Logging in to the vCenter Server Appliance fails with the error: Failed to authenticate user

Article ID: 313931


Products

VMware vCenter Server

Issue/Introduction

If logging in to the vCenter Server Appliance fails with the "Failed to authenticate user" error, resolve the issue by ensuring that the time is in sync between the vCenter Server machine, the domain controller in the domain it is joined to, and all domain controllers in the trusted domains.

Symptoms:

  • Logging in to the vCenter Server Appliance Web Client and/or vSphere Client fails with the error:

    Failed to authenticate user
     
  • In the vmware-vpx/vpxd.log (vCenter Server) or vpxd/vpxd.log (vCenter Server Appliance) file, you see entries similar to:

    YYYY-MM-DDT<time> info vpxd[7F80D2952700] [Originator@6876 sub=vpxLro opID=27db3f4e] [VpxLRO] -- BEGIN task-internal-1547326 -- SessionManager -- vim.SessionManager.login -- ########-####-####-####-########e4a3
    YYYY-MM-DDT<time> error vpxd[7F80D2952700] [Originator@6876 sub=[SSO] opID=27db3f4e] [UserDirectorySso] AcquireToken exception: N9SsoClient27InvalidCredentialsExceptionE(Authentication failed: Invalid credentials)
    YYYY-MM-DDT<time> error vpxd[7F80D2952700] [Originator@6876 sub=User opID=27db3f4e] Failed to authenticate user <DOMAIN\Username>
    YYYY-MM-DDT<time> info vpxd[7F80D2952700] [Originator@6876 sub=vpxLro opID=27db3f4e] [VpxLRO] -- FINISH task-internal-1547326
    YYYY-MM-DDT<time> info vpxd[7F80D2952700] [Originator@6876 sub=Default opID=27db3f4e] [VpxLRO] -- ERROR task-internal-1547326 -- SessionManager -- vim.SessionManager.login: vim.fault.InvalidLogin

    --> Result:
    --> (vim.fault.InvalidLogin) {
    --> faultCause = (vmodl.MethodFault) null,
    --> msg = ""
    --> }
    --> Args:
    -->
    --> Arg userName:
    --> "DOMAIN\Username"
    --> Arg password:
    --> (not shown)
    -->
    --> Arg locale:
    -->

     
  • In the C:/ProgramData/VMware/vCenterServer/logs/sso/vmware-sts-idmd.log file, you see entries similar to:

    Native platform error [code: 40087][LW_ERROR_CLOCK_SKEW][Clock skew detected with active directory server]

    and/or:

    [YYYY-MM-DDT<time> vsphere.local ########-####-####-####-########6ede ERROR] [IdentityManager] Failed to authenticate principal [Username@DOMAIN] for tenant [vsphere.local]
    com.vmware.identity.interop.idm.IdmNativeException: Native platform error [code: -1765328347][null][null]


Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on the environment.



Environment

VMware vCenter Server 6.x

Cause

This issue occurs when:
  • There is a time skew between the vCenter Server machine and the domain controller in the domain the Appliance is joined to, or any of the domain controllers that this domain controller trusts.
  • There are slow responses from Active Directory for authentication requests in Identity Manager.
  • Identity Manager itself is running slowly on the vCenter machine due to high CPU and/or memory usage.

 

Resolution

To resolve this issue, ensure that the time is in sync* between the vCenter Server machine, the domain controller in the domain it is joined to, and all domain controllers in trusted domains.

* Time in sync: ensure the time is the same on all communicating machines (VC, PSC, DCs, etc.).
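
Because vpxd.log reports this condition as "Invalid credentials", the same as a wrong password, the following added example (not VMware code) scans vmware-sts-idmd.log lines and flags only the entries whose native platform error code means clock skew. Assumptions not taken from this article: negative codes are decoded as MIT Kerberos error-table values (table base -1765328384 plus the RFC 4120 error number, where 37 is KRB_AP_ERR_SKEW), the function names are hypothetical, and the sample lines are constructed.

```python
import re

# MIT Kerberos reports protocol errors as (table base + RFC 4120 error number).
# Assumption from MIT krb5 / RFC 4120, not from the KB article.
KRB5_TABLE_BASE = -1765328384
KRB_AP_ERR_SKEW = 37          # RFC 4120: clock skew too great
LW_ERROR_CLOCK_SKEW = 40087   # code shown in the idmd log excerpt above

NATIVE_ERR = re.compile(r"Native platform error \[code: (-?\d+)\]")
PRINCIPAL = re.compile(r"Failed to authenticate principal \[([^\]]+)\]")


def is_clock_skew(code):
    """True if a native platform error code indicates clock skew."""
    if code == LW_ERROR_CLOCK_SKEW:
        return True
    # Codes in the krb5 table decode to an RFC 4120 error number.
    return code - KRB5_TABLE_BASE == KRB_AP_ERR_SKEW


def triage(lines):
    """Return (line_no, code, principal) for every clock-skew error.

    principal is taken from the nearest preceding 'Failed to authenticate
    principal' line, or None if no such line has been seen yet.
    """
    findings, principal = [], None
    for no, line in enumerate(lines, 1):
        m = PRINCIPAL.search(line)
        if m:
            principal = m.group(1)
        m = NATIVE_ERR.search(line)
        if m and is_clock_skew(int(m.group(1))):
            findings.append((no, int(m.group(1)), principal))
    return findings


# Constructed sample modelled on the excerpts above. The last line decodes to
# Kerberos error 24 (pre-authentication failed), which must NOT be flagged.
SAMPLE = """\
[2024-01-01T10:00:00.000Z vsphere.local 0000 ERROR] [IdentityManager] Failed to authenticate principal [alice@EXAMPLE] for tenant [vsphere.local]
com.vmware.identity.interop.idm.IdmNativeException: Native platform error [code: -1765328347][null][null]
Native platform error [code: 40087][LW_ERROR_CLOCK_SKEW][Clock skew detected with active directory server]
com.vmware.identity.interop.idm.IdmNativeException: Native platform error [code: -1765328360][null][null]
""".splitlines()

if __name__ == "__main__":
    for no, code, who in triage(SAMPLE):
        print(f"line {no}: clock skew (code {code}) principal={who}")
```

Failed logins that this check does not flag are not explained by time drift and should be reviewed as ordinary authentication failures.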