAttributes(LdapWithAdMappingsProvider.java:270)
          at com.vmware.identity.idm.server.IdentityManager.getAttributeValues(IdentityManager.java:2631)
          at sun.reflect.GeneratedMethodAccessor31.invoke(Unknown Source)
          at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
          at java.lang.reflect.Method.invoke(Unknown Source)
          at sun.rmi.server.UnicastServerRef.dispatch(Unknown Source)
          at sun.rmi.transport.Transport$1.run(Unknown Source)
          at sun.rmi.transport.Transport$1.run(Unknown Source)
          at java.security.AccessController.doPrivileged(Native Method)
          at sun.rmi.transport.Transport.serviceCall(Unknown Source)
          at sun.rmi.transport.tcp.TCPTransport.handleMessages(Unknown Source)
          at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run0(Unknown Source)
          at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(Unknown Source)
          at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
          at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
          at java.lang.Thread.run(Unknown Source)


      Has anyone experienced this type of issue?

        • 1. Re: vCenter web Client 5.5 fails to log in using Active Directory
          HobertB Lurker

          bump...any help or direction is greatly appreciated

          • 2. Re: vCenter web Client 5.5 fails to log in using Active Directory
            Arun Pandey Master

            Hi,

            I am not sure about what the snip indicates but I can suggest the following:

            Set the AD identity source as the default domain for SSO. Refer to the section "Set the Default Domain for vCenter Single Sign-On" in the vSphere 5.5 Documentation Center.

            Did you assign admin permissions to the AD user account that you are trying to log in with? Refer to the section "Assign Permissions in the vSphere Web Client" in the vSphere 5.5 Documentation Center.


            -Arun

            http://highoncloud.blogspot.in/

            About VMware Virtualization on NetApp

            • 3. Re: vCenter web Client 5.5 fails to log in using Active Directory
              terahertz Lurker

              I am also having this problem. Setting the Default Domain doesn't help. Admin permissions are set.

              • 4. Re: vCenter web Client 5.5 fails to log in using Active Directory
                Hot Shot

                How did you add the Active Directory to the SSO as an identity source? Using the Integrated method or over LDAP? Are there any additional identity sources added over LDAP?

                How exactly did you give permissions to the user you are trying to log in with? To the user directly, to a group of the domain, or to a local group of which the domain user is a member?

                ns0:RequestFailed: Referral and LDAP error 10 usually suggest some form of nesting which is unsupported in certain conditions. Also make sure you are running the latest version of Single Sign-On, as there have been bug fixes to rule out as many of the nesting issues as possible for now.

                • 5. Re: vCenter web Client 5.5 fails to log in using Active Directory
                  terahertz Lurker

                  Neither method works. I am currently using LDAP. There are no other LDAP identity sources.

                  I gave permission to the user directly.

                  I am trying this with 5.5.0b, which is the latest version. In 5.1, everything works just fine. In 5.5 it gives the Referral error. I did a clean install of 5.5.0b and it doesn't work either.

                  • 6. Re: vCenter web Client 5.5 fails to log in using Active Directory
                    Hot Shot

                    Do you already have a case open with tech support?

                    • 7. Re: vCenter web Client 5.5 fails to log in using Active Directory
                      Madmax01 Hot Shot

                      Hello,

                      I didn't do a "manual" install of 5.5 > only an upgrade. And there I faced some errors. The AD identity source was added without problems.

                      - The problem is that SSO only likes to have AD groups + AD users granted directly to the vCenter. So if you have a local group where the AD users are > and you try using the local group > then the AD users are not working.

                      - Also I faced problems without NetBIOS. I had to activate NetBIOS through the upgrade. So they changed something between short name and FQDN in the 5.5 installation process....

                      PS: you could try removing the local identity source if you don't need it > maybe that solves the problem.

                      Best regards

                      Max

                      • 8. Re: vCenter web Client 5.5 fails to log in using Active Directory
                        stannum Novice

                        After installing vSphere 5.5 I've got the same issue with authenticating from AD identity sources:

                        The authentication server returned an unexpected error: ns0:RequestFailed: Referral. The error may be caused by a malfunctioning identity source.

                        And I found strange behavior - this happens only with Active Directories that are hosted on Windoze 2008 R2 controllers.

                        On identity sources of Windoze 2003 R2 AD all works fine in vCenter 4.1, 5.1 and 5.5.

                        So I have a big infrastructure with 3 different versions of vCenter servers and 3 different Active Directories (2 on Win2008R2 and 1 on Win2003R2).

                        Now I've tested all of these with each other:

                        Summary:

                        Active Directory     vCenter 4.1         vCenter 5.1           vCenter 5.5
                                             (on Windoze 2k3)    (on Windoze 2k8R2)    (on Windoze 2k8R2)
                        Windoze 2008 R2      OK                  OK                    FAIL
                        Windoze 2003 R2      OK                  OK                    OK

                        All of the vCenters are fresh installed versions (meaning not upgraded from any previous versions).

                        • 9. Re: vCenter web Client 5.5 fails to log in using Active Directory
                          stannum Novice

                          I found the main cause of that error:

                          It happens if the authenticating user is a member of a group from another domain of the same AD forest, no matter whether there is mutual trust between those domains.

                          For example,

                          domain.local is the parent domain of child.domain.local, domain.local trusts child.domain.local, and child.domain.local trusts domain.local

                          CN=vmware-user,OU=Users,DC=domain,DC=local - user in domain.local
                          CN=childGroup,OU=Groups,DC=child,DC=domain,DC=local - group in child.domain.local

                          1. Now configure SSO to authenticate users from domain.local by adding domain.local as an identity source in SSO Administration and add vmware-user@domain.local as a vCenter user.
                          Now we can log in to the vCenter Web Client and Windows Client with vmware-user@domain.local and all works fine!

                          2. Because of the trust, we can make vmware-user a member of the trusted domain group childGroup.
                          If we do so and vmware-user is a member of childGroup of the child.domain.local domain and we try to re-login to vCenter as vmware-user@domain.local, we will get an error:

                          The authentication server returned an unexpected error: ns0:RequestFailed: Referral. The error may be caused by a malfunctioning identity source.

                          This is a BUG and VMware must fix that, I hope

                          • 10. Re: vCenter web Client 5.5 fails to log in using Active Directory
                            stannum Novice

                            Further investigations with VMware support technicians brought us to the solution:

                            In vSphere 5.5 there are 4 types of identity sources:
                            1. Active Directory (Windows Integrated Authentication)
                            2. Active Directory as LDAP Server
                            3. Open LDAP
                            4. LocalOS

                            In 5.1 there was only one option for an Active Directory identity source, simply called "Active Directory".

                            So the problem was solved by adding the SSO server to the PARENT Active Directory domain - and everything started working like in vSphere 5.1.

                            • 11. Re: vCenter web Client 5.5 fails to log in using Active Directory
                              King_Robert Hot Shot

                              To resolve this issue, remove the existing Active Directory Identity Source, and recreate it with a Domain Alias.

                              To remove the existing Active Directory Identity Source, and recreate it with a Domain Alias:

                              1. Log into the vSphere Web Client using the Admin@System-Domain (for 5.1) or administrator@vsphere.local credentials (for 5.5).
                              2. Click Administration.
                              3. Under Sign-On and Discovery, click Configuration.
                              4. Click the Active Directory identity source.
                              5. Under Actions, click Edit Identity Source.
                              6. Make note of the information in the identity source.
                              7. Click Cancel.
                              8. Under Actions, click Delete Identity Source.
                              9. Recreate the identity source using the short NETBIOS name in the Domain Alias field.
                              10. Click Test Connection.
                              11. Click OK.
                              • 12. Re: vCenter web Client 5.5 fails to log in using Active Directory
                                f1refoxy Lurker

                                Hello,

                                we got a similar problem after upgrading from 5.1 to 5.5.

                                we've tried all the things mentioned above - nothing worked for us.
                                Our issue was that SSO seemed to be working (browsing SSO identity sources was possible) but login with a user from an AD-LDAP source wasn't possible.

                                Solution for us:

                                we "forgot" (or after 5.1 they have been deleted?, don't know) to set the ports of the LDAP servers; after we added the port, it worked fine!

                                -> active directory as ldap server,
                                --> ldap://servername:3268

                                br

                                Gerald

                                • 13. Re: vCenter web Client 5.5 fails to log in using Active Directory
                                  adamjg Enthusiast

                                  Solution for us:

                                  we "forgot" (or after 5.1 they have been deleted?, don't know) to set the ports of the LDAP servers; after we added the port, it worked fine!

                                  -> active directory as ldap server,
                                  --> ldap://servername:3268

                                  I don't know how or why this works, but it works for us as well. Our NetBackup service account couldn't connect, and couldn't even log in to the web page. Every single other account worked just fine. After I changed the identity sources to include the port number, now the backup account can log in. I have no idea why. At this point I don't care as long as it works. Thanks for the info!

                                  Adam

                                  • 14. Re: vCenter web Client 5.5 fails to log in using Active Directory
                                    jimharle Lurker

                                    I had been fighting SSO for hours, until I found this post about using port 3268. Now magically everything works.
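The symptom in the first post (bind succeeds, then the attribute lookup dies with LDAP error 10) and the port-3268 fix from posts 12 to 14 are tied together by one fact: port 389/636 on a domain controller answers for a single domain partition and refers the client elsewhere for objects in other domains of the forest, while 3268/3269 is the Global Catalog, a forest-wide partial replica that answers cross-domain queries directly. The following is an added Python example, not code from the thread or from VMware: the first function triages vmware-sts-idmd lines for the "authenticated but attribute lookup failed with code 10" pattern, the second classifies an "Active Directory as LDAP Server" URL by the port it will query. The log excerpt, host names and principals are constructed for the example.

```python
"""Added example (not VMware's code): triage the SSO referral symptom.

The log excerpt, host names and principals below are constructed to
resemble the vmware-sts-idmd lines quoted in the thread.
"""
import re
from urllib.parse import urlsplit

# LDAP result code 10 is "referral": the server points the client at
# another naming context instead of answering the search itself.
LDAP_REFERRAL = 10

# 389/636 serve one domain partition; 3268/3269 serve the Global Catalog.
DOMAIN_PORTS = {"ldap": 389, "ldaps": 636}
GLOBAL_CATALOG_PORTS = {3268, 3269}

# Constructed log excerpt modelled on the first post (not real data).
SAMPLE_LOG = """\
2014-01-30 10:08:14,996 INFO   [IdentityManager] Authentication succeeded for user [svc-backup@example.test] in tenant [vsphere.local] in [18] milliseconds
2014-01-30 10:08:15,161 WARN   [LdapErrorChecker] Error received by LDAP client: com.vmware.identity.interop.ldap.WinLdapClientLibrary, error code: 10
2014-01-30 10:08:15,162 ERROR  [IdentityManager] Failed to get attributes for principal [svc-backup@example.test] in tenant [vsphere.local]
2014-01-30 10:08:15,162 ERROR  [ServerUtils] Exception 'com.vmware.identity.interop.ldap.ReferralLdapException: Referral
LDAP error [code: 10]'
2014-01-30 10:09:02,010 INFO   [IdentityManager] Authentication succeeded for user [alice@example.test] in tenant [vsphere.local] in [12] milliseconds
2014-01-30 10:09:30,500 INFO   [IdentityManager] Authentication failed for user [bob@example.test] in tenant [vsphere.local] in [1] milliseconds
"""

LINE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}\s+(?P<level>[A-Z]+)\s+"
                     r"\[(?P<src>[^\]]+)\]\s+(?P<msg>.*)$")
AUTH_OK_RE = re.compile(r"Authentication succeeded for user \[([^\]]+)\]")
AUTH_FAIL_RE = re.compile(r"Authentication failed for user \[([^\]]+)\]")
ATTR_FAIL_RE = re.compile(r"Failed to get attributes for principal \[([^\]]+)\]")
LDAP_CODE_RE = re.compile(r"error code: (\d+)")


def triage_idm_log(text):
    """Classify each principal's login outcome from vmware-sts-idmd lines.

    The tell-tale pattern for this thread is auth "ok" followed by
    attr_lookup "failed" with code 10: the bind worked, but the group or
    attribute search was answered with a referral.
    """
    results = {}
    pending_codes = []  # LDAP codes logged since the last per-principal line
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # stack-trace continuation lines, blank lines
        msg = m.group("msg")
        code = LDAP_CODE_RE.search(msg)
        if code:
            pending_codes.append(int(code.group(1)))
            continue
        ok, fail, attr = (r.search(msg) for r in (AUTH_OK_RE, AUTH_FAIL_RE, ATTR_FAIL_RE))
        if ok:
            results[ok.group(1)] = {"auth": "ok", "attr_lookup": "ok",
                                    "ldap_codes": [], "diagnosis": "login ok"}
            pending_codes = []
        elif fail:
            results[fail.group(1)] = {"auth": "failed", "attr_lookup": "n/a", "ldap_codes": [],
                                      "diagnosis": "bind rejected (credentials or unknown user)"}
            pending_codes = []
        elif attr:
            entry = results.setdefault(attr.group(1), {"auth": "unknown", "attr_lookup": "ok",
                                                       "ldap_codes": [], "diagnosis": ""})
            entry["attr_lookup"] = "failed"
            entry["ldap_codes"] = list(pending_codes)
            pending_codes = []
            if LDAP_REFERRAL in entry["ldap_codes"]:
                entry["diagnosis"] = ("referral during attribute lookup: identity source queries a "
                                      "single-domain port and the user's group membership likely "
                                      "spans another domain of the forest")
            else:
                entry["diagnosis"] = "attribute lookup failed, see ldap_codes"
    return results


def check_identity_source_url(url):
    """Classify an 'Active Directory as LDAP Server' URL by the port it will hit."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DOMAIN_PORTS:
        raise ValueError("expected ldap:// or ldaps://, got %r" % url)
    if not parts.hostname:
        raise ValueError("missing host in %r" % url)
    explicit = parts.port is not None
    port = parts.port if explicit else DOMAIN_PORTS[scheme]  # default = domain port
    gc = port in GLOBAL_CATALOG_PORTS
    return {"host": parts.hostname, "port": port, "explicit_port": explicit,
            "tls": scheme == "ldaps", "global_catalog": gc,
            "note": ("Global Catalog: cross-domain group lookups answered without referrals" if gc
                     else "single-domain port: users with groups in another forest domain "
                          "will hit LDAP referral (code 10)")}


if __name__ == "__main__":
    for who, verdict in triage_idm_log(SAMPLE_LOG).items():
        print(who, "->", verdict["diagnosis"])
    for u in ("ldap://dc01.example.test", "ldap://dc01.example.test:3268"):
        print(u, "->", check_identity_source_url(u)["note"])
```

Two caveats worth keeping in mind when applying the port change: the Global Catalog carries only the partial attribute set, so an identity source that needs attributes outside it still has to reach a domain port, and stannum's resolution in post 10 (joining the SSO server to the parent domain and using Windows Integrated Authentication) is the alternative when the LDAP source cannot be pointed at a GC.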
