Logging in to vCenter Server through the vSphere Web Client or vSphere Client with NETBIOS domain format fails with the error: Cannot complete login due to an incorrect user name or password

Article ID: 336161

Products

VMware vCenter Server

Issue/Introduction

Symptoms:
  • Cannot log in to vCenter Server through the vSphere Web Client or vSphere Client with NETBIOS domain

  • Logging in to vCenter Server through the vSphere Web Client or vSphere Client with NETBIOS domain format Domain\User fails

  • You see the error:

    Cannot complete login due to an incorrect user name or password.
  • Users can successfully log in with the UPN format [email protected].

  • Identity Sources are configured to use Active Directory over LDAP.

  • In the C:\ProgramData\VMware\CIS\logs\vmware-sso\vmware-sts.idmd.log file, you see entries similar to:

    <YYYY-MM-DD>T<time>ERROR [IdentityManager] Failed to authenticate principal [broken_user@good] for tenant [vsphere.local]
    javax.security.auth.login.LoginException: Login failed
    at com.vmware.identity.idm.server.provider.ldap.LdapWithAdMappingsProvider.authenticate(LdapWithAdMappingsProvider.java:327)
    at com.vmware.identity.idm.server.IdentityManager.authenticate(IdentityManager.java:2412)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at sun.rmi.server.UnicastServerRef.dispatch(Unknown Source)
    at sun.rmi.transport.Transport$1.run(Unknown Source)
    at sun.rmi.transport.Transport$1.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.rmi.transport.Transport.serviceCall(Unknown Source)
    at sun.rmi.transport.tcp.TCPTransport.handleMessages(Unknown Source)
    at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run0(Unknown Source)
    at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)
    Caused by: com.vmware.identity.idm.InvalidPrincipalException: Failed to find Principal id : {Name: broken_user, Domain: good}
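
The following triage script is an added example, not part of the original article or any VMware tooling. It scans vmware-sts.idmd.log lines for failed logins whose trace ends in the InvalidPrincipalException shown above, so principal lookup failures can be separated from other login failures. The sample log, the timestamp format and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Message patterns copied from the log excerpt in this article.
AUTH_FAIL = re.compile(
    r"ERROR\s*\[IdentityManager\] Failed to authenticate principal "
    r"\[(?P<principal>[^\]]+)\] for tenant \[(?P<tenant>[^\]]+)\]")
NOT_FOUND = re.compile(
    r"Caused by: com\.vmware\.identity\.idm\.InvalidPrincipalException: "
    r"Failed to find Principal id : \{Name: (?P<name>[^,]+), Domain: (?P<domain>[^}]+)\}")
# Assumption: every log entry starts with a YYYY-MM-DDT... timestamp.
ENTRY_START = re.compile(r"^\d{4}-\d{2}-\d{2}T")

def lookup_failures(lines):
    """Return one record per failed login whose trace ends in a principal lookup failure."""
    records, current = [], None
    for raw in lines:
        line = raw.strip()
        if ENTRY_START.match(line):
            # New entry: track it only if it is a failed authentication.
            m = AUTH_FAIL.search(line)
            current = m.groupdict() if m else None
            continue
        m = NOT_FOUND.search(line) if current else None
        if m:
            records.append({**current, **m.groupdict()})
            current = None
    return records

def summarize(records):
    """Count lookup failures per domain. Heuristic (assumption): a domain
    without a dot is a short, NETBIOS-style name."""
    counts = Counter(r["domain"] for r in records)
    return {d: {"failures": n, "short_name": "." not in d} for d, n in counts.items()}

# Constructed sample log (not real data), modelled on the excerpt above.
SAMPLE_LOG = """\
2014-01-01T10:00:00 ERROR [IdentityManager] Failed to authenticate principal [broken_user@good] for tenant [vsphere.local]
javax.security.auth.login.LoginException: Login failed
    at com.vmware.identity.idm.server.IdentityManager.authenticate(IdentityManager.java:2412)
Caused by: com.vmware.identity.idm.InvalidPrincipalException: Failed to find Principal id : {Name: broken_user, Domain: good}
2014-01-01T10:01:00 INFO [IdentityManager] unrelated constructed entry
2014-01-01T10:02:00 ERROR [IdentityManager] Failed to authenticate principal [alice@corp.example] for tenant [vsphere.local]
javax.security.auth.login.LoginException: Login failed
2014-01-01T10:03:00 ERROR [IdentityManager] Failed to authenticate principal [bob@good] for tenant [vsphere.local]
Caused by: com.vmware.identity.idm.InvalidPrincipalException: Failed to find Principal id : {Name: bob, Domain: good}
"""

if __name__ == "__main__":
    for domain, info in summarize(lookup_failures(SAMPLE_LOG.splitlines())).items():
        print(domain, info)
```

Repeated lookup failures under a single short domain name while UPN logins for the same users succeed match the symptom pattern this article describes.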
 


Environment

VMware vCenter Server 5.5.x

Cause

This issue occurs when alternate UPN suffixes are set up incorrectly in Windows Active Directory.

Resolution

To resolve this issue, perform one of these steps:
  • Remove the alternate UPN suffixes that have the same name as the NETBIOS domain name in a child domain that is added to SSO.
  • Update the alternate UPN suffixes that redirect incorrectly.
  • Use the full UPN name to log in ([email protected]).