vCenter login fails with "Invalid Credential" when "Do not use Kerberos preauthentication" flag is enabled for active directory user

Article ID: 316507

Products

VMware vCenter Server

Issue/Introduction

Symptoms:

  • Web client login to vCenter fails with "Invalid Credential".
  • In the websso.log, you see entries similar to:

[2019-05-10T12:28:00.720+12:00 tomcat-http--37 domain.local ########-####-####-####-########a4ee ERROR com.vmware.identity.samlservice.impl.CasIdmAccessor] Caught exception.
com.vmware.identity.idm.IDMLoginException: Native platform error [code: -1073741809][null][null]
        at com.vmware.identity.idm.server.ServerUtils.getRemoteException(ServerUtils.java:124) ~[vmware-identity-idm-server-7.0.0.jar:?]
        at com.vmware.identity.idm.server.IdentityManager.authenticate(IdentityManager.java:9757) ~[vmware-identity-idm-server-7.0.0.jar:?]
        at com.vmware.identity.idm.client.CasIdmClient.authenticate(CasIdmClient.java:1263) ~[vmware-identity-idm-client-7.0.0.jar:?]
        at com.vmware.identity.samlservice.impl.CasIdmAccessor.authenticate(CasIdmAccessor.java:470) [websso-7.0.0.jar:?]
        at com.vmware.identity.samlservice.impl.AuthnRequestStatePasswordAuthenticationFilter.authenticate(AuthnRequestStatePasswordAuthenticationFilter.java:95) [websso-7.0.0.jar:?]
        at com.vmware.identity.samlservice.impl.AuthnRequestStatePasswordAuthenticationFilter.authenticate(AuthnRequestStatePasswordAuthenticationFilter.java:45) [websso-7.0.0.jar:?]
        at com.vmware.identity.samlservice.impl.AuthnRequestStateCookieWrapper.authenticate(AuthnRequestStateCookieWrapper.java:123) [websso-7.0.0.jar:?]
        at com.vmware.identity.samlservice.impl.AuthnRequestStateCookieWrapper.authenticate(AuthnRequestStateCookieWrapper.java:43) [websso-7.0.0.jar:?]
        at com.vmware.identity.samlservice.AuthnRequestState.authenticate(AuthnRequestState.java:463) [websso-7.0.0.jar:?]
        at com.vmware.identity.BaseSsoController.processSsoRequest(BaseSsoController.java:89) [websso-7.0.0.jar:?]
        at com.vmware.identity.SsoController.sso(SsoController.java:100) [websso-7.0.0.jar:?]
        at sun.reflect.GeneratedMethodAccessor169.invoke(Unknown Source) ~[?:?]
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_202]
        at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_202]

[2019-05-10T12:28:00.730+12:00 tomcat-http--37 domain.local             ########-####-####-####-########a4ee INFO  auditlogger] {"user":"[email protected]","client":"xx.xx.xx.xx","timestamp":"05/10/2019 12:28:00 NZST","description":"User [email protected]@<ip addr> failed to log in with response code 401","eventSeverity":"INFO","type":"com.vmware.sso.LoginFailure"}
[2019-05-10T12:28:00.730+12:00 tomcat-http--37 domain.local             ########-####-####-####-########a4ee ERROR com.vmware.identity.samlservice.AuthnRequestState] Caught Saml Service Exception from authenticate com.vmware.identity.samlservice.SamlServiceException
[2019-05-10T12:28:00.730+12:00 tomcat-http--37 domain.local             ########-####-####-####-########a4ee INFO  com.vmware.identity.samlservice.impl.SAMLAuthnResponseSender] Responded with ERROR 401 message Invalid credentials
[2019-05-10T12:28:00.730+12:00 tomcat-http--37 domain.local             ########-####-####-####-########a4ee INFO  com.vmware.identity.BaseSsoController] End processing SP-Initiated SSO response. Session was created.
[2019-05-10T12:28:19.959+12:00 tomcat-http--18 domain.local             ########-####-####-####-########420c INFO  com.vmware.identity.SsoController] Welcome to SP-initiated AuthnRequest handler! The client locale is en_GB, tenant is domain.local
[2019-05-10T12:28:19.959+12:00 tomcat-http--18 domain.local             ########-####-####-####-########420c INFO  com.vmware.identity.SsoController] Request URL is https://v-vcs-psc.vmware.com/websso/SAML2/SSO/domain.local
[2019-05-10T12:28:20.005+12:00 tomcat-http--18 domain.local             ########-####-####-####-########4f90 INFO  com.vmware.identity.samlservice.impl.AuthnRequestStateValidator] Authn request proxyCount= null set isProxying=false
[2019-05-10T12:28:20.012+12:00 tomcat-http--18 domain.local             ########-####-####-####-########4f90 INFO  com.vmware.identity.samlservice.impl.AuthnRequestStateValidator] Authentication request validation succeeded
[2019-05-10T12:28:20.018+12:00 tomcat-http--18 domain.local             ########-####-####-####-########4f90 INFO  com.vmware.identity.idm.server.provider.activedirectory.ActiveDirectoryProvider] Failed to retrieve default UPN for principal [email protected]
com.vmware.identity.idm.InvalidPrincipalException: Principal id [email protected] does not exist

  • The "Do not require Kerberos preauthentication" flag is enabled for the user in Active Directory.

Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.

Environment

VMware vCenter Server 6.5.x
VMware vCenter Server 6.7.x

Resolution

To resolve this issue, clear the "Do not require Kerberos preauthentication" option on the affected user account in Active Directory.
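
One way to script the resolution with the RSAT ActiveDirectory module, added here as an example and not taken from the original article: it lists every account in the domain that carries the flag, then clears it for named accounts and re-reads the result. The function names and the two account names are hypothetical.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not VMware or Microsoft code. The function names and the
# account names at the bottom are hypothetical.

# userAccountControl bit 0x400000 (4194304) is DONT_REQ_PREAUTH, shown in the
# GUI as "Do not require Kerberos preauthentication". The matching rule
# 1.2.840.113556.1.4.803 is a bitwise AND, so this lists every flagged user.
function Get-PreAuthExemptUser {
    Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=4194304)' `
               -Properties DoesNotRequirePreAuth, whenChanged |
        Select-Object SamAccountName, Enabled, DoesNotRequirePreAuth, whenChanged
}

function Clear-PreAuthExemption {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string[]]$SamAccountName)

    foreach ($name in $SamAccountName) {
        try {
            $user = Get-ADUser -Identity $name -Properties DoesNotRequirePreAuth -ErrorAction Stop
        } catch {
            Write-Warning "Account '$name' not found or not readable: $($_.Exception.Message)"
            continue
        }
        $before = [bool]$user.DoesNotRequirePreAuth
        if ($before -and $PSCmdlet.ShouldProcess($user.DistinguishedName, 'Require Kerberos preauthentication')) {
            Set-ADAccountControl -Identity $user -DoesNotRequirePreAuth $false
            # Re-read from the directory instead of assuming the write took effect.
            $user = Get-ADUser -Identity $name -Properties DoesNotRequirePreAuth
        }
        [pscustomobject]@{
            SamAccountName = $user.SamAccountName
            FlagBefore     = $before
            FlagAfter      = [bool]$user.DoesNotRequirePreAuth
        }
    }
}

# Domain-wide report first, then fix only the accounts that fail vCenter login.
Get-PreAuthExemptUser | Sort-Object SamAccountName | Format-Table -AutoSize
Clear-PreAuthExemption -SamAccountName 'svc-vcenter', 'jdoe' -WhatIf   # constructed names
```

Remove `-WhatIf` once the preview lists only the intended accounts; `FlagAfter` should then read `False` for each of them.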