"Access Denied" When Logging into vIDM

Article ID: 369107

Products

VMware Aria Suite VMware

Issue/Introduction

  1. When authentication uses an AD domain user and password, end users may see the error message "Access Denied".
  2. A third-party SAML2 identity provider is configured, and attempting to authenticate with this provider returns an "Access Denied" message along with "Unable to authenticate the user."

Error: 
Getting the "Access denied. Access denied. unable to authenticate the user" error while trying to log in with a domain user or a third-party SAML2 identity provider

Environment

VMware Identity Manager 3.3.x

Cause

Administrators get "Access Denied" when trying to log in to the vIDM console using either the AD domain or the System domain. This usually indicates that either the access policy is not set correctly or the identity provider is incorrectly set up.

Resolution

Option 1:

If you get "Access Denied" using a web browser, then in the access policy make sure you have a Web Browser access policy whose first authentication method is Password (cloud deployment) [outbound], Password [inbound], or Certificate (cloud deployment). Also, one of the fallback methods should be Password (local directory).

If you get "Access Denied" using anything other than a web browser, then in the access policy make sure the first authentication method is Password (cloud deployment) [outbound], Password [inbound], Certificate (cloud deployment), or Mobile SSO. Make sure none of the fallback methods is Password (local directory): the other methods are designed for Active Directory users only, and Password (local directory) cannot use AD credentials to log in.


Option 2:

  • Correct the default policy to Password, with Password (local directory) as the fallback.
  • Check whether authAdapter is disabled for any node (note it as a problematic connector). Go to Setup -> worker ID -> authAdapter -> passwrdIdpAdaptor.
  • Remove the problematic connector from the IdP and re-add it so that authAdapter becomes enabled.


Option 3:

  • Try creating a new policy for the SAML IdP: set it for any device type, with the first authentication method Password. Set the fallback methods to SAML2Password and Password (local directory), since the other methods are designed for Active Directory users only; the third-party SAML2 IdP and Password (local directory) allow AD credentials to be used to log in.
  • Move the newly created policy to the top and check login with the SAML identity provider.
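As an added illustration that is not part of this article and not VMware product code, the following Python script models an access policy as an ordered list of rules and flags the misconfigurations described in Option 1 and Option 3: a wrong first authentication method, a Password (local directory) fallback on a non-browser rule, a browser rule without that fallback, and a SAML2 rule that is not at the top of the policy. The rule dictionaries, the device-type strings, and the `check_policy` function are assumptions of this example; the method names are spelled as the article spells them.

```python
"""Hypothetical linter for vIDM access-policy rule ordering (example code,
not the vIDM API). A policy is an ordered list of rule dicts with keys
"device_type", "first" (first authentication method) and "fallbacks"."""

LOCAL_DIR = "Password (local directory)"
SAML = "SAML2Password"

# First-authentication methods the article accepts per device class.
WEB_FIRST_OK = {"Password (cloud deployment)", "Password",
                "Certificate (cloud deployment)"}
OTHER_FIRST_OK = WEB_FIRST_OK | {"Mobile SSO"}


def check_rule(index, rule):
    """Return findings for one rule; an empty list means no issue found."""
    findings = []
    device = rule["device_type"]
    first = rule["first"]
    fallbacks = rule.get("fallbacks", [])
    where = f"rule {index} ({device})"

    if SAML in fallbacks:
        # Option 3: the SAML2 IdP rule covers any device type, starts with
        # Password, falls back to SAML2Password and the local directory,
        # and must be the first rule in the policy.
        if first != "Password":
            findings.append(f"{where}: SAML2 rule should start with Password, not {first!r}")
        if LOCAL_DIR not in fallbacks:
            findings.append(f"{where}: SAML2 rule lacks fallback {LOCAL_DIR!r}")
        if index != 0:
            findings.append(f"{where}: SAML2 rule must be moved to the top of the policy")
    elif device == "Web Browser":
        # Option 1, browser case: allowed first method plus local-directory fallback.
        if first not in WEB_FIRST_OK:
            findings.append(f"{where}: first method {first!r} not allowed for Web Browser")
        if LOCAL_DIR not in fallbacks:
            findings.append(f"{where}: missing fallback {LOCAL_DIR!r}")
    else:
        # Option 1, non-browser case: the local directory cannot verify AD
        # credentials, so it must not appear as a fallback here.
        if first not in OTHER_FIRST_OK:
            findings.append(f"{where}: first method {first!r} not allowed for {device}")
        if LOCAL_DIR in fallbacks:
            findings.append(f"{where}: {LOCAL_DIR!r} must not be a fallback for non-browser devices")
    return findings


def check_policy(rules):
    """Lint an ordered policy and return all findings."""
    findings = []
    for i, rule in enumerate(rules):
        findings.extend(check_rule(i, rule))
    return findings


# Constructed sample policies (not taken from a real deployment).
BROKEN_POLICY = [
    {"device_type": "Web Browser", "first": LOCAL_DIR, "fallbacks": []},
    {"device_type": "All Device Types", "first": "Password", "fallbacks": [LOCAL_DIR]},
]
FIXED_POLICY = [
    {"device_type": "Web Browser", "first": "Password", "fallbacks": [LOCAL_DIR]},
    {"device_type": "All Device Types", "first": "Mobile SSO", "fallbacks": ["Password"]},
]
SAML_POLICY = [
    {"device_type": "Web Browser", "first": "Password", "fallbacks": [LOCAL_DIR]},
    {"device_type": "All Device Types", "first": "Password", "fallbacks": [SAML, LOCAL_DIR]},
]

if __name__ == "__main__":
    for name, policy in (("broken", BROKEN_POLICY), ("fixed", FIXED_POLICY),
                         ("saml", SAML_POLICY), ("saml reordered", SAML_POLICY[::-1])):
        print(name, check_policy(policy) or "OK")
```

Running the script reports three findings for the broken policy, none for the corrected one, and for the SAML policy only the ordering finding, which disappears once the SAML2 rule is moved to the top as Option 3 directs.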