Logging in to VMware vCenter Server Appliance 5.5 Active Directory fails if group name contains parentheses

Article ID: 304369

Products

VMware vCenter Server

Issue/Introduction

Symptoms:
  • Logging in to the vCenter Server Appliance (VCSA) with vSphere Client or the vSphere Web Client fails if the user is a member of a group with a name that contains parentheses.
  • The vpxd.log file (located at /var/log/vmware/vpx) contains errors similar to:

    [7F3B38BDD700 info 'commonvpxLro' opID=2F8A7488-00000004-c] [VpxLRO] -- BEGIN task-internal-516916 -- -- vim.SessionManager.login -- cbe6ca23-e1ee-172a-a7ce-57b0e3a56e05
    [7F3B38BDD700 info '[SSO]' opID=2F8A7488-00000004-c] [UserDirectorySso] Authenticate(DOMAIN\user, "not shown")
    [7F3B38BDD700 error '[SSO]' opID=2F8A7488-00000004-c] [UserDirectorySso] AcquireToken exception: N9SsoClient12SsoExceptionE(Unexpected SOAP fault: ns0:RequestFailed; request failed.)
    [7F3B38BDD700 error 'authvpxdUser' opID=2F8A7488-00000004-c] Failed to authenticate user <DOMAIN\user>
    [7F3B38BDD700 info 'commonvpxLro' opID=2F8A7488-00000004-c] [VpxLRO] -- FINISH task-internal-516916 -- -- vim.SessionManager.login --
    [7F3B38BDD700 info 'Default' opID=2F8A7488-00000004-c] [VpxLRO] -- ERROR task-internal-516916 -- -- vim.SessionManager.login: vim.fault.InvalidLogin:
    [7F3B389D9700 warning 'VpxProfiler' opID=2F8A7488-00000004-c-SWI-6f0bd63a] VpxUtil_InvokeWithOpId [TotalTime] took 30033 ms

  • The vmware-sts-idmd.log file (located at: /var/log/vmware/sso) contains errors similar to:

    INFO [IdentityManager] Authentication succeeded for user [Dom??nen Administrator@domain] in tenant [vsphere.local] in [3237] milliseconds
    WARN [LdapErrorChecker] Error received by LDAP client: com.vmware.identity.interop.ldap.LinuxLdapClientLibrary, error code: -7
    ERROR [LinuxLdapClientLibrary] Exception when calling ldap_search_s: base=DC=Dom??nen Administrator,DC=<domain>,DC=<com>, scope=2, filter=(&(objectClass=group)(member=CN= vSphere_Users (Read),OU=Wmnas1,OU=CO Groups,OU=groups,OU=IBM GS1,OU=us,OU=na,OU=Global Resources,DC=users,DC=<domain>,DC=<com>)), attrs=[Ljava.lang.String;@65e8dc1a, attrsonly=1
    com.vmware.identity.interop.ldap.FilterErrorLdapException: Bad search filter
    LDAP error [code: -7]
    at com.vmware.identity.interop.ldap.LdapErrorChecker$49.RaiseLdapError(LdapErrorChecker.java:677)
    at com.vmware.identity.interop.ldap.LdapErrorChecker.CheckError(LdapErrorChecker.java:826)
    at com.vmware.identity.interop.ldap.LinuxLdapClientLibrary.CheckError(LinuxLdapClientLibrary.java:743)
    at com.vmware.identity.interop.ldap.LinuxLdapClientLibrary.ldap_search_s(LinuxLdapClientLibrary.java:414)

Note: In the search filter above, vSphere_Users (Read) is an example of an Active Directory (AD) group name that contains parentheses.

  • The vmware-identity-sts.log file (located at: /var/log/vmware/sso) contains entries similar to:

    tomcat-http--8 ERROR com.vmware.identity.sts.ws.StsServiceImpl] com.vmware.identity.saml.SystemException: com.vmware.identity.idm.IDMException
    at com.vmware.identity.saml.idm.IdmPrincipalAttributesExtractor.getAttributes(IdmPrincipalAttributesExtractor.java:114)
    at com.vmware.identity.saml.impl.TokenAuthorityImpl.getTokenAttributesAndIdentityAttribute(TokenAuthorityImpl.java:304)



Cause

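This issue occurs when the user is a member of an AD group whose name contains parentheses. As the vmware-sts-idmd.log excerpt shows, the group's distinguished name is placed in the LDAP search filter with the parentheses intact, and the search fails with "Bad search filter" (LDAP error code -7).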
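
In an LDAP search filter, ( and ) are syntax, so RFC 4515 requires them to be written as \28 and \29 when they occur inside a value. The following added example (not VMware code, and not a description of how 5.5.0a resolves the issue) builds the member filter seen in the log with and without that escaping and runs a simplified structural check on each; the DN is constructed and the function names are hypothetical.

```python
# Added illustration, not VMware code. The DN is constructed, modelled on the
# group name in the log excerpt; all function names here are hypothetical.

# RFC 4515, section 3: characters that must be hex-escaped inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

SAMPLE_DN = "CN=vSphere_Users (Read),OU=groups,DC=example,DC=com"  # constructed


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value in an LDAP filter."""
    # Per-character mapping, so an inserted backslash is never escaped twice.
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def member_filter(group_dn: str, escape: bool = True) -> str:
    """Build the group-membership filter from the log for one group DN."""
    value = escape_filter_value(group_dn) if escape else group_dn
    return f"(&(objectClass=group)(member={value}))"


def _parse(f: str, i: int) -> int:
    """Parse one filter at f[i]; return the index after it, or -1 if malformed."""
    if i >= len(f) or f[i] != "(":
        return -1
    i += 1
    if i < len(f) and f[i] in "&|!":
        op, i, count = f[i], i + 1, 0
        while i < len(f) and f[i] == "(":  # one or more nested filters
            i = _parse(f, i)
            if i < 0:
                return -1
            count += 1
        if count == 0 or (op == "!" and count != 1):
            return -1
    else:
        start = i
        while i < len(f) and f[i] not in "()":  # item ends at first bare paren
            i += 1
        if "=" not in f[start:i]:
            return -1
    return i + 1 if i < len(f) and f[i] == ")" else -1


def is_well_formed(ldap_filter: str) -> bool:
    """Simplified structural check (not a full RFC 4515 parser)."""
    return _parse(ldap_filter, 0) == len(ldap_filter)
```

With escaping disabled, the item `member=CN=vSphere_Users ` ends at the bare `(` of `(Read)` and the filter is rejected, which matches the "Bad search filter" error in the log; with escaping enabled the same DN yields a well-formed filter.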

Resolution

This issue is resolved in vCenter Server Appliance 5.5.0a. For more information about this version, see the VMware vCenter Server 5.5.0a Release Notes. You can download the latest release from the VMware Download Center.

To work around this issue on vCenter Server Appliance 5.5 GA (Build Number 1312297), remove the parentheses from the name of the user's group, or remove the user from the group whose name contains parentheses.


Additional Information

For related information, see Troubleshooting special character issues in vCenter Server 5.5 (2061415).
