ERROR: "unable to authenticate user"

Article ID: 377558

Products

VMware vCenter Server

Issue/Introduction

  • Trying to log in to the vCenter VAMI or SSH using the local SSO account "[email protected]" can result in one of the following errors:
    "unable to authenticate user"
    "User name and password are required"


  • In /var/log/vmware/applmgmt/applmgmt.log you might see log snippets similar to the following.
YYYY-MM-DDTHH:MM:SS [44966]DEBUG:vmware.appliance.vapi.auth:Requesting bearer token for '[email protected]'
YYYY-MM-DDTHH:MM:SS [44966]ERROR:vmware.appliance.vapi.auth:Could not parse HOK Token
Traceback (most recent call last):
  File "/usr/lib/applmgmt/lib/extensions/py/vmware/appliance/extensions/authentication/authentication_sso.py", line 507, in validate
    self.validate_certificate()
  File "/usr/lib/applmgmt/lib/extensions/py/vmware/appliance/extensions/authentication/authentication_sso.py", line 700, in validate_certificate
    'One or more certificates cannot be verified.')
vmware.appliance.extensions.authentication.authentication_sso.AuthenticationError: One or more certificates cannot be verified.
  • In /var/log/vmware/sso/websso.log you might see log snippets similar to the following.
[YYYY-MM-DDTHH:MM:SS tomcat-http--18 vsphere.local ########-####-####-####-############ INFO  com.vmware.identity.SsoController] Responded with ERROR 400, message BadRequest, Signing certificate is not valid at <Current Date>, cert validity: TimePeriod [startTime=<Date>, endTime=<Date>] com.vmware.identity.saml.UnsupportedTokenLifetimeException: Signing certificate is not valid at <Current Date>, cert validity: TimePeriod [startTime=<Date>, endTime=<Date>]
   
[YYYY-MM-DDTHH:MM:SS tomcat-http--29 vsphere.local ########-####-####-####-############ WARN  com.vmware.identity.samlservice.SamlValidator.ValidationResult] Encountered status code that is not localized. No message found under code 'BadRequest.Signing certificate is not valid at <Current Date>, cert validity: TimePeriod [startTime=<Date>, endTime=<Date>]' for locale 'en_US'.

Environment

7.x
8.x

Cause

This can occur when the STS signing certificate has expired, or when multiple STS signing certificates exist in the STS certificate store, so that STS cannot parse (validate) the token issued for the user.
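
As an added example (not part of this article and not code from vCert or VMware), the following Python script parses constructed applmgmt.log and websso.log lines modelled on the snippets above, reports which users hit the "Could not parse HOK Token" failure, and computes whether the STS signing certificate validity window printed in the websso.log error has expired. The sample lines, the user name and the ISO 8601 date format are assumptions; a production websso.log may print dates differently, so adjust ISO_FMT to match before running it against real logs.

```python
import re
from datetime import datetime, timezone

# Constructed sample lines (assumption: not copied from any real appliance).
# Timestamps, the user name and the date layout are placeholders chosen here.
APPLMGMT_LOG = """\
2024-06-15T08:30:01 [44966]DEBUG:vmware.appliance.vapi.auth:Requesting bearer token for 'user@vsphere.local'
2024-06-15T08:30:01 [44966]ERROR:vmware.appliance.vapi.auth:Could not parse HOK Token
vmware.appliance.extensions.authentication.authentication_sso.AuthenticationError: One or more certificates cannot be verified.
"""

WEBSSO_LOG = """\
[2024-06-15T08:30:01 tomcat-http--18 vsphere.local 00000000-0000-0000-0000-000000000000 INFO  com.vmware.identity.SsoController] Responded with ERROR 400, message BadRequest, Signing certificate is not valid at 2024-06-15T08:30:01Z, cert validity: TimePeriod [startTime=2022-03-01T00:00:00Z, endTime=2024-03-01T00:00:00Z] com.vmware.identity.saml.UnsupportedTokenLifetimeException: Signing certificate is not valid at 2024-06-15T08:30:01Z, cert validity: TimePeriod [startTime=2022-03-01T00:00:00Z, endTime=2024-03-01T00:00:00Z]
"""

BEARER_RE = re.compile(r"Requesting bearer token for '(?P<user>[^']+)'")
HOK_RE = re.compile(r"ERROR:vmware\.appliance\.vapi\.auth:Could not parse HOK Token")
STS_RE = re.compile(
    r"Signing certificate is not valid at (?P<now>.+?), "
    r"cert validity: TimePeriod \[startTime=(?P<start>.+?), endTime=(?P<end>.+?)\]"
)
# Assumed date layout of the sample lines; change to match your websso.log.
ISO_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_ts(text):
    """Parse a timestamp in ISO_FMT as an aware UTC datetime."""
    return datetime.strptime(text.strip(), ISO_FMT).replace(tzinfo=timezone.utc)


def sts_validity_from_websso(lines):
    """Return (now, start, end) from the first STS-validity error found, or None."""
    for line in lines:
        m = STS_RE.search(line)
        if m:
            return parse_ts(m["now"]), parse_ts(m["start"]), parse_ts(m["end"])
    return None


def hok_failures_from_applmgmt(lines):
    """Count 'Could not parse HOK Token' errors per user.

    applmgmt.log logs the bearer-token request first and the error on a
    later line, so the most recent requesting user is attributed the failure.
    """
    failures = {}
    current_user = None
    for line in lines:
        m = BEARER_RE.search(line)
        if m:
            current_user = m["user"]
            continue
        if current_user and HOK_RE.search(line):
            failures[current_user] = failures.get(current_user, 0) + 1
    return failures


def diagnose(applmgmt_lines, websso_lines):
    """Combine both logs into a small report: affected users and STS cert status."""
    report = {"hok_failures": hok_failures_from_applmgmt(applmgmt_lines), "sts": None}
    window = sts_validity_from_websso(websso_lines)
    if window:
        now, start, end = window
        if now > end:
            status, days = "expired", (now - end).days
        elif now < start:
            status, days = "not_yet_valid", (start - now).days
        else:
            status, days = "valid", (end - now).days
        report["sts"] = {
            "status": status,
            "days": days,  # days past expiry, until validity, or remaining
            "start": start.isoformat(),
            "end": end.isoformat(),
        }
    return report


if __name__ == "__main__":
    result = diagnose(APPLMGMT_LOG.splitlines(), WEBSSO_LOG.splitlines())
    for user, count in result["hok_failures"].items():
        print(f"HOK token parse failures for {user}: {count}")
    if result["sts"]:
        s = result["sts"]
        print(f"STS signing certificate {s['status']} ({s['days']} days); "
              f"validity {s['start']} .. {s['end']}")
    else:
        print("No STS signing-certificate validity error found in websso.log")
```

An "expired" result points at the expired-certificate cause described above; a "valid" result with HOK failures still present is consistent with the other cause, multiple STS signing certificates in the store, which this log check cannot distinguish and which vCert's STS view (Resolution below) will show.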

Resolution

Use the certificate management tool vCert (Scripted vCenter Expired Certificate Replacement) for the whole certificate management and replacement workflow.

  1. Download and install vCert on the vCenter Server Appliance as described in its Installation section.
  2. Check the STS signing certificate:
    1. From menu 2 (View Certificate Info), use Option 7 - View STS signing certificates.
  3. Replace the STS signing certificate:
    1. From menu 3 (Manage Certificates), use Option 7 - STS signing certificates.