Unable to log in to vCenter Server with the vSphere Client or vSphere Web Client
Article ID: 336129

Products

VMware vCenter Server

Issue/Introduction

Symptoms

  • A user who is a member of a local group on the Windows machine on which vCenter Server is installed might be unable to log in to vCenter Server using the vSphere Client or vSphere Web Client, even though the user's credentials are valid.
  • Attempting to log in with the vSphere Client fails with one of these errors:

    • Cannot complete login due to an incorrect user name or password
    • The authentication server returned an unexpected error: ns0:RequestFailed: Internal Error while creating SAML 2.0 Token. The error may be caused by a malfunctioning identity source.

Cause

When SSO is installed on a Windows machine joined to a domain, identity sources are created for both the local machine users and the domain. When a domain user is authenticated, SSO attempts to retrieve the user's local groups. If SSO is unable to retrieve these groups, login fails with the errors listed in the Symptoms above even though the user's credentials were valid.

Environment

VMware vCenter Server 5.1.x

Resolution

To resolve this issue, search the imsTrace.log in the SSO support bundle for the string NetUserGetLocalGroups to determine the error returned by the NetUserGetLocalGroups function. If the string NetUserGetLocalGroups does not appear in the log file, the problem is not caused by the issue described in this article.

Note: The imsTrace.log file, located at C:\Program Files\VMware\Infrastructure\SSOServer\logs, is regularly backed up and overwritten. If the login error occurred at a time earlier than the earliest time stamp in the imsTrace.log file, inspect the backup log files.

  • If the error code is 1722 and the error message is The RPC server is unavailable, perform these steps:

    • Verify the DNS configuration. NetUserGetLocalGroups uses the short name for the Windows server (for example, myserver instead of myserver.example.com). If DNS is unable to resolve the short name for the Windows server, the call to NetUserGetLocalGroups fails.
    • Ensure that TCP port 135 (the RPC endpoint mapper) on your domain controller is reachable from the Windows server.
    • Ensure that NetBIOS over TCP/IP is enabled in the TCP/IPv4 settings of the network adapter on the Windows server.
    • Check for error messages in the Event Log.

  • If any other error code appears, see the MSDN reference for NetUserGetLocalGroups, and take the appropriate action for the relevant error.
  • Regardless of the cause of the NetUserGetLocalGroups failure, removing the local identity source allows domain users to log in. Before doing this, you must ensure that at least one domain user has full Administrator privileges on the vCenter Server; by default, only the local Administrators group has these privileges, so removing the local identity source without first granting them to a domain user locks you out of vCenter Server. After the local identity source is removed, local users can no longer log in to vCenter Server, and all permissions associated with local users and groups are deleted when vCenter Server is next restarted.
Note: It has also been reported that this issue can be resolved by adding the other forest or domain to the DNS suffix search list of the server's network adapter. Every domain that is configured as an identity source must appear in that DNS suffix list.
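The following triage script is an added example and is not part of the VMware article or the SSO product. Run it in an elevated PowerShell session on the Windows server that hosts SSO. It walks the checks above in order: it searches imsTrace.log and its rotated backups for NetUserGetLocalGroups and flags error 1722, then, for the 1722 case, tests short-name DNS resolution, TCP 135 reachability on a domain controller, the NetBIOS over TCP/IP setting and DNS suffix search list of each IP-enabled adapter, and lists the most recent System log errors. The log directory is the path given in the Note above; the domain controller name and the use of older .NET and WMI calls (so that the script also runs on the PowerShell 2.0 hosts typical of vCenter 5.1 installations) are assumptions.

```powershell
# Added example (not VMware code): triage for the NetUserGetLocalGroups failure.
param(
    # Log path from the KB article; adjust if SSO is installed elsewhere.
    [string]$LogDir = 'C:\Program Files\VMware\Infrastructure\SSOServer\logs',
    # Assumed domain controller name; replace with one of your own DCs.
    [string]$DomainController = 'dc01.example.com'
)

# 1. Search imsTrace.log and its rotated backups (the file is overwritten regularly).
$logs = Get-ChildItem -Path $LogDir -Filter 'imsTrace*.log*' -ErrorAction SilentlyContinue
if (-not $logs) { Write-Warning "No imsTrace logs found under $LogDir" }

$hits = @($logs | Select-String -Pattern 'NetUserGetLocalGroups' -SimpleMatch)
if ($hits.Count -eq 0) {
    Write-Host 'NetUserGetLocalGroups not found: the login failure is probably not this issue.'
    return
}
Write-Host "Found $($hits.Count) NetUserGetLocalGroups entries:"
$sawRpcError = $false
foreach ($h in $hits) {
    # Error 1722 is ERROR_RPC_S_SERVER_UNAVAILABLE ("The RPC server is unavailable").
    if ($h.Line -match '\b1722\b') { $sawRpcError = $true }
    Write-Host ("  {0}:{1}  {2}" -f $h.Filename, $h.LineNumber, $h.Line.Trim())
}
if (-not $sawRpcError) {
    Write-Host 'No error 1722 seen; look up the logged code in the NetUserGetLocalGroups reference.'
    return
}

# 2a. Short-name DNS resolution: NetUserGetLocalGroups uses the unqualified host name.
$shortName = $env:COMPUTERNAME
try {
    $entry = [System.Net.Dns]::GetHostEntry($shortName)
    Write-Host "DNS: '$shortName' resolves to $($entry.AddressList -join ', ')"
} catch {
    Write-Warning "DNS: short name '$shortName' does not resolve: $($_.Exception.Message)"
}

# 2b. TCP 135 (RPC endpoint mapper) on the DC. TcpClient is used instead of
#     Test-NetConnection because the latter is absent on older PowerShell versions.
$client = New-Object System.Net.Sockets.TcpClient
try {
    $async = $client.BeginConnect($DomainController, 135, $null, $null)
    if ($async.AsyncWaitHandle.WaitOne(3000)) {
        $client.EndConnect($async)   # throws if the connection was refused
        Write-Host "RPC: TCP 135 on $DomainController is reachable"
    } else {
        Write-Warning "RPC: connection to $DomainController port 135 timed out"
    }
} catch {
    Write-Warning "RPC: connection to $DomainController port 135 failed: $($_.Exception.Message)"
} finally {
    $client.Close()
}

# 2c. NetBIOS over TCP/IP and DNS suffix search list per IP-enabled adapter.
#     TcpipNetbiosOptions: 0 = use DHCP setting, 1 = enabled, 2 = disabled.
$nics = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
foreach ($nic in $nics) {
    $state = switch ($nic.TcpipNetbiosOptions) {
        0 { 'default (from DHCP)' }
        1 { 'enabled' }
        2 { 'DISABLED' }
        default { 'unknown' }
    }
    Write-Host "NetBIOS over TCP/IP on '$($nic.Description)': $state"
    $suffixes = if ($nic.DNSDomainSuffixSearchOrder) { $nic.DNSDomainSuffixSearchOrder -join ', ' } else { '(none)' }
    Write-Host "  DNS suffix search list: $suffixes   (every identity-source domain should be listed)"
}

# 2d. Recent System log errors, for correlation with the login failure time.
Get-EventLog -LogName System -EntryType Error -Newest 10 |
    Select-Object TimeGenerated, Source, EventID, Message |
    Format-Table -AutoSize -Wrap
```

Run it as `.\Check-NetUserGetLocalGroups.ps1 -DomainController <your DC>` (the script name is an assumption). A missing short-name resolution, a timeout on port 135, or NetBIOS reported as DISABLED each corresponds directly to one of the bullets above; if the DNS suffix list does not contain every identity-source domain, the Note above applies.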

For information on a related issue, see Logging in to the vSphere Web Client fails with the error: ns0:RequestFailed: Internal Error while creating SAML 2.0 Token (2043070).
