After using a service account to configure an Identity Source in vCenter Single Sign-On, users from that domain are unable to log in
Article ID: 305657

Products

VMware vCenter Server

Issue/Introduction

Symptoms:
  • vCenter Single Sign-On (SSO) failed to automatically find the Identity Source during install, so an Identity Source was created manually via the Web Client and a non-administrator account (such as a service account) was used to connect SSO to Active Directory.
  • Logging into the vSphere Client or vSphere Web Client with a domain account that belongs to the manually added Identity Source fails with an error:

    • Web Client logins fail with the error:

      Provided credentials are not valid

    • vSphere Client logins fail with the error:

      Cannot complete login due to an incorrect user name or password.

  • In the imsTrace.log file, you see a message which indicates that the login failed because the account is disabled:

    <DOMAINNAME>,,,,The principal with ID: <USERNAME> is disabled. Reason: ReasonKey[AUTHN_PRINCIPAL_DISABLED]
    [castle-exec-46], (IMSUtilImpl.java:198), trace.com.rsa.riat.utils.IMSUtil, ERROR, <DOMAINNAME>,,,,Authentication Failed. Invalid credentials. State: failed


  • You see this error in the imsTrace.log file:

    Error while trying to generate RequestSecurityTokenResponse


Environment

VMware vCenter Server 5.1.x

Resolution

When manually adding an Identity Source in vCenter Single Sign-On (SSO), many domains will require using the authentication type of Password. This requires a valid administrator account in the directory.

In situations where the use of an administrator account is not allowed for security or policy reasons, you may use a service account instead. If a service account is used, it must have sufficient permissions to read the properties and attributes of every user who is intended to log in to vSphere. If the service account cannot read these attributes, logins fail. The solution is to increase the permissions on this service account so that it is able to read all of the required user attributes.

The appropriate permissions for SSO can be provided by using one of these options:
  • A domain administrator account
  • A service account with full read-only permissions on the entire user/group sub-tree that is to have access to vSphere
  • A service account with these specific read permissions on the entire user/group sub-tree that is to have access to vSphere:

    tokenGroups
    memberOf
    cn
    name
    givenName
    sn
    initials
    comment
    distinguishedName
    samAccountName
    samAccountType
    userPrincipalName
    userAccountControl
    accountExpires
    description
    lockoutTime
    objectGUID
    objectSID
    userCertificate
For information on account permissions in Active Directory, see the Microsoft TechNet article, Active Directory Users, Computers, and Groups.

Note: The preceding link was correct as of March 14, 2014. If you find the link is broken, provide feedback and a VMware employee will update the link.
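The following PowerShell script is an added check, not part of this KB article: it binds to Active Directory first as the SSO service account and then as a reference administrator account, reads the attributes listed above for a test user, and reports any attribute the administrator can read but the service account cannot. The domain controller name and the test user's sAMAccountName are placeholders.

```powershell
# Added example, not from the VMware KB article. Assumptions: the domain controller
# and test user below are placeholders; the credentials are prompted for at run time.
$Server   = "dc01.example.local"
$TestUser = "jdoe"   # a user who should be able to log in to vSphere

# Attributes the KB article says the SSO service account must be able to read.
$Required = @(
  "tokenGroups","memberOf","cn","name","givenName","sn","initials","comment",
  "distinguishedName","samAccountName","samAccountType","userPrincipalName",
  "userAccountControl","accountExpires","description","lockoutTime",
  "objectGUID","objectSID","userCertificate"
)

function Get-ReadableAttributes {
  param([string]$Server, [string]$SamAccountName, [pscredential]$Credential)
  $pw   = $Credential.GetNetworkCredential().Password
  $root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server", $Credential.UserName, $pw)
  $s    = New-Object System.DirectoryServices.DirectorySearcher($root)
  $s.Filter = "(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
  $hit = $s.FindOne()
  if (-not $hit) { throw "$($Credential.UserName) cannot locate $SamAccountName" }
  $dn   = $hit.Properties["distinguishedname"][0]
  $user = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server/$dn", $Credential.UserName, $pw)
  # tokenGroups is a constructed attribute; AD only returns it when requested explicitly.
  $user.RefreshCache([string[]]$Required)
  # AD silently omits attributes the bind account may not read, so return only those with a value.
  $Required | Where-Object { $user.Properties[$_].Count -gt 0 }
}

$svc   = Get-Credential -Message "SSO service account (as entered in the Identity Source)"
$admin = Get-Credential -Message "Domain administrator account (reference read)"

$asSvc   = Get-ReadableAttributes -Server $Server -SamAccountName $TestUser -Credential $svc
$asAdmin = Get-ReadableAttributes -Server $Server -SamAccountName $TestUser -Credential $admin

# An attribute the administrator can read but the service account cannot is a permission gap.
# Attributes missing for both accounts (for example initials or comment) are simply unset on this user.
$gap = $asAdmin | Where-Object { $asSvc -notcontains $_ }
if ($gap) {
  Write-Warning ("Service account lacks read access to: " + ($gap -join ", "))
} else {
  Write-Host "Service account can read every populated SSO attribute for $TestUser."
}
```

Run this from a domain-joined Windows host that can reach the domain controller; an exception at the first bind indicates a credential problem with the service account rather than a missing attribute permission.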


