VMware Cloud Community
link087
Contributor

AD authentication broken on vCenter 6.5.0.14000

AD authentication stopped working. Local authentication with root credentials or administrator@host.domain.local works fine.

When I try to login to web console with correct credentials (credentials checked on another system) - I get "Invalid credentials" error.

In /var/log/vmware/sso/websso.log I see:

[2018-11-16T08:10:50.120Z  tomcat-http--28  6c431785-2cde-4a7e-b363-0a2660562648 ERROR com.vmware.identity.samlservice.AuthnRequestState] Caught Saml Service Exception from authenticate com.vmware.identity.samlservice.SamlServiceException

[2018-11-16T08:10:50.121Z  tomcat-http--28  6c431785-2cde-4a7e-b363-0a2660562648 ERROR com.vmware.identity.BaseSsoController] Sending error to browser. ERROR: [401, Invalid user name or password], message

I tried leaving and rejoining the domain following the instructions in After upgrade to 6.5 update 1 broken AD authentication, but the problem persists.

AD authentication is chosen as default authentication provider.

Why is AD authentication not working? How can I repair it?


Accepted Solutions
link087
Contributor

So, the problem was trivial.

I noticed "Clock skew too great" in /var/log/messages. I checked the time with the "date" command and found that it was incorrect.

After that I discovered that the vCenter VM syncs its time from the host it runs on. I disabled time sync in Edit Settings > VM Options > VMware Tools > Time > Synchronize guest time with host.

After that I set the correct time with the date -s "HH:MM:SS" command.

Now the server accepts AD credentials.

Keep in mind that the clock may be set to UTC (Greenwich Mean Time), not your local time zone.

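The diagnosis above is worth turning into a repeatable check, because the failure mode is generic: Kerberos (which AD authentication in vCenter SSO relies on) rejects requests when the client clock and the domain controller's clock differ by more than the KDC's tolerance, 300 seconds by default, while local SSO accounts keep working because they never touch Kerberos. The script below is an added example and not part of the original post or of any VMware tooling. The log lines and the epoch timestamps it checks are constructed for the example; on a real appliance the reference time would come from a domain controller or an NTP server, and the command names in the trailing comments are assumptions to verify before use. Note also that `date -s` is a one-off correction; for a durable fix the appliance should be kept in sync with NTP (the VCSA management interface offers this under its time settings) rather than with the ESXi host clock.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce the "Clock skew too
# great" diagnosis as a repeatable check. Kerberos rejects authentication when
# client and KDC clocks differ by more than the KDC's tolerance, 300 s by
# default, which is why AD logins fail while local SSO accounts still work.

# Kerberos default maximum tolerable clock skew, in seconds.
MAX_SKEW=300

# Constructed sample of /var/log/messages lines (not real appliance output).
SAMPLE_LOG='Nov 16 08:10:49 srv-vc02 sshd[890]: Accepted publickey for root
Nov 16 08:10:50 srv-vc02 vmware-stsd[4567]: Clock skew too great
Nov 16 08:10:51 srv-vc02 vmdird[1234]: info: unrelated message'

# Read a log on stdin; succeed (exit 0) if any line reports Kerberos clock skew.
log_has_clock_skew() {
    grep -q 'Clock skew too great'
}

# Absolute difference in seconds between two Unix epoch timestamps.
skew_seconds() {
    if [ "$1" -ge "$2" ]; then
        echo $(( $1 - $2 ))
    else
        echo $(( $2 - $1 ))
    fi
}

# Succeed if the skew between two epoch timestamps exceeds MAX_SKEW.
skew_exceeds_limit() {
    [ "$(skew_seconds "$1" "$2")" -gt "$MAX_SKEW" ]
}

# Verdict for a local clock vs. a reference clock (e.g. the domain
# controller's), both as epoch seconds. Prints the verdict and returns
# 0 when within tolerance, 1 when AD/Kerberos auth is expected to fail.
check_skew() {
    local_epoch=$1
    ref_epoch=$2
    skew=$(skew_seconds "$local_epoch" "$ref_epoch")
    if skew_exceeds_limit "$local_epoch" "$ref_epoch"; then
        echo "FAIL: clock skew ${skew}s exceeds Kerberos limit of ${MAX_SKEW}s"
        return 1
    fi
    echo "OK: clock skew ${skew}s is within ${MAX_SKEW}s"
    return 0
}

# --- Demonstration on the constructed data -----------------------------------
printf '%s\n' "$SAMPLE_LOG" | log_has_clock_skew && echo "log: clock skew errors present"

# Appliance clock 20 minutes behind the reference clock: authentication fails.
check_skew 1542355850 1542357050 || true
# Appliance clock 30 seconds off: still within tolerance.
check_skew 1542355850 1542355880

# On the real appliance (assumed command names, verify before use):
#   date -u +%s                          local clock as epoch seconds (UTC)
#   vmware-toolbox-cmd timesync status   whether guest/host time sync is on
#   timedatectl                          time zone, to avoid the UTC/local mix-up
```

Run it as-is to see both verdicts on the constructed data; in production, feed `check_skew` the appliance's `date -u +%s` and the epoch obtained from a domain controller, and pipe the real `/var/log/messages` into `log_has_clock_skew`.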

MikeStoica
Expert

Is the VCSA FQDN resolving successfully? What is your Domain Functional Level?

vCenter 6.5 doesn't support Windows Server 2016 VMware Knowledge Base

link087
Contributor

Domain and forest functional levels are both 2008 R2

Actually, authentication worked fine until last Friday. Then, without any reason, it stopped working.

The VCSA FQDN is resolving successfully via DNS. But we have an alias. Both srv-vc02 and srv-vc04 resolve to the same IP, but srv-vc02 is an A record and srv-vc04 is an alias.

Maybe there is another log I can check?
