Symptoms:
YYYY-MM-DD 14:44:30.548573 Log initialized for websso login
YYYY-MM-DD 14:44:30.548573 onAppInit : using CIP Build 6.5.0.7649148
YYYY-MM-DD 14:44:33.605753 enableSspi : getting the userNamer for this logged on User
YYYY-MM-DD 14:44:35.514878 onGetADUserName : Username is COMP\Administrator
YYYY-MM-DD 14:44:57.083094 Login started for user : COMP\Administrator
YYYY-MM-DD 14:44:57.084096 Using Windows SSPI Authentication to login. spn is : [ ]
YYYY-MM-DD 14:44:57.217098 Error received during negotiation. Msg : [ Invalid credentials ]
YYYY-MM-DD 14:44:57.218104 did the login fail? if using SSPI - ensure the logged in user can login to the SSO service
[YYYY-MM-DDT14:44:57.102-08:00 tomcat-http--39 ########-####-####-####-########8253 INFO com.vmware.identity.SsoController] Welcome to SP-initiated AuthnRequest handler! The client locale is en_US, tenant is vsphere.local
[YYYY-MM-DDT14:44:57.102-08:00 tomcat-http--39 ########-####-####-####-########8253 INFO com.vmware.identity.SsoController] Request URL is https://COMP/websso/SAML2/SSO/vsphere.local
[YYYY-MM-DDT14:44:57.185-08:00 tomcat-http--39 ########-####-####-####-########441c INFO com.vmware.identity.samlservice.impl.AuthnRequestStateValidator] Validating SAML AuthnRequest, ID: _e21d69060f7be30001afde25e3d4a43d
[YYYY-MM-DDT14:44:57.190-08:00 tomcat-http--39 ########-####-####-####-########441c INFO com.vmware.identity.samlservice.impl.AuthnRequestStateValidator] Authn request proxyCount= null set isProxying=false
[YYYY-MM-DDT14:44:57.203-08:00 tomcat-http--39 ########-####-####-####-########441c INFO com.vmware.identity.samlservice.impl.AuthnRequestStateValidator] Authentication request validation succeeded
[YYYY-MM-DDT14:44:57.212-08:00 tomcat-http--39 ########-####-####-####-########441c INFO auditlogger] {"user":"","client":"10.109.40.80","timestamp":"11/18/2019 14:44:57 PST","description":"User @10.109.40.80 failed to log in with response code 401","eventSeverity":"INFO","type":"com.vmware.sso.LoginFailure"}
[YYYY-MM-DDT14:44:57.212-08:00 tomcat-http--39 ########-####-####-####-########441c ERROR com.vmware.identity.samlservice.AuthnRequestState] Caught Saml Service Exception from authenticate com.vmware.identity.samlservice.SamlServiceException
[YYYY-MM-DDT14:44:57.213-08:00 tomcat-http--39 ########-####-####-####-########441c ERROR com.vmware.identity.BaseSsoController] Sending error to browser. ERROR: 401, message
Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.
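To check a websso.log for the server-side signature shown above, the following added example (not VMware code) reports login failures with response code 401 and an empty user name that share a correlation ID with a SamlServiceException. The function name, the sample lines, and the assumption that an ordinary failed login records a user name are constructed for illustration; matching records are candidates to compare against the client-side SSPI error, not proof of this issue.

```python
import json
import re

# websso.log record layout, as in the excerpt above:
# [timestamp thread correlation-id LEVEL logger] message
RECORD = re.compile(
    r"^\[(?P<ts>\S+) (?P<thread>\S+) (?P<cid>\S+) +(?P<level>[A-Z]+) +"
    r"(?P<logger>[^\]\s]+)\] (?P<msg>.*)$"
)

def find_anonymous_sso_failures(lines):
    """Return 401 login failures that carry no user name and share a
    correlation id with a SamlServiceException error record."""
    failures, saml_errors = {}, set()
    for line in lines:
        m = RECORD.match(line.strip())
        if not m:
            continue
        cid, msg = m["cid"], m["msg"]
        if m["logger"] == "auditlogger":
            try:
                event = json.loads(msg)
            except ValueError:
                continue  # not a JSON audit record
            if (event.get("type") == "com.vmware.sso.LoginFailure"
                    and not event.get("user")
                    and "response code 401" in event.get("description", "")):
                failures[cid] = {"timestamp": m["ts"], "client": event.get("client"),
                                 "correlation_id": cid}
        elif m["level"] == "ERROR" and "SamlServiceException" in msg:
            saml_errors.add(cid)
    return [hit for cid, hit in failures.items() if cid in saml_errors]

# Constructed sample lines (timestamps, ids, addresses and user are made up).
SAMPLE_LOG = """\
[2019-11-18T14:44:57.203-08:00 tomcat-http--39 aaaa-0001 INFO com.vmware.identity.samlservice.impl.AuthnRequestStateValidator] Authentication request validation succeeded
[2019-11-18T14:44:57.212-08:00 tomcat-http--39 aaaa-0001 INFO auditlogger] {"user":"","client":"192.0.2.10","timestamp":"11/18/2019 14:44:57 PST","description":"User @192.0.2.10 failed to log in with response code 401","eventSeverity":"INFO","type":"com.vmware.sso.LoginFailure"}
[2019-11-18T14:44:57.212-08:00 tomcat-http--39 aaaa-0001 ERROR com.vmware.identity.samlservice.AuthnRequestState] Caught Saml Service Exception from authenticate com.vmware.identity.samlservice.SamlServiceException
[2019-11-18T14:50:02.101-08:00 tomcat-http--12 bbbb-0002 INFO auditlogger] {"user":"alice@example.test","client":"192.0.2.11","timestamp":"11/18/2019 14:50:02 PST","description":"User alice@example.test@192.0.2.11 failed to log in with response code 401","eventSeverity":"INFO","type":"com.vmware.sso.LoginFailure"}
[2019-11-18T14:50:02.102-08:00 tomcat-http--12 bbbb-0002 ERROR com.vmware.identity.samlservice.AuthnRequestState] Caught Saml Service Exception from authenticate com.vmware.identity.samlservice.SamlServiceException
""".splitlines()

if __name__ == "__main__":
    for hit in find_anonymous_sso_failures(SAMPLE_LOG):
        print(hit)
```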
Cause:
This issue is caused by a Base64 chunk encoding error that appears after OpenSAML is upgraded from version 2.6 to 3.2 in vCenter Server 6.5 U3.
Resolution:
This issue is resolved in vCenter Server 6.7 U3g, available at Broadcom Downloads.
This issue is resolved in vCenter Server 6.5 U3k, available at Broadcom Downloads.
Workaround:
To work around the issue, enter the user credentials manually to authenticate.