jackchentoronto
Enthusiast
Enthusiast

Client is not authenticated to VMware Inventory Service - http://localhost:10080/invsvc

I have a newly setup vCenter 6, integrated with our AD ( using integrated Windows authentication )

It was working ok for a while, I rebooted the server today, all a sudden I am getting

"Client is not authenticated to VMware Inventory Service - http://localhost:10080/invsvc" when login as domainuser\myaccount.

If I login as vsphere.local\administrator, then everything is working as supposed.

Finally I had to remove the AD ID source, then re-add it back, then it's normal again.

Any one see similar problem?

Another problem ( might be related ) is when I add the AD as ID source, sometime I got

"The vCenter Single Sign-On service is not currently joined to any domain. You cannot complete the current operation."

but most time it's ok.

0 Kudos
5 Replies
Nithy07cs055
Hot Shot
Hot Shot

I suspect the issue is with SSO ,while installing the vCenter server using an Embedded option , you should have got the below screen,

valid Domain name and Credentials should be entered for proper configuration  

sso.JPG

Thanks and Regards, Nithyanathan R Please follow my page and Blog for more updates. Blog : https://communities.vmware.com/blogs/Nithyanathan Twitter @Nithy55 Facebook Vmware page : https://www.facebook.com/Virtualizationworld
0 Kudos
jackchentoronto
Enthusiast
Enthusiast

yes it's definitely related with sso. Vsphere.local domain users can login without problem, the problem is with the other identity source integrated with our production AD using machine account.

I suspect it might have some issue with some of our AD's special setting ( when I tried to integrate our AD with vCenter 5.5 before, it totally broke the identity source configuration, and Vmware confirmed it's a bug in 5.5). 

After I delete/readded the AD identity source, AD users can login& access vCenter inventory without problem, but I am not sure if the same problem will happen again if I reboot vCenter.

0 Kudos
Nithy07cs055
Hot Shot
Hot Shot

Oh.. than you need to open a ticket with Vmware and inform about the bug, they will fix it,

All the best Smiley Happy

Thanks and Regards, Nithyanathan R Please follow my page and Blog for more updates. Blog : https://communities.vmware.com/blogs/Nithyanathan Twitter @Nithy55 Facebook Vmware page : https://www.facebook.com/Virtualizationworld
0 Kudos
gjbrown
Enthusiast
Enthusiast

Did you ever get long term resolution on this?  I am having same problem.  Using VCSA 6

0 Kudos
jo_m
Contributor
Contributor

Running into the same issue here; AD accounts don't authenticate to the inventory service.

Note: Error relating to "NT AUTHORITY" is what I'm seeing in my case. May be different for other environments.

Error is logged in inv-svc.log:

2015-09-18T21:11:52.576+02:00 [pool-16-thread-4  INFO  com.vmware.identity.token.impl.SamlTokenImpl  opId=290b1891-f8ce-49fd-86ff-f0f3d8a1f9a9] SAML token for SubjectNameId [value=user@example.com, format=http://schemas.xmlsoap.org/claims/UPN] successfully parsed from Element

2015-09-18T21:11:52.612+02:00 [pool-16-thread-4  ERROR com.vmware.vim.vcauthenticate.servlets.AuthenticationHelper  opId=290b1891-f8ce-49fd-86ff-f0f3d8a1f9a9] Invalid user

com.vmware.vim.query.server.ssoauthentication.exception.InvalidUserException: Domain does not exist: NT AUTHORITY

    at com.vmware.vim.query.server.ssoauthentication.impl.DomainNameNormalizerImpl.toSsoDomain(DomainNameNormalizerImpl.java:55)

    at com.vmware.vim.query.server.ssoauthentication.impl.SsoPrincipalFactoryImpl.nameFromPrincipalId(SsoPrincipalFactoryImpl.java:77)

    at com.vmware.vim.query.server.ssoauthentication.impl.SsoPrincipalFactoryImpl.createUserPrincipal(SsoPrincipalFactoryImpl.java:138)

    at com.vmware.vim.query.server.ssoauthentication.impl.SsoPrincipalFactoryImpl.createUserPrincipal(SsoPrincipalFactoryImpl.java:48)

    at com.vmware.vim.vcauthenticate.servlets.AuthenticationHelper.loginBySamlToken(AuthenticationHelper.java:196)

    at com.vmware.vim.query.server.authentication.impl.MoSessionManager.internalLoginBySamlToken(MoSessionManager.java:174)

    at com.vmware.vim.query.server.authentication.impl.MoSessionManager.loginBySamlToken(MoSessionManager.java:154)

    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)

    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)

    at java.lang.reflect.Method.invoke(Method.java:606)

    at com.vmware.vim.vmomi.server.impl.InvocationTask.run(InvocationTask.java:66)

    at com.vmware.vim.vmomi.server.common.impl.RunnableWrapper$1.run(RunnableWrapper.java:48)

    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)

    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)

    at java.lang.Thread.run(Thread.java:745)

2015-09-18T21:11:52.793+02:00 [pool-16-thread-4  INFO  com.vmware.vim.query.server.authentication.impl.MoSessionManager  opId=290b1891-f8ce-49fd-86ff-f0f3d8a1f9a9] Failed to login user with subject: {Name: user, Domain: example.com}

2015-09-18T21:12:09.399+02:00 [tomcat-exec-268  INFO  com.vmware.vim.sso.admin.client.vmomi.impl.AdminClientImpl  opId=] Client was created successfully

2015-09-18T21:12:09.715+02:00 [tomcat-exec-268  INFO  com.vmware.identity.token.impl.SamlTokenImpl  opId=] SAML token for SubjectNameId [value=user@example.com, format=http://schemas.xmlsoap.org/claims/UPN] successfully parsed from XML

2015-09-18T21:12:09.728+02:00 [tomcat-exec-268  INFO  com.vmware.identity.token.impl.SamlTokenImpl  opId=] SAML token for SubjectNameId [value=user@example.com, format=http://schemas.xmlsoap.org/claims/UPN] successfully parsed from XML

2015-09-18T21:12:09.766+02:00 [tomcat-exec-268  ERROR com.vmware.vim.vcauthenticate.servlets.AuthenticationHelper  opId=] Invalid user

com.vmware.vim.query.server.ssoauthentication.exception.InvalidUserException: Domain does not exist: NT AUTHORITY

    at com.vmware.vim.query.server.ssoauthentication.impl.DomainNameNormalizerImpl.toSsoDomain(DomainNameNormalizerImpl.java:55)

    at com.vmware.vim.query.server.ssoauthentication.impl.SsoPrincipalFactoryImpl.nameFromPrincipalId(SsoPrincipalFactoryImpl.java:77)

    at com.vmware.vim.query.server.ssoauthentication.impl.SsoPrincipalFactoryImpl.createUserPrincipal(SsoPrincipalFactoryImpl.java:138)

    at com.vmware.vim.query.server.ssoauthentication.impl.SsoPrincipalFactoryImpl.createUserPrincipal(SsoPrincipalFactoryImpl.java:48)

    at com.vmware.vim.vcauthenticate.servlets.AuthenticationHelper.loginBySamlToken(AuthenticationHelper.java:196)

    at com.vmware.cis.services.common.vapi.sessions.impl.VlsiBackedSessionManager.loginInt(VlsiBackedSessionManager.java:155)

    at com.vmware.cis.services.common.vapi.sessions.impl.VlsiBackedSessionManager.login(VlsiBackedSessionManager.java:77)

    at com.vmware.vim.query.server.authz.SessionManagerImpl.login(SessionManagerImpl.java:24)

    at com.vmware.cis.authz.sessions.SessionManagerApiInterface$LoginApiMethod.doInvoke(SessionManagerApiInterface.java:40)

    at com.vmware.vapi.internal.bindings.ApiMethodSkeleton.invoke(ApiMethodSkeleton.java:169)

    at com.vmware.vapi.provider.ApiMethodBasedApiInterface.invoke(ApiMethodBasedApiInterface.java:82)

    at com.vmware.vapi.provider.local.LocalProvider.invokeMethodInt(LocalProvider.java:471)

    at com.vmware.vapi.provider.local.LocalProvider.invoke(LocalProvider.java:290)

    at com.vmware.vapi.provider.introspection.ErrorAugmentingFilter.invoke(ErrorAugmentingFilter.java:74)

    at com.vmware.vapi.security.AuthenticationFilter$1.setResult(AuthenticationFilter.java:180)

    at com.vmware.vapi.security.AuthenticationFilter$1.setResult(AuthenticationFilter.java:166)

    at com.vmware.vapi.cis.authn.SamlTokenAuthnHandler.authenticate(SamlTokenAuthnHandler.java:60)

    at com.vmware.vapi.security.AuthenticationFilter.invoke(AuthenticationFilter.java:165)

    at com.vmware.vapi.provider.aggregator.ProviderAggregation.invokeMethodImpl(ProviderAggregation.java:244)

    at com.vmware.vapi.provider.aggregator.ProviderAggregation.invoke(ProviderAggregation.java:269)

    at com.vmware.vapi.internal.provider.introspection.IntrospectionFilter.invoke(IntrospectionFilter.java:70)

    at com.vmware.vapi.provider.aggregator.ApiAggregator.invoke(ApiAggregator.java:101)

    at com.vmware.vapi.protocol.server.msg.json.JsonServerConnection.processApiRequest(JsonServerConnection.java:281)

    at com.vmware.vapi.protocol.server.msg.json.JsonServerConnection.requestReceived(JsonServerConnection.java:206)

    at com.vmware.vapi.protocol.server.rpc.http.impl.HttpStreamingServlet.doPostImpl(HttpStreamingServlet.java:124)

    at com.vmware.vapi.protocol.server.rpc.http.impl.HttpStreamingServlet.doPost(HttpStreamingServlet.java:92)

    at javax.servlet.http.HttpServlet.service(HttpServlet.java:646)

    at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)

    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)

    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)

    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)

    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)

    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501)

    at com.vmware.vim.vmomi.server.http.impl.VlsiSslValve.invoke(VlsiSslValve.java:49)

    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)

    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)

    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)

    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)

    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1070)

    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)

    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:314)

    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)

    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)

    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)

    at java.lang.Thread.run(Thread.java:745)

"NT AUTHORITY" here is coming from the user token. Token details are logged in vmware-identity-sts.log:

[2015-09-18T20:22:51.253+02:00 tomcat-http--46 vsphere.local   f09bbe6f-2ff5-4a2c-b77e-ce8b2de4620a TRACE com.vmware.identity.saml.idm.IdmPrincipalAttributesExtractor] An attribute PrincipalAttribute [name=http://schemas.xmlsoap.org/claims/UPN, format=urn:oasis:names:tc:SAML:2.0:attrname-format:uri, friendly name=userPrincipalName, value=[user@example.com]] retrieved for {Name: user, Domain: example.com}

[2015-09-18T20:22:51.253+02:00 tomcat-http--46 vsphere.local   f09bbe6f-2ff5-4a2c-b77e-ce8b2de4620a TRACE com.vmware.identity.saml.idm.IdmPrincipalAttributesExtractor] An attribute PrincipalAttribute [name=http://rsa.com/schemas/attr-names/2009/01/GroupIdentity, format=urn:oasis:names:tc:SAML:2.0:attrname-format:uri, friendly name=Groups, value=[example.com\Domain Users, NT AUTHORITY\LogonSessionId_0_1204365, [... additional groups ...], vsphere.local\Administrators, vsphere.local\Everyone]] retrieved for {Name: user, Domain: example.com}

[2015-09-18T20:22:51.253+02:00 tomcat-http--46 vsphere.local   f09bbe6f-2ff5-4a2c-b77e-ce8b2de4620a TRACE com.vmware.identity.saml.idm.IdmPrincipalAttributesExtractor] An attribute PrincipalAttribute [name=http://vmware.com/schemas/attr-names/2011/07/isSolution, format=urn:oasis:names:tc:SAML:2.0:attrname-format:uri, friendly name=Subject Type, value=[false]] retrieved for {Name: user, Domain: example.com}

[2015-09-18T20:22:51.253+02:00 tomcat-http--46 vsphere.local   f09bbe6f-2ff5-4a2c-b77e-ce8b2de4620a TRACE com.vmware.identity.saml.idm.IdmPrincipalAttributesExtractor] An attribute PrincipalAttribute [name=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname, format=urn:oasis:names:tc:SAML:2.0:attrname-format:uri, friendly name=surname, value=null] retrieved for {Name: user, Domain: example.com}

[2015-09-18T20:22:51.253+02:00 tomcat-http--46 vsphere.local   f09bbe6f-2ff5-4a2c-b77e-ce8b2de4620a TRACE com.vmware.identity.saml.idm.IdmPrincipalAttributesExtractor] An attribute PrincipalAttribute [name=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname, format=urn:oasis:names:tc:SAML:2.0:attrname-format:uri, friendly name=givenName, value=null] retrieved for {Name: user, Domain: example.com}

Domain controller (2008 R2) in my case adds "NT AUTHORITY\LogonSessionId_0_#######" (number varies) to the user's groups. Inventory service can't resolve the domain and fails the logon attempt.

I suppose the unresolvable group should be ignored by the service, instead of causing a logon failure. Possible workaround could be to exclude the unresolvable groups from the issued token, but I don't know if/how that can be changed.

Edit:

Workaround: Use LDAP for your AD identity source instead of integrated Windows authentication. User token will not contain "NT AUTHORITY\LogonSessionId" group.

0 Kudos