When adding an IWA (Integrated Windows Authentication) Identity Source to SSO in the Web Client, the name/alias of the Identity Source changes from what was used in the dialog once the page is refreshed.
Authentication fails for users with a permissions error similar to the following in the vpxd log:
YYYY-MM-DDTHH:MM:SS.info vpxd[56124] [Originator@6876 sub=Default opID=le38ohfi-129243-auto-2rq9-h5:70012167-df] [VpxLRO] -- ERROR lro-16912 -- SessionManager -- vim.SessionManager.loginByToken: vim.fault.NoPermission:
--> Result:
--> (vim.fault.NoPermission) {
--> faultCause = (vmodl.MethodFault) null,
--> faultMessage = <unset>,
--> object = 'vim.Folder:D1FDDC96-9E02-4DC8-A203-8F16DAE49308:group-d1',
--> privilegeId = "System.View"
--> msg = ""
--> }
--> Args:
-->
--> Arg locale:
--> "en"
Authentication may succeed if the user enters the full UPN for their account, but it fails when using just the username or "SHORT_NAME\User" format.
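One way to find this signature in a vpxd log, as an added example that is not part of the original article or of any VMware tooling: it groups each log header line with its `-->` continuation lines and reports the opID, task, object and privilege for every `loginByToken` call that ended in `vim.fault.NoPermission`. The function name `find_login_denials` and the second sample entry are assumptions made for illustration.

```python
import re

# Sample input: the first entry is the excerpt from this article (placeholder
# timestamp kept as-is); the last line is constructed to show a non-match.
SAMPLE_LOG = """\
YYYY-MM-DDTHH:MM:SS.info vpxd[56124] [Originator@6876 sub=Default opID=le38ohfi-129243-auto-2rq9-h5:70012167-df] [VpxLRO] -- ERROR lro-16912 -- SessionManager -- vim.SessionManager.loginByToken: vim.fault.NoPermission:
--> Result:
--> (vim.fault.NoPermission) {
--> faultCause = (vmodl.MethodFault) null,
--> faultMessage = <unset>,
--> object = 'vim.Folder:D1FDDC96-9E02-4DC8-A203-8F16DAE49308:group-d1',
--> privilegeId = "System.View"
--> msg = ""
--> }
YYYY-MM-DDTHH:MM:SS.info vpxd[56124] [Originator@6876 sub=Default opID=constructed-0001] [VpxLRO] -- BEGIN lro-16913 -- SessionManager -- vim.SessionManager.logout
"""

# Header of a failed token login: capture the opID and the task (lro) id.
HEADER = re.compile(
    r"opID=(?P<opid>[^\]\s]+)\].*?ERROR (?P<lro>lro-\d+) .*?"
    r"vim\.SessionManager\.loginByToken: vim\.fault\.NoPermission"
)
# Fault fields of interest inside the "-->" continuation lines.
FIELD = re.compile(r"-->\s*(object|privilegeId)\s*=\s*['\"]([^'\"]*)['\"]")


def find_login_denials(text):
    """Return one dict per loginByToken NoPermission entry found in text."""
    hits, current = [], None
    for line in text.splitlines():
        if not line.startswith("-->"):
            # Any line without the "-->" prefix starts a new log entry.
            m = HEADER.search(line)
            current = {"opID": m["opid"], "task": m["lro"]} if m else None
            if current is not None:
                hits.append(current)
        elif current is not None:
            f = FIELD.match(line)
            if f:
                current[f[1]] = f[2]
    return hits


if __name__ == "__main__":
    for hit in find_login_denials(SAMPLE_LOG):
        print(hit)
```

The opID returned for each hit can be used to correlate the failed login with the matching Web Client request.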
VMware vCenter Server 8.0
VMware vCenter Server 7.0.0
VMware vCenter Server 6.7.x
VMware vCenter Server 6.5.x
The name changes because, with IWA, SSO gathers the information from the domain. The customer's AD and DNS configuration can cause this issue, so that after the Identity Source is added, authentication fails unless the UPN is used. This is because the domain of the user and the domain listed in SSO as the default Identity Provider are different. This is not a VMware issue, but an issue with the configuration of the customer's environment.
Please open a support request with the GS team, and we will assist in resolving this issue.