Active Directory users with customized UPN user names cannot use Windows session credentials to log into the vSphere Client or vSphere Web Client
Article ID: 310838
Updated On:
Products
VMware vCenter Server
VMware vSphere ESXi
Issue/Introduction
Symptoms:
- You cannot log into the vSphere Web Client.
- You cannot log into the vSphere Client.
- vCenter Single Sign-On is installed on a Windows system.
- The
Use Windows Session Authenticationoption is selected during login. - Attempting to log in using the vSphere Client or vSphere Web Client fails with the pop-up message:
Provided credentials are not valid
Environment
VMware vCenter Server 5.1.x
VMware vCenter Server 5.5.x
VMware vSphere Web Client 5.1.x
VMware vSphere Web Client 5.5.x
VMware vCenter Server 5.5.x
VMware vSphere Web Client 5.1.x
VMware vSphere Web Client 5.5.x
Cause
Active Directory users might have a custom suffix in their UPN instead of using the domain name as the suffix. For example, the user name [email protected] can be customized to be [email protected].
Active Directory users with these custom suffixes cannot log into the vSphere Web Client using Windows session credentials when vCenter Single Sign-On is installed on a Windows system.
In vSphere 5.1, when using the Active Directory Identity Source, you may see:
In vSphere 5.5, when using the Active Directory as an LDAP server or Active Directory (Integrated Windows Authentication) Identity Source, you may see:
- For example, in the
imsRuntimeAudit.logfile located inC:\Program Files\VMware\Infrastructure\sso server\, you see messages similar to:YYYY-DD-MM <time>, 1ed8d6200100007f06edfadabc610d7a,05c709320100007f21453d728d1866b0,,
127.0.0.1,STS_TOKEN_ISSUE_EVENT,40001,FAIL,AUTHN_PRINCIPAL_NOT_FOUND,,SYSTEM,SYSTEM,
SYSTEM,testuser@testdomain,SYSTEM,SYSTEM,,,,,,,,,,,,,,,,,,,,
YYYY-DD-MM <time>,23105af20100007f2e3cf0f6af381ceb,05c709320100007f21453d728d1866b0,
,127.0.0.1,AUTHN_LOGIN_EVENT,13002,SUCCESS,AUTHN_METHOD_SUCCESS,
1e0233bc0100007f67a934d5b646d074xE67y40+yxP,2263ca5e0100007f336bd4205d18be85,
1ff067280100007f2cff84210a4226df,000000000000000000001000e0011000,testuser,testuser,
vmuser,,,,,,000000000000000000001000f0022001,LDAP_Password,,,,,,,,,,,,,</time></time>
Later on, you see the session returns[email protected]instead oftestuser@domain. This indicates that the domain name is not following UPN standards, and can cause the session to not be accepted by the vSphere client or web client. - Following the session, you notice the domain name change:
YYYY-DD-MM <time>,20e255360100007f66b9915ad8b4edaf,05c709320100007f21453d728d1866b0,,
127.0.0.1,STS_TOKEN_ISSUE_EVENT,40001,SUCCESS,,,
"CN=testuser,OU=TestOrg,DC=TestDomain,DC=com",
1ff067280100007f2cff84210a4226df,000000000000000000001000e0011000,[email protected],
Username,testuser,,,,,,,,,,,,,,,,,,,,
YYYY-DD-MM <time>, 7a19d5af0100007f1df41e934778df5c,05c709320100007f21453d728d1866b0,,127.0.0.1,
AUTHN_LOGIN_EVENT,13002,SUCCESS,AUTHN_METHOD_SUCCESS,788d13750100007f0d8a101759ccde14O1GgM8kpOMe,
2263ca5e0100007f336bd4205d18be85,1ff067280100007f2cff84210a4226df,000000000000000000001000e0011000,
testuser,testuser,testuser,,,,,,000000000000000000001000f0022001,LDAP_Password,,,,,,,,,,,,,
YYYY-DD-MM <time>,0106993b0100007f36c0ae9603868840,05c709320100007f21453d728d1866b0,,127.0.0.1,
STS_TOKEN_ISSUE_EVENT,40001,SUCCESS,,,2263ca5e0100007f336bd4205d18be85,
1ff067280100007f2cff84210a4226df,000000000000000000001000e0011000,[email protected],
testuser,vmuser,,,,,,,,,,,,,,,,,,,,</time></time></time>
In vSphere 5.5, when using the Active Directory as an LDAP server or Active Directory (Integrated Windows Authentication) Identity Source, you may see:
- In the ds.log, located at C:\ProgramData\VMware\Infrastructure\Inventory Service\Logs, you may see entries similar to:
[YYYY-MM-DD <time> pool-11-thread-1 INFO com.vmware.vim.sso.client.impl.SamlTokenImpl] SAML token for subject {Name: <User>, Domain: <Domain with Custom UPN>} successfully parsed from Element</time>[YYYY-MM-DD <time> pool-11-thread-1 INFO com.vmware.vim.sso.client.impl.SamlTokenImpl] SAML token for subject {Name: InventoryService_2013.11.05_133314, Domain: vsphere.local} successfully parsed from Element</time>[YYYY-MM-DD <time> pool-11-thread-1 INFO com.vmware.vim.sso.client.impl.SecurityTokenServiceImpl] Successfully acquired token for user: {Name: InventoryService_2013.11.05_133314, Domain: vsphere.local}</time>[YYYY-MM-DD <time> pool-11-thread-1 INFO com.vmware.vim.sso.admin.client.vmomi.impl.AdminClientImpl] Client was created successfully</time>[YYYY-MM-DD <time> pool-11-thread-1 ERROR com.vmware.vim.dataservices.ssoauthentication.impl.DomainNameNormalizerImpl] SSO Domain does not exist: <Domain with Custom UPN></time>[YYYY-MM-DD <time> pool-11-thread-1 ERROR com.vmware.vim.vcauthenticate.servlets.AuthenticationHelper] Invalid user</time>com.vmware.vim.dataservices.ssoauthentication.exception.InvalidUserException: Domain does not exist: <Domain with Custom UPN>at com.vmware.vim.dataservices.ssoauthentication.impl.DomainNameNormalizerImpl.toVcDomain(DomainNameNormalizerImpl.java:45)at com.vmware.vim.dataservices.ssoauthentication.impl.SsoPrincipalFactoryImpl.nameFromPrincipalId(SsoPrincipalFactoryImpl.java:73)at com.vmware.vim.dataservices.ssoauthentication.impl.SsoPrincipalFactoryImpl.createUserPrincipal(SsoPrincipalFactoryImpl.java:124)at com.vmware.vim.dataservices.ssoauthentication.impl.SsoPrincipalFactoryImpl.createUserPrincipal(SsoPrincipalFactoryImpl.java:45)at com.vmware.vim.vcauthenticate.servlets.AuthenticationHelper.loginBySamlToken(AuthenticationHelper.java:181)at com.vmware.vim.query.server.authentication.impl.MoSessionManager.loginBySamlToken(MoSessionManager.java:62)at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)at java.lang.reflect.Method.invoke(Unknown Source)at com.vmware.vim.vmomi.server.impl.InvocationTask.run(InvocationTask.java:76)at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)at java.lang.Thread.run(Unknown Source)on
...
[YYYY-MM-DD <time> pool-11-thread-1 INFO com.vmware.vim.sso.client.impl.SamlTokenImpl] SAML token for subject {Name: <User>, Domain: <Domain with Custom UPN>} successfully parsed from Element</time>[YYYY-MM-DD <time> pool-11-thread-1 INFO com.vmware.vim.vcauthorization.impl.AuthorizationManagerImpl] Computing permissions for <Custom UPN>\<User></time>[YYYY-MM-DD <time> pool-11-thread-1 INFO com.vmware.vim.vcauthorization.impl.AuthorizationManagerImpl] Session count for user [after add]: <Custom UPN>\<User</i>> is 1</time>[YYYY-MM-DD <time> pool-11-thread-1 INFO com.vmware.vim.vcauthenticate.servlets.AuthenticationHelper] User has no privileges.</time>[YYYY-MM-DD <time> pool-11-thread-1 INFO com.vmware.vim.vcauthorization.impl.AuthorizationManagerImpl] Removed user data for: <Custom UPN>\<User></time>[YYYY-MM-DD <time> pool-11-thread-1 INFO com.vmware.vim.vcauthorization.impl.AuthorizationManagerImpl] Session count for user [after remove]: <Custom UPN>\<User> is 0</time>[YYYY-MM-DD <time> pool-11-thread-1 ERROR com.vmware.vim.vcauthenticate.servlets.AuthenticationHelper] Authentication error: com.vmware.vim.vcauthenticate.exception.NoPrivilegesException</time>[YYYY-MM-DD <time> pool-11-thread-1 INFO com.vmware.vim.query.server.authentication.impl.MoSessionManager] Unabled to complete login</time>[YYYY-MM-DD <time> Thread-2 INFO com.vmware.vim.vcauthorization.impl.SessionAuthDataImpl] Session closed for principal: <Custom UPN>\<User></time>[YYYY-MM-DD <time> Thread-2 WARN com.vmware.vim.vcauthorization.impl.AuthorizationManagerImpl] Unable to find user data for user: <Custom UPN>\<User></time>
- In the vmware-identity-sts.log, located at C:\ProgramData\VMware\CIS\runtime\VMwareSTS\logs, you see entries similar to:
[YYYY-MM-DD <time></time> tomcat-http--7 TRACE com.vmware.identity.saml.idm.IdmPrincipalAttributesExtractor] 5 attributes retrieved for {Name: <User>, Domain: <Domain with Custom UPN>}
[YYYY-MM-DD <time></time> tomcat-http--7 TRACE com.vmware.identity.saml.idm.IdmPrincipalAttributesExtractor] An attribute PrincipalAttribute [name=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname, format=urn:oasis:names:tc
:SAML:2.0:attrname-format:uri, friendly name=givenName, value=[Rodney]] retrieved for {Name: <User>, Domain: <Domain with Custom UPN>}
[YYYY-MM-DD <time></time> tomcat-http--7 TRACE com.vmware.identity.saml.idm.IdmPrincipalAttributesExtractor] An attribute PrincipalAttribute [name=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname, format=urn:oasis:names:tc:S
AML:2.0:attrname-format:uri, friendly name=surname, value=[<User>]] retrieved for {Name: <User>, Domain: <Domain with Custom UPN>}
[YYYY-MM-DD <time></time> tomcat-http--7 TRACE com.vmware.identity.saml.idm.IdmPrincipalAttributesExtractor] An attribute PrincipalAttribute [name=http://vmware.com/schemas/attr-names/2011/07/isSolution, format=urn:oasis:names:tc:SAML:2.
0:attrname-format:uri, friendly name=Subject Type, value=[false]] retrieved for {Name: <User>, Domain: <Domain with Custom UPN>}
[YYYY-MM-DD <time></time> tomcat-http--7 TRACE com.vmware.identity.saml.idm.IdmPrincipalAttributesExtractor] An attribute PrincipalAttribute [name=http://schemas.xmlsoap.org/claims/UPN, format=urn:oasis:names:tc:SAML:2.0:attrname-format:
uri, friendly name=userPrincipalName, value=[<User>@<Domain with Custom UPN>]] retrieved for {Name: <User>, Domain: <Domain with Custom </i>UPN>}
Resolution
This issue has been resolved in:
VMware vCenter Server 5.5 Update 1.
VMware vCenter Server 5.1 Patch 1.
To work around this issue, use one of these options:
- Log in without selecting the Use Windows Session Authentication option in the vSphere Client or the vSphere Web Client.
- When vCenter Single Sign On is installed on a Windows system, Active Directory users with custom suffixes must log into the vSphere Web Client or vSphere Client using their user name with the non-customized domain name as a suffix.
Feedback
Yes
No
Powered by
