Hello,
after upgrade from vCenter 6.5u2 to 6.5u3, the integrated windows authentication stopped working, saying "invalid credentials" on the login screen, for both flash and html5 clients. Traditional login with username and password works fine. The enhanced plugin service is running (login screen recognizes it and the link to download the plugin is hidden, which seems ok). Cleared browser cache, reboot of server and reinstallation of enhanced plugin didn't help.
Running on Windows 2012 R2 Server (standalone, no AD), current Firefox ESR (60.9.0esr 64-bit). The same problem on both my vCenter installations. The only difference is vCenter upgrade.
Is it a known issue with any workaround?
Thanks,
David
Hey David, are you getting any pertinent errors in any of the following log files?
/var/log/vmware/vpxd/vpxd.log
/var/log/vmware/sso/websso.log
/var/log/vmware/sso/ssoAdminServer.log
Those might be able to point you in the right direction. Let us know what you find.
Hi,
thank you for the response. It is Windows-based installation, as I mentioned already, so I hope I found the relevant logs. I started web browser and tried to login via windows integration and searched logs for the specific time period. Hostnames are changed.
C:\ProgramData\VMware\vCenterServer\runtime\VMwareSTSService\logs\websso.log
[2019-10-03T09:18:24.531+02:00 tomcat-http--1 INFO com.vmware.identity.SsoController] Welcome to SP-initiated AuthnRequest handler! The client locale is en_US, tenant is vsphere.local
[2019-10-03T09:18:24.532+02:00 tomcat-http--1 INFO com.vmware.identity.SsoController] Request URL is https://xxx.yyy.zzz.cz/websso/SAML2/SSO/vsphere.local
[2019-10-03T09:18:24.589+02:00 tomcat-http--1 92a887d2-f255-4490-860d-fd1e57395ece INFO com.vmware.identity.samlservice.impl.AuthnRequestStateValidator] Validating SAML AuthnRequest, ID: _3c9447985d4d34f0464e4e68c6411311
[2019-10-03T09:18:24.593+02:00 tomcat-http--1 92a887d2-f255-4490-860d-fd1e57395ece INFO com.vmware.identity.samlservice.impl.AuthnRequestStateValidator] Authn request proxyCount= null set isProxying=false
[2019-10-03T09:18:24.603+02:00 tomcat-http--1 92a887d2-f255-4490-860d-fd1e57395ece INFO com.vmware.identity.samlservice.impl.AuthnRequestStateValidator] Authentication request validation succeeded
[2019-10-03T09:18:24.607+02:00 tomcat-http--1 92a887d2-f255-4490-860d-fd1e57395ece INFO auditlogger] {"user":"","client":"::1","timestamp":"10/03/2019 09:18:24 CEST","description":"User @::1 failed to log in with response code 401","eventSeverity":"INFO","type":"com.vmware.sso.LoginFailure"}
[2019-10-03T09:18:24.607+02:00 tomcat-http--1 92a887d2-f255-4490-860d-fd1e57395ece ERROR com.vmware.identity.samlservice.AuthnRequestState] Caught Saml Service Exception from authenticate com.vmware.identity.samlservice.SamlServiceException
[2019-10-03T09:18:24.607+02:00 tomcat-http--1 92a887d2-f255-4490-860d-fd1e57395ece ERROR com.vmware.identity.BaseSsoController] Sending error to browser. ERROR: 401, message
C:\ProgramData\VMware\vCenterServer\runtime\VMwareSTSService\logs\ssoAdminServer.log
no error messages, no mention of my login name
C:\ProgramData\VMware\vCenterServer\logs\vmware-vpx\vpxd-149.log
timestamp 34 seconds later than that from websso.log, so probably not relevant, but to be sure, I paste it here
2019-10-03T09:18:58.815+02:00 error vpxd[05996] [Originator@6876 sub=vmomi.soapStub[79]] initial service state request failed, disabling pings. error=HTTP Status:500 'Internal Server Error'
2019-10-03T09:18:58.815+02:00 warning vpxd[05996] [Originator@6876 sub=Default] Closing Response processing in unexpected state: 3
EDIT: I also found this:
C:\ProgramData\VMware\vCenterServer\runtime\VMwareSTSService\logs\websso_audit_events.log
2019-10-03T07:18:24.607Z {"user":"","client":"::1","timestamp":"10/03/2019 09:18:24 CEST","description":"User @::1 failed to log in with response code 401","eventSeverity":"INFO","type":"com.vmware.sso.LoginFailure"}
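An added example, not part of the original posts: a small Python parser for the websso.log line format shown above that extracts `com.vmware.sso.LoginFailure` audit events and attaches the ERROR lines sharing the same correlation ID. The function name, record fields and the `empty_user` flag are assumptions made for illustration; the sample lines are copied from the excerpt above.

```python
import json
import re
from collections import defaultdict

# [timestamp thread (optional correlation UUID) LEVEL logger] message
LINE = re.compile(
    r"^\[(?P<ts>\S+)\s+(?P<thread>\S+)\s+"
    r"(?:(?P<cid>[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})\s+)?"
    r"(?P<level>[A-Z]+)\s+(?P<logger>[^\]]+)\]\s*(?P<msg>.*)$"
)
CID = "92a887d2-f255-4490-860d-fd1e57395ece"
# Lines copied from the websso.log excerpt in the post above.
SAMPLE = [
    '[2019-10-03T09:18:24.531+02:00 tomcat-http--1 INFO com.vmware.identity.SsoController] Welcome to SP-initiated AuthnRequest handler! The client locale is en_US, tenant is vsphere.local',
    '[2019-10-03T09:18:24.607+02:00 tomcat-http--1 ' + CID + ' INFO auditlogger] {"user":"","client":"::1","timestamp":"10/03/2019 09:18:24 CEST","description":"User @::1 failed to log in with response code 401","eventSeverity":"INFO","type":"com.vmware.sso.LoginFailure"}',
    '[2019-10-03T09:18:24.607+02:00 tomcat-http--1 ' + CID + ' ERROR com.vmware.identity.samlservice.AuthnRequestState] Caught Saml Service Exception from authenticate com.vmware.identity.samlservice.SamlServiceException',
    '[2019-10-03T09:18:24.607+02:00 tomcat-http--1 ' + CID + ' ERROR com.vmware.identity.BaseSsoController] Sending error to browser. ERROR: 401, message',
]

def failed_logins(lines):
    """Return one record per LoginFailure audit event, joined with the
    ERROR lines that carry the same correlation ID."""
    errors = defaultdict(list)
    events = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # continuation lines, stack traces, other formats
        if m["level"] == "ERROR" and m["cid"]:
            errors[m["cid"]].append(f'{m["logger"]}: {m["msg"]}')
        elif m["logger"] == "auditlogger":
            try:
                audit = json.loads(m["msg"])
            except json.JSONDecodeError:
                continue  # truncated or non-JSON audit payload
            if audit.get("type") == "com.vmware.sso.LoginFailure":
                events.append({"ts": m["ts"], "cid": m["cid"],
                               "user": audit.get("user", ""),
                               "client": audit.get("client", ""),
                               "description": audit.get("description", "")})
    for event in events:  # join after the scan so line order does not matter
        event["errors"] = errors.get(event["cid"], [])
        event["empty_user"] = event["user"] == ""
    return events

if __name__ == "__main__":
    for event in failed_logins(SAMPLE):
        print(json.dumps(event, indent=2))
```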
Running a Windows-based vCenter at this time is essentially pointless and because of most using the vCSA there is going to be an (appropriate) lack of knowledge here on Windows. I'd suggest opening a support request.
Sorry, I totally skipped over the local Windows install bit.
A good amount of people have had success with fixing this issue by setting an appropriate security GPO, as talked about here: Issues when using Windows Session Authentication
> Running a Windows-based vCenter at this time is essentially pointless and because of most using the vCSA there is going to be an (appropriate) lack of knowledge here on Windows. I'd suggest opening a support request.

Well, maybe in your case, but I have reasons to postpone the migration due to some specific software dependencies, until they are resolved. As far as I know, vCenter 6.5 Windows-based is still actively developed. And I am aware of many people still running it. IWA functionality is not critical to me, I just wonder if there is a solution. But thanks for the opinion anyway 😉
> A good amount of people have had success with fixing this issue by setting an appropriate security GPO, as talked about here: Issues when using Windows Session Authentication
Thank you for the suggestion. It did not work in my case. Never mind, it is not critical to me, maybe later somebody will have the same problem and will be smarter than me to find a solution 🙂
This is a known issue affecting vCenter Server 6.5 U3 and 6.7 U3. Resolution available at failed to log in with response code 401","eventSeverity":"INFO","type":"com.vmware.sso.LoginFailure"....