Logging in to the vCenter Server with Use Sessions Credentials fails with the error: User name and password are required

Article ID: 341703

Updated On:

Products

VMware vCenter Server

Issue/Introduction

Symptoms:
When you log in to the vCenter Server in the vSphere Web Client, you experience these symptoms:
  • When you log in using Use Windows Sessions Authentication in the vSphere Web Client, you see the error:

    User name and password are required

  • In the %appdata%..\..\Local\VMware\CIP\csd\logs\csd.log file, you see entries similar to:
<YYYY-MM-DD>T<time> [TRIV] Message recieved [50100]: {"method":"getADUserName","requestId":"7","componentId":"sspi","createInstance":"true","sessionId":"EfmR-fTms-mGFQ-Bplj"}
<YYYY-MM-DD>T<time> [INFO] Request 7 - [sspi: 8088-jT99-8gEX-Xsia].getADUserName: Received.
<YYYY-MM-DD>T<time> [TRIV] Message sent [50100]: {
"type": "result",
"statusCode": "OK",
"sessionId": "EfmR-fTms-mGFQ-Bplj",
"requestId": "7",
"requestComponentId": "sspi",
"requestObjectId": "8088-jT99-8gEX-Xsia",
"result": "<domain>\<user>",
"isFinal": "true"
}

<YYYY-MM-DD>T<time> [TRIV] Message recieved [50100]: {"providerName":"Negotiate","target":"HTTP/<vCenter_Server_FQDN>","method":"initialize","requestId":"11","componentId":"sspi","objectId":"8088-jT99-8gEX-Xsia","createInstance":"true","sessionId":"EfmR-fTms-mGFQ-Bplj"}
<YYYY-MM-DD>T<time> [INFO] Request 11 - [sspi: 8088-jT99-8gEX-Xsia].initialize: Received.
<YYYY-MM-DD>T<time> [TRIV] Message sent [50100]: {
"type": "result",
"statusCode": "OK",
"sessionId": "EfmR-fTms-mGFQ-Bplj",
"requestId": "11",
"requestComponentId": "sspi",
"requestObjectId": "8088-jT99-8gEX-Xsia",
"result": "YIISAgYGKwYBBQUCoIIR9jCCEfKgMDAuBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwIC... ...",
"isFinal": "true"
}
  • In the %appdata%..\..\Local\VMware\CIP\ui\sessions\session_0000\logs\login_xxxx.log file, you see entries similar to:
<YYYY-MM-DD>T<time> Log initialized for websso login
<YYYY-MM-DD>T<time> onAppInit : using CIP Build 6.0.0.2488235
<YYYY-MM-DD>T<time> enableSspi : getting the userNamer for this logged on User
<YYYY-MM-DD>T<time> onGetADUserName : Username is <domain>\<user>
<YYYY-MM-DD>T<time> Login started for user : <domain>\<user>
<YYYY-MM-DD>T<time> Using Windows SSPI Authentication to login. spn is : [ HTTP/<vCenter_Server_or_Platform_Services_Controller_FQDN> ]
<YYYY-MM-DD>T<time> OnInitializeSSPI : base64SSPIToken is : YIISAgYGKwYBBQUCoIIR9jCCEfKgMDAuBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwIC
...
<YYYY-MM-DD>T<time> Error received during negotiation. Msg : [ Bad Request ]
<YYYY-MM-DD>T<time> did the login fail? if using SSPI - ensure the logged in user can login to the SSO service
<YYYY-MM-DD>T<time> Login started for user : <domain>\<user>
<YYYY-MM-DD>T<time> Using username password to login
  • In the %ProgramData%/VMware/vCenterServer/runtime/VMwareSTSService/logs/localhost_access_log.YYYY-MM-DD.txt or /storage/log/vmware/sso/localhost_access_log.YYYY-MM-DD.txt file, you see entries similar to:
127.0.0.1 - - [<YYYY-MM-DD>T<time> -0700] "GET /websso/SAML2/SSO/vsphere.local?SAMLRequest=zZTNbtswEIT... HTTP/1.1" 400 -
127.0.0.1 - - [<YYYY-MM-DD>T<time> -0700] "GET /websso/SAML2/SSO/vsphere.local?SAMLRequest=zZTNbtswEIT... HTTP/1.1" 200 24371
    • In the %ProgramData%/VMware/vCenterServer/runtime/VMwareSTSService/logs/websso.log file or /storage/log/vmware/sso/websso.log file, you see entries similar to:
    [<YYYY-MM-DD>T<time>-07:00 tomcat-http--23 INFO com.vmware.identity.SsoController] Server SPN is HTTP/<vCenter_Server_or_Platform_Services_Controller_FQDN>
    [<YYYY-MM-DD>T<time>-07:00 tomcat-http--23 DEBUG com.vmware.identity.samlservice.DefaultIdmAccessorFactory] DefaultIdmAccessorFactory constructor
    [<YYYY-MM-DD>T<time>-07:00 tomcat-http--23 DEBUG com.vmware.identity.samlservice.DefaultIdmAccessorFactory] DefaultIdmAccessorFactory getIdmAccessor
    [<YYYY-MM-DD>T<time>-07:00 tomcat-http--23 DEBUG com.vmware.identity.samlservice.impl.CasIdmAccessor] CasIdmAccessor constructor called
    [<YYYY-MM-DD>T<time>-07:00 tomcat-http--23 DEBUG com.vmware.identity.samlservice.impl.CasIdmAccessor] setTenant: vsphere.local
    [<YYYY-MM-DD>T<time>-07:00 tomcat-http--23 DEBUG com.vmware.identity.samlservice.impl.CasIdmAccessor] getBrandName
    [<YYYY-MM-DD>T<time>-07:00 tomcat-http--23 INFO com.vmware.identity.SsoController] Accessing Tenant vsphere.local, brand name string null
    [<YYYY-MM-DD>T<time>-07:00 tomcat-http--23 DEBUG com.vmware.identity.samlservice.DefaultIdmAccessorFactory] DefaultIdmAccessorFactory constructor
    [<YYYY-MM-DD>T<time>-07:00 tomcat-http--23 DEBUG com.vmware.identity.samlservice.DefaultIdmAccessorFactory] DefaultIdmAccessorFactory getIdmAccessor
    [<YYYY-MM-DD>T<time>-07:00 tomcat-http--23 DEBUG com.vmware.identity.samlservice.impl.CasIdmAccessor] CasIdmAccessor constructor called
    [<YYYY-MM-DD>T<time>-07:00 tomcat-http--23 DEBUG com.vmware.identity.samlservice.impl.CasIdmAccessor] setTenant: vsphere.local
    [<YYYY-MM-DD>T<time>-07:00 tomcat-http--23 DEBUG com.vmware.identity.samlservice.impl.CasIdmAccessor] getLogonBanner
    [<YYYY-MM-DD>T<time>-07:00 tomcat-http--23 INFO com.vmware.identity.SsoController] Accessing Tenant vsphere.local, logon banner string null
    [<YYYY-MM-DD>T<time>-07:00 tomcat-http--23 DEBUG com.vmware.identity.SecurityRequestWrapperFilter] X-Forwarded-Proto set to https, so encapsulate it with secure request.
    ...
    [<YYYY-MM-DD>T<time>-07:00 tomcat-http--23 DEBUG com.vmware.identity.SecurityRequestWrapperFilter] X-Forwarded-Proto set to https, so encapsulate it with secure request.
    [<YYYY-MM-DD>T<time>-07:00 Thread-4 DEBUG com.vmware.identity.session.SessionCleanupWrapper] Check existing sessions
    [<YYYY-MM-DD>T<time>-07:00 Thread-4 DEBUG com.vmware.identity.session.impl.SessionManagerImpl] Returning all sessions
    • In the %ProgramData%/VMware/vCenterServer/runtime/VMwareSTSService/logs/catalina.YYYY-MM-DD.log file, you see entries similar to:

      <YYYY-MM-DD>T<time> INFO [tomcat-http--35] org.apache.coyote.http11.AbstractHttp11Processor.process Error parsing HTTP request header
      Note: further occurrences of HTTP header parsing errors will be logged at DEBUG level.
      <YYYY-MM-DD>T<time> INFO [tomcat-http--19] org.apache.coyote.http11.AbstractHttp11Processor.process Error parsing HTTP request header
      Note: further occurrences of HTTP header parsing errors will be logged at DEBUG level.
      <YYYY-MM-DD>T<time> INFO [tomcat-http--6] org.apache.coyote.http11.AbstractHttp11Processor.process Error parsing HTTP request header
      Note: further occurrences of HTTP header parsing errors will be logged at DEBUG level.
      <YYYY-MM-DD>T<time> INFO [tomcat-http--15] org.apache.coyote.http11.AbstractHttp11Processor.process Error parsing HTTP request header
      Note: further occurrences of HTTP header parsing errors will be logged at DEBUG level.
      <YYYY-MM-DD>T<time> INFO [tomcat-http--23] org.apache.coyote.http11.AbstractHttp11Processor.process Error parsing HTTP request header
      Note: further occurrences of HTTP header parsing errors will be logged at DEBUG level.



      Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.
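
The symptoms above span three logs, so a quick way to confirm this specific failure is to check that all three signatures appear together. The following is an added example, not VMware code: the signature strings come from the excerpts in this article, while the function names, result labels and sample log lines (timestamps, host, user) are constructed for illustration.

```python
import re

# Signatures copied from the log excerpts in this article.
NEGOTIATE_FAIL = "Error received during negotiation. Msg : [ Bad Request ]"
PASSWORD_FALLBACK = "Using username password to login"
HEADER_PARSE_ERR = "Error parsing HTTP request header"
WEBSSO_GET = re.compile(r'"GET /websso/SAML2/SSO/\S* HTTP/[\d.]+" (\d{3}) ')

def triage(login_log, access_log, catalina_log):
    """Return the set of symptom signatures present in the three logs."""
    found = set()
    lines = login_log.splitlines()
    for i, line in enumerate(lines):
        # SSPI negotiation is rejected, then the client falls back to a password prompt.
        if NEGOTIATE_FAIL in line and any(PASSWORD_FALLBACK in l for l in lines[i + 1:]):
            found.add("client_sspi_bad_request")
    statuses = [m.group(1) for m in map(WEBSSO_GET.search, access_log.splitlines()) if m]
    if "400" in statuses:
        found.add("sts_http_400")
    if HEADER_PARSE_ERR in catalina_log:
        found.add("tomcat_header_parse_error")
    return found

def matches_article(found):
    """All three signatures together are the pattern this article describes."""
    return found == {"client_sspi_bad_request", "sts_http_400", "tomcat_header_parse_error"}

# Constructed sample lines (timestamps, user and host are made up).
LOGIN = """2015-11-03T09:55:23 Using Windows SSPI Authentication to login. spn is : [ HTTP/psc.example.test ]
2015-11-03T09:55:23 Error received during negotiation. Msg : [ Bad Request ]
2015-11-03T09:55:24 Login started for user : EXAMPLE\\alice
2015-11-03T09:55:24 Using username password to login"""
ACCESS = """127.0.0.1 - - [03/Nov/2015:09:55:23 -0700] "GET /websso/SAML2/SSO/vsphere.local?SAMLRequest=AAAA HTTP/1.1" 400 -
127.0.0.1 - - [03/Nov/2015:09:55:24 -0700] "GET /websso/SAML2/SSO/vsphere.local?SAMLRequest=AAAA HTTP/1.1" 200 24371"""
CATALINA = "03-Nov-2015 09:55:23.101 INFO [tomcat-http--35] org.apache.coyote.http11.AbstractHttp11Processor.process Error parsing HTTP request header"

if __name__ == "__main__":
    hits = triage(LOGIN, ACCESS, CATALINA)
    print(sorted(hits), "-> matches article pattern:", matches_article(hits))
```

A 400 on the websso endpoint without the Tomcat header parsing error points to a different cause than the one covered here.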


    Environment

    VMware vCenter Server 6.0.x
    VMware vCenter Server Appliance 6.0.x

    Cause

    This issue occurs when users with a high group count authenticate. The high group count produces a large Security Support Provider Interface (SSPI) token that exceeds the default HTTP header size.

    Resolution

    This issue is resolved in VMware vCenter Server 6.0 U1b, available at VMware Downloads.

    To work around this issue in previous versions, increase the max HTTP header size within the Embedded vCenter Server or in the External Platform Services controller.
    Note: The configuration changes outlined below need to be performed on the SSO server component. The SSO server can often be external to the vCenter Server itself, for example an external Platform Services Controller or a vRA identity appliance.

    To increase the max HTTP header size:

    For Windows Embedded vCenter Server or External Platform Services Controller:
    1. Make a remote desktop connection to the Windows Embedded vCenter Server or External Platform Services Controller.
    2. Open an explorer browser and navigate to:

      %ProgramData%\VMware\vCenterServer\runtime\VMwareSTSService\conf\

    3. Using a text editor, open the server.xml file and add the following under <Connector acceptCount and <Connector SSLEnabled:

      <Connector acceptCount="100"
      ...
      maxHttpHeaderSize="65536"
      ...
      redirectPort="${bio-custom.https.port}"/>
      <Connector SSLEnabled="true" acceptCount="200"
      ...
      maxHttpHeaderSize="65536"
      ...
      secure="true"/>

      Note: The entry is case sensitive. Alternatively, you can use a header size of 262144.

    4. Save and close the server.xml file.
    5. Restart the VMware Security Token Service.

    For vCenter Server Appliance or External Platform Services Controller Appliance:
    1. Log in to the vCenter Server Appliance or External Platform Services Controller Appliance via SSH.
    2. Run this command to enable access to the Bash shell:

      shell.set --enabled true

    3. Type shell and press Enter.
    4. Navigate to:

      /usr/lib/vmware-sso/vmware-sts/conf

    5. Using vi, open the server.xml file and add the following under <Connector acceptCount and <Connector SSLEnabled:

      <Connector acceptCount="100"
      ...
      maxHttpHeaderSize="65536"
      ...
      redirectPort="${bio-custom.https.port}"/>
      <Connector SSLEnabled="true" acceptCount="200"
      ...
      maxHttpHeaderSize="65536"
      ...
      secure="true"/>

      Note: The entry is case sensitive. Alternatively, you can use a header size of 262144.

    6. Save and close the server.xml file.
    7. Restart the VMware Security Token Service by running this command:

      service-control --stop vmware-stsd
      service-control --start vmware-stsd

    After completing these steps, re-attempt to log in using Use Windows Session Credentials in the vSphere Web Client.
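
Because the entry is case sensitive and must be present on both connectors, it is worth checking the edited server.xml before restarting the service. The following is an added example, not VMware code: the function name, status labels and the sample XML fragment are constructed, and the fragment carries only the attributes shown in the steps above.

```python
import xml.etree.ElementTree as ET

ATTR = "maxHttpHeaderSize"   # attribute name from the workaround; case sensitive
MINIMUM = 65536              # value from the workaround (262144 is the stated alternative)

def check_connectors(server_xml, minimum=MINIMUM):
    """Return [(connector, status)] for every <Connector> element in server.xml text."""
    results = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        # Label connectors the way the article refers to them.
        name = "SSLEnabled" if conn.get("SSLEnabled") == "true" else "acceptCount"
        value = conn.get(ATTR)
        if value is None:
            # The article notes the entry is case sensitive: report near-misses by name.
            near = [k for k in conn.attrib if k.lower() == ATTR.lower()]
            status = "miscased:" + near[0] if near else "missing"
        elif not value.isdigit() or int(value) < minimum:
            status = "too-small:" + value
        else:
            status = "ok"
        results.append((name, status))
    return results

# Constructed server.xml fragment; the second connector has a deliberately miscased entry.
SAMPLE = """<Server><Service name="Catalina">
  <Connector acceptCount="100" maxHttpHeaderSize="65536"
             redirectPort="${bio-custom.https.port}"/>
  <Connector SSLEnabled="true" acceptCount="200" maxhttpheadersize="65536"
             secure="true"/>
</Service></Server>"""

if __name__ == "__main__":
    for name, status in check_connectors(SAMPLE):
        print(f"<Connector {name} ...>: {status}")
```

Pass the function the text of server.xml from the conf directory named in the steps above; every connector should report ok before the Security Token Service is restarted.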

