VMware Cloud Community
jackchentoronto
Enthusiast

Client is not authenticated to VMware Inventory Service - http://localhost:10080/invsvc

I have a newly set up vCenter 6, integrated with our AD (using integrated Windows authentication).

It was working OK for a while. I rebooted the server today, and all of a sudden I am getting

"Client is not authenticated to VMware Inventory Service - http://localhost:10080/invsvc" when logging in as domainuser\myaccount.

If I log in as vsphere.local\administrator, then everything works as it is supposed to.

Finally I had to remove the AD ID source, then re-add it, and then it was normal again.

Anyone seen a similar problem?

Another problem (which might be related) is that when I add the AD as an ID source, sometimes I get

"The vCenter Single Sign-On service is not currently joined to any domain. You cannot complete the current operation."

but most of the time it's OK.

5 Replies
Nithy07cs055
Hot Shot

I suspect the issue is with SSO. While installing the vCenter server using the Embedded option, you should have got the screen below,

A valid domain name and credentials should be entered for proper configuration.

(attachment: sso.JPG)

Thanks and Regards, Nithyanathan R Please follow my page and Blog for more updates. Blog : https://communities.vmware.com/blogs/Nithyanathan Twitter @Nithy55 Facebook Vmware page : https://www.facebook.com/Virtualizationworld
jackchentoronto
Enthusiast

Yes, it's definitely related to SSO. vsphere.local domain users can log in without problem; the problem is with the other identity source, integrated with our production AD using a machine account.

I suspect it might have some issue with some of our AD's special settings (when I tried to integrate our AD with vCenter 5.5 before, it totally broke the identity source configuration, and VMware confirmed it was a bug in 5.5).

After I deleted/re-added the AD identity source, AD users can log in and access the vCenter inventory without problem, but I am not sure if the same problem will happen again if I reboot vCenter.

Nithy07cs055
Hot Shot

Oh... then you need to open a ticket with VMware and inform them about the bug; they will fix it.

All the best :)

gjbrown
Enthusiast

Did you ever get a long-term resolution on this? I am having the same problem. Using VCSA 6.

jo_m
Contributor

Running into the same issue here; AD accounts don't authenticate to the inventory service.

Note: the error relating to "NT AUTHORITY" is what I'm seeing in my case. It may be different for other environments.

The error is logged in inv-svc.log:

2015-09-18T21:11:52.576+02:00 [pool-16-thread-4  INFO  com.vmware.identity.token.impl.SamlTokenImpl  opId=290b1891-f8ce-49fd-86ff-f0f3d8a1f9a9] SAML token for SubjectNameId [value=user@example.com, format=http://schemas.xmlsoap.org/claims/UPN] successfully parsed from Element
2015-09-18T21:11:52.612+02:00 [pool-16-thread-4  ERROR com.vmware.vim.vcauthenticate.servlets.AuthenticationHelper  opId=290b1891-f8ce-49fd-86ff-f0f3d8a1f9a9] Invalid user
com.vmware.vim.query.server.ssoauthentication.exception.InvalidUserException: Domain does not exist: NT AUTHORITY
    at com.vmware.vim.query.server.ssoauthentication.impl.DomainNameNormalizerImpl.toSsoDomain(DomainNameNormalizerImpl.java:55)
    at com.vmware.vim.query.server.ssoauthentication.impl.SsoPrincipalFactoryImpl.nameFromPrincipalId(SsoPrincipalFactoryImpl.java:77)
    at com.vmware.vim.query.server.ssoauthentication.impl.SsoPrincipalFactoryImpl.createUserPrincipal(SsoPrincipalFactoryImpl.java:138)
    at com.vmware.vim.query.server.ssoauthentication.impl.SsoPrincipalFactoryImpl.createUserPrincipal(SsoPrincipalFactoryImpl.java:48)
    at com.vmware.vim.vcauthenticate.servlets.AuthenticationHelper.loginBySamlToken(AuthenticationHelper.java:196)
    at com.vmware.vim.query.server.authentication.impl.MoSessionManager.internalLoginBySamlToken(MoSessionManager.java:174)
    at com.vmware.vim.query.server.authentication.impl.MoSessionManager.loginBySamlToken(MoSessionManager.java:154)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at com.vmware.vim.vmomi.server.impl.InvocationTask.run(InvocationTask.java:66)
    at com.vmware.vim.vmomi.server.common.impl.RunnableWrapper$1.run(RunnableWrapper.java:48)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:745)
2015-09-18T21:11:52.793+02:00 [pool-16-thread-4  INFO  com.vmware.vim.query.server.authentication.impl.MoSessionManager  opId=290b1891-f8ce-49fd-86ff-f0f3d8a1f9a9] Failed to login user with subject: {Name: user, Domain: example.com}
2015-09-18T21:12:09.399+02:00 [tomcat-exec-268  INFO  com.vmware.vim.sso.admin.client.vmomi.impl.AdminClientImpl  opId=] Client was created successfully
2015-09-18T21:12:09.715+02:00 [tomcat-exec-268  INFO  com.vmware.identity.token.impl.SamlTokenImpl  opId=] SAML token for SubjectNameId [value=user@example.com, format=http://schemas.xmlsoap.org/claims/UPN] successfully parsed from XML
2015-09-18T21:12:09.728+02:00 [tomcat-exec-268  INFO  com.vmware.identity.token.impl.SamlTokenImpl  opId=] SAML token for SubjectNameId [value=user@example.com, format=http://schemas.xmlsoap.org/claims/UPN] successfully parsed from XML
2015-09-18T21:12:09.766+02:00 [tomcat-exec-268  ERROR com.vmware.vim.vcauthenticate.servlets.AuthenticationHelper  opId=] Invalid user
com.vmware.vim.query.server.ssoauthentication.exception.InvalidUserException: Domain does not exist: NT AUTHORITY
    at com.vmware.vim.query.server.ssoauthentication.impl.DomainNameNormalizerImpl.toSsoDomain(DomainNameNormalizerImpl.java:55)
    at com.vmware.vim.query.server.ssoauthentication.impl.SsoPrincipalFactoryImpl.nameFromPrincipalId(SsoPrincipalFactoryImpl.java:77)
    at com.vmware.vim.query.server.ssoauthentication.impl.SsoPrincipalFactoryImpl.createUserPrincipal(SsoPrincipalFactoryImpl.java:138)
    at com.vmware.vim.query.server.ssoauthentication.impl.SsoPrincipalFactoryImpl.createUserPrincipal(SsoPrincipalFactoryImpl.java:48)
    at com.vmware.vim.vcauthenticate.servlets.AuthenticationHelper.loginBySamlToken(AuthenticationHelper.java:196)
    at com.vmware.cis.services.common.vapi.sessions.impl.VlsiBackedSessionManager.loginInt(VlsiBackedSessionManager.java:155)
    at com.vmware.cis.services.common.vapi.sessions.impl.VlsiBackedSessionManager.login(VlsiBackedSessionManager.java:77)
    at com.vmware.vim.query.server.authz.SessionManagerImpl.login(SessionManagerImpl.java:24)
    at com.vmware.cis.authz.sessions.SessionManagerApiInterface$LoginApiMethod.doInvoke(SessionManagerApiInterface.java:40)
    at com.vmware.vapi.internal.bindings.ApiMethodSkeleton.invoke(ApiMethodSkeleton.java:169)
    at com.vmware.vapi.provider.ApiMethodBasedApiInterface.invoke(ApiMethodBasedApiInterface.java:82)
    at com.vmware.vapi.provider.local.LocalProvider.invokeMethodInt(LocalProvider.java:471)
    at com.vmware.vapi.provider.local.LocalProvider.invoke(LocalProvider.java:290)
    at com.vmware.vapi.provider.introspection.ErrorAugmentingFilter.invoke(ErrorAugmentingFilter.java:74)
    at com.vmware.vapi.security.AuthenticationFilter$1.setResult(AuthenticationFilter.java:180)
    at com.vmware.vapi.security.AuthenticationFilter$1.setResult(AuthenticationFilter.java:166)
    at com.vmware.vapi.cis.authn.SamlTokenAuthnHandler.authenticate(SamlTokenAuthnHandler.java:60)
    at com.vmware.vapi.security.AuthenticationFilter.invoke(AuthenticationFilter.java:165)
    at com.vmware.vapi.provider.aggregator.ProviderAggregation.invokeMethodImpl(ProviderAggregation.java:244)
    at com.vmware.vapi.provider.aggregator.ProviderAggregation.invoke(ProviderAggregation.java:269)
    at com.vmware.vapi.internal.provider.introspection.IntrospectionFilter.invoke(IntrospectionFilter.java:70)
    at com.vmware.vapi.provider.aggregator.ApiAggregator.invoke(ApiAggregator.java:101)
    at com.vmware.vapi.protocol.server.msg.json.JsonServerConnection.processApiRequest(JsonServerConnection.java:281)
    at com.vmware.vapi.protocol.server.msg.json.JsonServerConnection.requestReceived(JsonServerConnection.java:206)
    at com.vmware.vapi.protocol.server.rpc.http.impl.HttpStreamingServlet.doPostImpl(HttpStreamingServlet.java:124)
    at com.vmware.vapi.protocol.server.rpc.http.impl.HttpStreamingServlet.doPost(HttpStreamingServlet.java:92)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:646)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501)
    at com.vmware.vim.vmomi.server.http.impl.VlsiSslValve.invoke(VlsiSslValve.java:49)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1070)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:314)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:745)

"NT AUTHORITY" here is coming from the user token. Token details are logged in vmware-identity-sts.log:

[2015-09-18T20:22:51.253+02:00 tomcat-http--46 vsphere.local   f09bbe6f-2ff5-4a2c-b77e-ce8b2de4620a TRACE com.vmware.identity.saml.idm.IdmPrincipalAttributesExtractor] An attribute PrincipalAttribute [name=http://schemas.xmlsoap.org/claims/UPN, format=urn:oasis:names:tc:SAML:2.0:attrname-format:uri, friendly name=userPrincipalName, value=[user@example.com]] retrieved for {Name: user, Domain: example.com}

[2015-09-18T20:22:51.253+02:00 tomcat-http--46 vsphere.local   f09bbe6f-2ff5-4a2c-b77e-ce8b2de4620a TRACE com.vmware.identity.saml.idm.IdmPrincipalAttributesExtractor] An attribute PrincipalAttribute [name=http://rsa.com/schemas/attr-names/2009/01/GroupIdentity, format=urn:oasis:names:tc:SAML:2.0:attrname-format:uri, friendly name=Groups, value=[example.com\Domain Users, NT AUTHORITY\LogonSessionId_0_1204365, [... additional groups ...], vsphere.local\Administrators, vsphere.local\Everyone]] retrieved for {Name: user, Domain: example.com}

[2015-09-18T20:22:51.253+02:00 tomcat-http--46 vsphere.local   f09bbe6f-2ff5-4a2c-b77e-ce8b2de4620a TRACE com.vmware.identity.saml.idm.IdmPrincipalAttributesExtractor] An attribute PrincipalAttribute [name=http://vmware.com/schemas/attr-names/2011/07/isSolution, format=urn:oasis:names:tc:SAML:2.0:attrname-format:uri, friendly name=Subject Type, value=[false]] retrieved for {Name: user, Domain: example.com}

[2015-09-18T20:22:51.253+02:00 tomcat-http--46 vsphere.local   f09bbe6f-2ff5-4a2c-b77e-ce8b2de4620a TRACE com.vmware.identity.saml.idm.IdmPrincipalAttributesExtractor] An attribute PrincipalAttribute [name=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname, format=urn:oasis:names:tc:SAML:2.0:attrname-format:uri, friendly name=surname, value=null] retrieved for {Name: user, Domain: example.com}

[2015-09-18T20:22:51.253+02:00 tomcat-http--46 vsphere.local   f09bbe6f-2ff5-4a2c-b77e-ce8b2de4620a TRACE com.vmware.identity.saml.idm.IdmPrincipalAttributesExtractor] An attribute PrincipalAttribute [name=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname, format=urn:oasis:names:tc:SAML:2.0:attrname-format:uri, friendly name=givenName, value=null] retrieved for {Name: user, Domain: example.com}

The domain controller (2008 R2) in my case adds "NT AUTHORITY\LogonSessionId_0_#######" (the number varies) to the user's groups. The inventory service can't resolve the domain and fails the logon attempt.

I suppose the unresolvable group should be ignored by the service instead of causing a logon failure. A possible workaround could be to exclude the unresolvable groups from the issued token, but I don't know if/how that can be changed.

Edit:

Workaround: use LDAP for your AD identity source instead of integrated Windows authentication. The user token will not contain the "NT AUTHORITY\LogonSessionId" group.

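Added illustration, not code from this thread or from VMware: the Python below triages the failure jo_m describes from the two logs. It pulls the Groups attribute out of a vmware-identity-sts.log TRACE line, flags any group whose domain is not a configured identity source, pairs each "Domain does not exist" exception in inv-svc.log with the opId of the ERROR line above it, and contrasts the strict policy the thread observes (one unresolvable group fails the whole logon) with the lenient policy jo_m proposes (drop that group, keep the rest). The log text is constructed from the excerpts quoted above, and the identity-source list in KNOWN_DOMAINS is an assumption.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample log lines, modelled on the excerpts quoted in the thread.
# They are not taken from a real system.
STS_LOG = r"""[2015-09-18T20:22:51.253+02:00 tomcat-http--46 vsphere.local   f09bbe6f-2ff5-4a2c-b77e-ce8b2de4620a TRACE com.vmware.identity.saml.idm.IdmPrincipalAttributesExtractor] An attribute PrincipalAttribute [name=http://schemas.xmlsoap.org/claims/UPN, format=urn:oasis:names:tc:SAML:2.0:attrname-format:uri, friendly name=userPrincipalName, value=[user@example.com]] retrieved for {Name: user, Domain: example.com}
[2015-09-18T20:22:51.253+02:00 tomcat-http--46 vsphere.local   f09bbe6f-2ff5-4a2c-b77e-ce8b2de4620a TRACE com.vmware.identity.saml.idm.IdmPrincipalAttributesExtractor] An attribute PrincipalAttribute [name=http://rsa.com/schemas/attr-names/2009/01/GroupIdentity, format=urn:oasis:names:tc:SAML:2.0:attrname-format:uri, friendly name=Groups, value=[example.com\Domain Users, NT AUTHORITY\LogonSessionId_0_1204365, example.com\vCenter Admins, vsphere.local\Administrators, vsphere.local\Everyone]] retrieved for {Name: user, Domain: example.com}
"""

INVSVC_LOG = r"""2015-09-18T21:11:52.612+02:00 [pool-16-thread-4  ERROR com.vmware.vim.vcauthenticate.servlets.AuthenticationHelper  opId=290b1891-f8ce-49fd-86ff-f0f3d8a1f9a9] Invalid user
com.vmware.vim.query.server.ssoauthentication.exception.InvalidUserException: Domain does not exist: NT AUTHORITY
2015-09-18T21:11:52.793+02:00 [pool-16-thread-4  INFO  com.vmware.vim.query.server.authentication.impl.MoSessionManager  opId=290b1891-f8ce-49fd-86ff-f0f3d8a1f9a9] Failed to login user with subject: {Name: user, Domain: example.com}
"""

# Assumed set of configured SSO identity sources: the built-in domain plus the AD domain.
KNOWN_DOMAINS = ["vsphere.local", "example.com"]

Group = Tuple[str, str]  # (domain, group name) as written in the token: domain\name

GROUPS_RE = re.compile(
    r"friendly name=Groups, value=\[(?P<groups>.*?)\]\] retrieved for "
    r"\{Name: (?P<name>[^,]+), Domain: (?P<domain>[^}]+)\}"
)
OPID_RE = re.compile(r"opId=(?P<opid>[0-9a-f-]+)\]")
NO_DOMAIN_RE = re.compile(r"Domain does not exist: (?P<domain>.+?)\s*$")


def parse_token_groups(sts_log: str) -> List[Dict]:
    """Return one record per token whose Groups attribute the STS traced."""
    subjects = []
    for line in sts_log.splitlines():
        m = GROUPS_RE.search(line)
        if not m:
            continue
        groups: List[Group] = []
        for raw in m.group("groups").split(", "):
            domain, _, name = raw.partition("\\")  # "NT AUTHORITY\LogonSessionId_0_1204365"
            groups.append((domain, name))
        subjects.append({"user": f"{m.group('name')}@{m.group('domain')}", "groups": groups})
    return subjects


def unresolvable_groups(groups: List[Group], known_domains: List[str]) -> List[Group]:
    """Groups whose domain part is not a configured identity source (case-insensitive)."""
    known = {d.lower() for d in known_domains}
    return [(d, n) for d, n in groups if d.lower() not in known]


def domain_not_exist_errors(invsvc_log: str) -> List[Tuple[str, str]]:
    """Pair each 'Domain does not exist' exception with the opId of the preceding log line."""
    results, last_opid = [], ""
    for line in invsvc_log.splitlines():
        m = OPID_RE.search(line)
        if m:
            last_opid = m.group("opid")
        m = NO_DOMAIN_RE.search(line)
        if m:
            results.append((last_opid, m.group("domain")))
    return results


def normalize_groups(groups: List[Group], known_domains: List[str], strict: bool = True) -> List[Group]:
    """Strict: any unresolvable domain aborts the logon (what the thread observes).
    Lenient: the unresolvable group is dropped and the resolvable ones are kept."""
    known = {d.lower() for d in known_domains}
    kept = []
    for domain, name in groups:
        if domain.lower() in known:
            kept.append((domain, name))
        elif strict:
            raise ValueError(f"Domain does not exist: {domain}")
    return kept


def strict_logon_succeeds(groups: List[Group], known_domains: List[str]) -> bool:
    try:
        normalize_groups(groups, known_domains, strict=True)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for subj in parse_token_groups(STS_LOG):
        bad = unresolvable_groups(subj["groups"], KNOWN_DOMAINS)
        print(subj["user"], "unresolvable groups:", bad)
        print("strict logon succeeds:", strict_logon_succeeds(subj["groups"], KNOWN_DOMAINS))
        print("lenient groups kept:", normalize_groups(subj["groups"], KNOWN_DOMAINS, strict=False))
    print("inv-svc errors:", domain_not_exist_errors(INVSVC_LOG))
```

Run it against your own vmware-identity-sts.log (TRACE level must be enabled for the IdmPrincipalAttributesExtractor lines to appear) and inv-svc.log; any group in the "unresolvable" list whose domain is not one you configured is the one that makes toSsoDomain throw, and switching that source to LDAP, as the workaround above says, removes the LogonSessionId entry from the token.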