Active Directory users were not able to log in to the vCenter - "Cannot connect to vCenter Single Sign-On server https://vcfqdn/sts/STSService/vsphere.local" - vCenter 7.0u3
Article ID: 316509

Products

VMware vCenter Server

Issue/Introduction

Users receive the following error when authenticating to vCenter 7.0u3 with Active Directory credentials:

Cannot connect to vCenter Single Sign-On server https://<VC FQDN>/sts/STSService/vsphere.local
  • Local users can log in
  • Groups on AD can be searched from the vCenter
/var/log/vmware/vsphere-ui/logs/vsphere_client_virgo.log:
[YYYY-MM-DDTHH:MM:SS] [ERROR] http-nio-5090-exec-1 ######## ###### ###### com.vmware.vsphere.client.security.sso.SsoAuthenticationHandler Error during authentication com.vmware.vcenter.apigw.session.SessionCreationException: Can't create a session for user {} with token {} because of failure to acquire a local delegated token
    at com.vmware.vcenter.apigw.session.frontend.impl.FrontendSessionManagerImpl.create(FrontendSessionManagerImpl.java:388)
    at com.vmware.vcenter.apigw.api.impl.ApiGatewaySessionManagerImpl.login(ApiGatewaySessionManagerImpl.java:39)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
[YYYY-MM-DDTHH:MM:SS] [ERROR] http-nio-5090-exec-1 ######## ###### ###### com.vmware.vise.security.spring.DefaultAuthenticationProvider Authentication failure com.vmware.vise.security.spring.DefaultAuthenticationException: ssoFault=Cannot connect to vCenter Single Sign-On server https://<VC FQDN>/sts/STSService/vsphere.local.
    at com.vmware.vsphere.client.security.sso.SsoAuthenticationHandler.authenticate(SsoAuthenticationHandler.java:228)
    at com.vmware.vise.security.spring.DefaultAuthenticationProvider.authenticate(DefaultAuthenticationProvider.java:353)
    at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:182)
    at com.vmware.vise.security.websso.WebssoAuthenticationProcessingFilter.attemptAuthentication(WebssoAuthenticationProcessingFilter.java:47)
    at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:222)
    at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:212)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336)
    at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:103)

/var/log/vmware/vsphere-ui/logs/apigw.log:
[YYYY-MM-DDTHH:MM:SS] [WARN ] agw-token-acq4 ######## ###### 200004 AsyncTokenProvider [] Token acquisition took too long: 59855 ms
[YYYY-MM-DDTHH:MM:SS] [INFO ] agw-token-acq6 ######## ###### 200006 SsoServiceImpl [] Acquiring token by token from domain vsphere.local(######-####-####-####-#############) from STS http://localhost:1080/external-vecs/http1/<VC FQDN>/443/sts/STSService/vsphere.local. actAs={Name: user_1, Domain: ####.####.####.#####.###}, delegateTo=null, authz={Name: vsphere-webclient-######-####-####-####-############, Domain: vsphere.local}
[YYYY-MM-DDTHH:MM:SS] [ERROR] http-nio-5090-exec-1 ######## ###### 200006 FrontendSessionManagerImpl [] Couldn't acquire a delegated HoK token for the local SSO domain while using token _######-####-####-####-############ as an act-as token. Therefore, a front-end session can't be created com.vmware.vcenter.apigw.api.sso.tokenmgmt.TokenException: Failed to retrieve token for SSO domain vsphere.local(########-####-####-####-###############)
    at com.vmware.vcenter.apigw.sso.tokenmgmt.impl.AsyncTokenProvider.doGetSamlToken(AsyncTokenProvider.java:461)
    at com.vmware.vcenter.apigw.sso.tokenmgmt.impl.AsyncTokenProvider.getSamlToken(AsyncTokenProvider.java:432)
    at com.vmware.vcenter.apigw.session.frontend.impl.FrontendSessionManagerImpl.create(FrontendSessionManagerImpl.java:378)
    at com.vmware.vcenter.apigw.api.impl.ApiGatewaySessionManagerImpl.login(ApiGatewaySessionManagerImpl.java:39)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:344)
    at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:205)

Environment

VMware vCenter Server 7.0.x
VMware vCenter Server 7.0.3

Cause

The STS service does not return the token within the 30-second token acquisition timeout, so the vSphere UI cannot obtain the delegated token it needs to create the session.

Resolution

This issue is resolved in VMware vCenter Server 7.0 U3f build 20051473, available at Broadcom Downloads.

Workaround:
Increase the 30-second timeout for token acquisition to 2 minutes.
------------------------------------------------------------------------------------------------------------
1. Create a snapshot.
2. cd /usr/lib/vmware-vsphere-ui/plugin-packages/cis-data-service-plugin/plugins
3. Back up the original file to another directory. For example: cp api-gateway-server.war ~
4. unzip api-gateway-server.war
5. vi WEB-INF/spring/bundle-context.xml

6. Navigate to the line containing the string "tokenAcquisitionTimeout" (Press '/' type "tokenAcquisitionTimeout" and press 'Return')
You should see content like this:
<constructor-arg index="6" value="30" /> <!-- tokenAcquisitionTimeout -->
<constructor-arg index="7" value="SECONDS" /> <!-- timeUnitForTokenAcquisitionTimeout -->
Modify the values to increase the timeout (Press `i` and then type the new values).
For example:
<constructor-arg index="6" value="2" /> <!-- tokenAcquisitionTimeout -->
<constructor-arg index="7" value="MINUTES" /> <!-- timeUnitForTokenAcquisitionTimeout -->
7. Optionally, increase one more timeout.
Navigate to the line containing the string
<bean id="backendServiceAuthenticator"
(Press '/', type 'id="backendServiceAuthenticator"' and press 'Return')
You should see content like this:
<constructor-arg index="1" value="20" />        <!--  loginTimeout -->
<constructor-arg index="2" value="SECONDS" />   <!--  loginTimeoutUnit -->
<constructor-arg index="3" value="20" />        <!--  logoutTimeout -->
<constructor-arg index="4" value="SECONDS" />   <!--  logoutTimeoutUnit -->
Modify it to this:
<constructor-arg index="1" value="2" />         <!--  loginTimeout -->
<constructor-arg index="2" value="MINUTES" />   <!--  loginTimeoutUnit -->
<constructor-arg index="3" value="2" />         <!--  logoutTimeout -->
<constructor-arg index="4" value="MINUTES" />   <!--  logoutTimeoutUnit -->

8. Save the modifications. (Press 'Esc' then type ":x" and then press 'Return')
9. rm api-gateway-server.war
10. zip -rm api-gateway-server.war META-INF WEB-INF
11. chmod 755 api-gateway-server.war
12. service-control --restart vsphere-ui
13. Once the service is up and running, the back up of the original file can be removed. For example: rm ~/api-gateway-server.war
------------------------------------------------------------------------------------------------------------
Note: It is very important that the file permissions of api-gateway-server.war are 755 (rwxr-xr-x); otherwise login will not function at all.
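Added example, not VMware's code or part of this article: a POSIX shell script that applies the step 6 and step 7 edits to an unpacked WEB-INF/spring/bundle-context.xml with sed, prints the resulting values so they can be verified before the .war is re-zipped, and checks the 755 mode the note above requires. The sample XML fragment in make_sample is constructed from the lines quoted in the article; the cacheSize line in it is invented to show that neighbouring arguments are left untouched.

```shell
#!/bin/sh
# Added example, not VMware's code: applies the bundle-context.xml edits from
# steps 6 and 7 with sed and checks the .war mode required by the closing note.
set -eu

# set_timeout FILE COMMENT VALUE UNIT_COMMENT UNIT
# Rewrites value="..." on the constructor-arg line whose trailing XML comment
# is exactly COMMENT, and on the unit line tagged UNIT_COMMENT. Matching on
# the comment avoids touching other index="6"/"7" args elsewhere in the file.
set_timeout() {
    file=$1; comment=$2; value=$3; unit_comment=$4; unit=$5
    tmp="$file.tmp.$$"
    sed -e "/<!--[[:space:]]*$comment[[:space:]]*-->/s/value=\"[^\"]*\"/value=\"$value\"/" \
        -e "/<!--[[:space:]]*$unit_comment[[:space:]]*-->/s/value=\"[^\"]*\"/value=\"$unit\"/" \
        "$file" > "$tmp" && mv "$tmp" "$file"
}

# current_value FILE COMMENT: prints the value attribute on the tagged line,
# so the edit can be verified before zipping the .war back up (step 10).
current_value() {
    sed -n "/<!--[[:space:]]*$2[[:space:]]*-->/s/.*value=\"\([^\"]*\)\".*/\1/p" "$1"
}

# apply_workaround FILE: the article's values, 2 MINUTES for all three timeouts.
apply_workaround() {
    set_timeout "$1" tokenAcquisitionTimeout 2 timeUnitForTokenAcquisitionTimeout MINUTES
    set_timeout "$1" loginTimeout 2 loginTimeoutUnit MINUTES
    set_timeout "$1" logoutTimeout 2 logoutTimeoutUnit MINUTES
}

# war_mode_ok FILE: true only if the mode is exactly 755 (rwxr-xr-x); the
# article warns that login fails entirely otherwise. ls output is portable.
war_mode_ok() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rwxr-xr-x" ]
}

# make_sample FILE: constructed fragment with the lines quoted in the article
# plus one neighbouring arg (cacheSize, invented) that must stay untouched.
make_sample() {
    cat > "$1" <<'EOF'
<constructor-arg index="5" value="100" /> <!-- cacheSize -->
<constructor-arg index="6" value="30" /> <!-- tokenAcquisitionTimeout -->
<constructor-arg index="7" value="SECONDS" /> <!-- timeUnitForTokenAcquisitionTimeout -->
<constructor-arg index="1" value="20" />        <!--  loginTimeout -->
<constructor-arg index="2" value="SECONDS" />   <!--  loginTimeoutUnit -->
<constructor-arg index="3" value="20" />        <!--  logoutTimeout -->
<constructor-arg index="4" value="SECONDS" />   <!--  logoutTimeoutUnit -->
EOF
}
```

Run apply_workaround against the real bundle-context.xml only after the unzip in step 4 and the backup in step 3; the remaining steps (rm, zip -rm, chmod 755, service-control --restart) are unchanged.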

Additional Information

Impact/Risks:
Active Directory users were unable to log in to the vCenter.