Logging in to the vSphere Web Client fails with the error: ns0:RequestFailed: Internal Error while creating SAML 2.0 Token

Article ID: 338815


Products

VMware vCenter Server

Issue/Introduction

Symptoms:
  • You cannot log in to the vSphere Web Client or vSphere Client.
  • Logging in to the vSphere Web Client fails with this error:

    The authentication server returned an unexpected error: ns0:RequestFailed: Internal Error while creating SAML 2.0 Token. The error may be caused by a malfunctioning identity source.

  • Logging in to the vSphere Client fails with this error:

    unknown user or bad password

  • The imsTrace.log file (located at C:\Program Files\VMware\Infrastructure\SSOServer\logs\) contains entries similar to:

    10:10:06,045, [example-7], (GroupAccessLocalIS.java:313), trace.com.rsa.ims.admin.dal.localis.PrincipalAccessLocalIS, DEBUG, vcenter.domain.local,,,,Lookup failure: [GroupInfo.c:254] NetUserGetLocalGroups failed: Access denied
    10:10:06,045, [example-7], (SecurityTokenServiceImpl.java:117), trace.com.rsa.riat.sts.impl.SecurityTokenServiceImpl, ERROR, vcenter.domain.local,,,,Error while trying to generate RequestSecurityTokenResponse com.rsa.common.UnexpectedDataStoreException: Unexpected Local OS exception Caused by: com.rsa.ims.localis.LocalisAccessError: Local O/S Identity Source Error: LOCALIS_STATUS_INTERNAL, extended error: 5 : [GroupInfo.c:254] NetUserGetLocalGroups failed: Access is denied

    at com.rsa.ims.localis.LocalisAccessHelper.throwAccessError(LocalisAccessHelper.java:756)
    at com.rsa.ims.localis.LocalisAccessHelper.getUserGroupsByName(LocalisAccessHelper.java:535)
    at com.rsa.ims.admin.dal.localis.GroupAccessLocalIS.getGroupsByName(GroupAccessLocalIS.java:353)
    at com.rsa.ims.admin.dal.localis.GroupAccessLocalIS.handleLookupError(GroupAccessLocalIS.java:325)


  • The vpxd.log contains entries similar to this:

    Authenticate(harms\vmware1, "not shown")
    2014-01-15T12:51:09.633-05:00 [10176 error '[SSO]' opID=8A85DD23-00000004-e1] [UserDirectorySso] AcquireToken SsoException: Unexpected SOAP fault: ns0:RequestFailed; request failed.
    2014-01-15T12:51:09.633-05:00 [10176 error 'authvpxdUser' opID=8A85DD23-00000004-e1] Failed to authenticate user
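
The two log signatures above can be checked mechanically. The following Python sketch is an added example, not VMware code: it pairs the denied NetUserGetLocalGroups lookup with the STS token error in imsTrace.log, and ties the vpxd.log SOAP fault to the failed login by opID. The function names and the sample lines (host, thread and opIDs) are assumptions constructed from the format of the excerpts.

```python
import re

# imsTrace.log fields as in the excerpt: time, [thread], (src), logger, LEVEL, host,,,,msg
IMS = re.compile(r"^\s*(?P<time>\d\d:\d\d:\d\d,\d{3}), \[(?P<thread>[^\]]+)\], \([^)]+\), "
                 r"(?P<logger>[^,]+), (?P<level>[A-Z]+), (?P<host>[^,]*),,,,(?P<msg>.*)$")
# vpxd.log error lines as in the excerpt: timestamp [tid error 'tag' opID=...] msg
VPXD = re.compile(r"^\s*\S+ \[\d+ error '[^']+' opID=(?P<opid>[^\]\s]+)\] (?P<msg>.*)$")
DENIED = re.compile(r"NetUserGetLocalGroups failed: Access (?:is )?denied")


def ims_token_failures(lines):
    """STS token errors caused by a denied localOS group lookup."""
    last_lookup, findings = {}, []  # thread -> time of its last denied lookup
    for line in lines:
        m = IMS.match(line)
        if not m:
            continue  # stack frames and other continuation lines
        denied = DENIED.search(m["msg"])
        if m["level"] == "ERROR" and "SecurityTokenServiceImpl" in m["logger"]:
            if denied and "LocalisAccessError" in m["msg"]:
                findings.append({"time": m["time"], "host": m["host"],
                                 "lookup_at": last_lookup.get(m["thread"])})
        elif denied:
            last_lookup[m["thread"]] = m["time"]
    return findings


def vpxd_failed_logins(lines):
    """opIDs where an SSO ns0:RequestFailed fault precedes a failed login."""
    faulted, hits = set(), []
    for m in filter(None, map(VPXD.match, lines)):  # skip lines that are not error entries
        if "AcquireToken SsoException" in m["msg"] and "ns0:RequestFailed" in m["msg"]:
            faulted.add(m["opid"])
        elif "Failed to authenticate user" in m["msg"] and m["opid"] in faulted:
            hits.append(m["opid"])
    return hits


# Constructed sample lines modeled on the excerpts (host, thread and opIDs are made up).
SAMPLE_IMS = [
    "09:00:01,100, [worker-3], (GroupAccessLocalIS.java:313), trace.com.rsa.ims.admin.dal.localis.PrincipalAccessLocalIS, DEBUG, vc01.example.test,,,,Lookup failure: [GroupInfo.c:254] NetUserGetLocalGroups failed: Access denied",
    "09:00:01,101, [worker-3], (SecurityTokenServiceImpl.java:117), trace.com.rsa.riat.sts.impl.SecurityTokenServiceImpl, ERROR, vc01.example.test,,,,Error while trying to generate RequestSecurityTokenResponse com.rsa.common.UnexpectedDataStoreException: Unexpected Local OS exception Caused by: com.rsa.ims.localis.LocalisAccessError: Local O/S Identity Source Error: LOCALIS_STATUS_INTERNAL, extended error: 5 : [GroupInfo.c:254] NetUserGetLocalGroups failed: Access is denied",
    "    at com.rsa.ims.localis.LocalisAccessHelper.throwAccessError(LocalisAccessHelper.java:756)",
]
SAMPLE_VPXD = [
    "2014-01-15T12:51:09.633-05:00 [10176 error '[SSO]' opID=AAAA0000-00000001-01] [UserDirectorySso] AcquireToken SsoException: Unexpected SOAP fault: ns0:RequestFailed; request failed.",
    "2014-01-15T12:51:09.633-05:00 [10176 error 'authvpxdUser' opID=AAAA0000-00000001-01] Failed to authenticate user",
    "2014-01-15T12:52:00.000-05:00 [10176 error 'authvpxdUser' opID=BBBB0000-00000002-02] Failed to authenticate user",
]
```

A hit from ims_token_failures points at the localOS identity source; a failed login in vpxd.log with no preceding SSO fault (the second opID in the sample) is not reported, because it is not this issue.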



Environment

VMware vCenter Server 5.1.x
VMware vCenter Server 5.5.x

Cause

This issue occurs if there is a configuration problem related to the local operating system users and groups when you are using Active Directory (AD) users in local groups.

Resolution

To resolve this issue, review the configured Identity Sources for any incorrect entries. If all Identity Sources are correct, remove the localOS identity source from vCenter Server Single Sign-On (SSO).

Notes:
  • Before removing the localOS identity source from the SSO configuration, ensure that you have configured at least one domain user with administrative permissions.
  • When you remove the local operating system identity source, its associated user permissions are removed from vCenter Server and the configured local users can no longer log in to vCenter Server. This applies even if Domain Admins has local permissions on the vCenter Server machine.

To remove the localOS identity source from the SSO configuration:
  1. Log in to the vSphere Web Client as the SSO administrator.
  2. Click Administration.
  3. Click Sign-On and Discovery.
  4. Click Configuration.
  5. Identify the Local Identity Source. The domain name should match the machine name.
  6. Right-click Local Identity Source and click Delete Identity Source.


Additional Information

Unable to log in to vCenter Server with the vSphere Client or vSphere Web Client
vCenter Server not listed in the inventory after installing or upgrading to vSphere 5.5 / 6.0