Users cannot authenticate if there are spaces in the log in name when using VMware vCenter Server Appliance

Article ID: 332299

Products

VMware vCenter Server

Issue/Introduction

Symptoms:

  • The VMware vCenter Server Appliance is deployed and vCenter Single Sign-On is configured to use Integrated Windows Authentication for the Active Directory tenant.
  • User accounts that have a space in the user log in name in Active Directory fail to log in to the vSphere Client or vSphere Web Client.
  • You see the error:

    Cannot complete login due to an incorrect username or password
    Provided credentials are not valid
     
  • In the /var/log/vmware/vpx/vpxd.log file, you see entries similar to:

    YYYY-MM--DDTHH:MM:SS.019Z [7F9C5357F700 info 'commonvpxLro' opID=A3C49B53-00000004-21] [VpxLRO] -- BEGIN task-internal-3454 -- -- vim.SessionManager.login -- e0a58369-a6e1-4311-c1f1-3c792f4dcdec
    YYYY-MM--DDTHH:MM:SS.020Z [7F9C5357F700 info '[SSO]' opID=A3C49B53-00000004-21] [UserDirectorySso] Authenticate(DOMAIN\example user, "not shown")
    YYYY-MM--DDTHH:MM:SS.117Z [7F9C5357F700 error '[SSO]' opID=A3C49B53-00000004-21] [UserDirectorySso] AcquireToken exception: N9SsoClient27InvalidCredentialsExceptionE(Authentication failed: Invalid credentials)
    YYYY-MM--DDTHH:MM:SS.117Z [7F9C5357F700 error 'authvpxdUser' opID=A3C49B53-00000004-21] Failed to authenticate user <DOMAIN\example user>
    YYYY-MM--DDTHH:MM:SS.121Z [7F9C5357F700 info 'commonvpxLro' opID=A3C49B53-00000004-21] [VpxLRO] -- FINISH task-internal-3454 -- -- vim.SessionManager.login --
    YYYY-MM--DDTHH:MM:SS.121Z [7F9C5357F700 info 'Default' opID=A3C49B53-00000004-21] [VpxLRO] -- ERROR task-internal-3454 -- -- vim.SessionManager.login: vim.fault.InvalidLogin:
    --> Result:
    --> (vim.fault.InvalidLogin) {
    --> dynamicType = <unset>,
    --> faultCause = (vmodl.MethodFault) null,
    --> msg = "",
    --> }
    --> Args:
    -->
    YYYY-MM--DDTHH:MM:SS.122Z [7F9C50AF9700 warning 'VpxProfiler' opID=A3C49B53-00000004-21-SWI-44637d9d] VpxUtil_InvokeWithOpId [TotalTime] took 30004 ms
     

  • In the /var/log/vmware/sso/vmware-sts-idmd.log file, you see entries similar to:

YYYY-MM--DD HH:MM:SS,111 ERROR [IdentityManager] Failed to authenticate principal [example user@DOMAIN] for tenant [vsphere.local]
YYYY-MM--DD HH:MM:SS,111 ERROR [ServerUtils] Exception 'com.vmware.identity.idm.IDMLoginException: Native platform error [code: -1765328378][null][null]'
com.vmware.identity.idm.IDMLoginException: Native platform error [code: -1765328378][null][null]
at com.vmware.identity.idm.server.IdentityManager.authenticate(IdentityManager.java:2334)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at sun.rmi.server.UnicastServerRef.dispatch(Unknown Source)
at sun.rmi.transport.Transport$1.run(Unknown Source)
at sun.rmi.transport.Transport$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at sun.rmi.transport.Transport.serviceCall(Unknown Source)
at sun.rmi.transport.tcp.TCPTransport.handleMessages(Unknown Source)
at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run0(Unknown Source)
at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
YYYY-MM--DD HH:MM:SS,111 INFO [IdentityManager] Authentication failed for user
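The two log signatures above can be correlated to separate failures that fit this article from failed logins that need ordinary review. The following Python is an added example, not part of the original article or VMware tooling; the function names are hypothetical, and the sample lines (timestamps, the `jdoe` and `svc backup` accounts, and the second error code) are constructed.

```python
import re
from collections import Counter

# Patterns taken from the log entries quoted in this article.
VPXD_FAIL = re.compile(r"Failed to authenticate user <([^\\>]+)\\([^>]+)>")
IDMD_FAIL = re.compile(r"Failed to authenticate principal \[([^@\]]+)@([^\]]+)\]")
IDMD_CODE = re.compile(r"Native platform error \[code: (-?\d+)\]")
KB_CODE = -1765328378  # native error code shown in the article's idmd log

def failed_logins(vpxd_lines):
    """Count vpxd.log login failures per DOMAIN\\user."""
    found = (VPXD_FAIL.search(line) for line in vpxd_lines)
    return Counter(m.group(1) + "\\" + m.group(2) for m in found if m)

def native_codes(idmd_lines):
    """Map DOMAIN\\user to the native error codes logged after its failure line."""
    codes, pending = {}, None
    for line in idmd_lines:
        m = IDMD_FAIL.search(line)
        if m:
            pending = m.group(2) + "\\" + m.group(1)
        elif pending and (c := IDMD_CODE.search(line)):
            codes.setdefault(pending, set()).add(int(c.group(1)))
    return codes

def triage(vpxd_lines, idmd_lines):
    """Split failures into (fits this article, needs normal review)."""
    codes = native_codes(idmd_lines)
    kb, review = {}, {}
    for user, count in failed_logins(vpxd_lines).items():
        name = user.split("\\", 1)[1]
        is_kb = " " in name and KB_CODE in codes.get(user, set())
        (kb if is_kb else review)[user] = count
    return kb, review

# Constructed sample input modelled on the entries above (not real log data).
VPXD = [
    r"2024-01-01T10:00:00.117Z [7F9C5357F700 error 'authvpxdUser' opID=A1] Failed to authenticate user <DOMAIN\example user>",
    r"2024-01-01T10:05:00.301Z [7F9C5357F700 error 'authvpxdUser' opID=A2] Failed to authenticate user <DOMAIN\jdoe>",
    r"2024-01-01T10:09:00.412Z [7F9C5357F700 error 'authvpxdUser' opID=A3] Failed to authenticate user <DOMAIN\svc backup>",
]
IDMD = [
    "2024-01-01 10:00:00,111 ERROR [IdentityManager] Failed to authenticate principal [example user@DOMAIN] for tenant [vsphere.local]",
    "2024-01-01 10:00:00,111 ERROR [ServerUtils] Exception 'com.vmware.identity.idm.IDMLoginException: Native platform error [code: -1765328378][null][null]'",
    "2024-01-01 10:05:00,300 ERROR [IdentityManager] Failed to authenticate principal [jdoe@DOMAIN] for tenant [vsphere.local]",
    "2024-01-01 10:05:00,300 ERROR [ServerUtils] Exception 'com.vmware.identity.idm.IDMLoginException: Native platform error [code: -1765328360][null][null]'",
]
```

Accounts returned in the first dictionary fit the pattern described here; everything in the second, including names with spaces that lack the matching idmd error code, is treated as an ordinary failed login.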

Cause

This issue occurs because of the special delimiter character used by the Likewise agent. When the Likewise agent communicates with the domain, it is designed to replace the spaces in the username with a caret (^).

Resolution

To resolve this issue, change the delimiter character in the Likewise agent to a space.


Ensure you have a backup or snapshot of the vCenter Server Appliance before proceeding.  

  1. Log in to the vCenter Server Appliance as root through SSH or console.
  2. Run these commands:

    /opt/likewise/bin/lwregshell set_value [HKEY_THIS_MACHINE\\Services\\lsass\\Parameters] SpaceReplacement " "

    /opt/likewise/bin/lwsm restart lsass
     
  3. Log in using the vSphere Client.

Notes:

  • If you have created an explicit permission in vCenter Server for the users, you have to delete and recreate the permission.
  • If you have created an implicit permission through Group permission, you should be able to sign in without any permission changes.