Logging into vCenter using VAMI or SSH using SSO admin account results in error "unable to authenticate user"

Article ID: 377558

Updated On: 02-10-2025

Products

VMware vCenter Server

VMware vCenter Server 7.0

VMware vCenter Server 8.0

Issue/Introduction

  • Logging in to the vCenter VAMI or over SSH with the local SSO account "administrator@vsphere.local" fails with the error "unable to authenticate user".
  • In /var/log/vmware/applmgmt/applmgmt.log you might see log entries similar to the following:
2024-09-18T16:16:02 PM AEST [44966]DEBUG:vmware.appliance.vapi.auth:Requesting bearer token for 'administrator@vsphere.local'
2024-09-18T16:18:42 PM AEST [44966]ERROR:vmware.appliance.vapi.auth:Could not parse HOK Token
Traceback (most recent call last):
  File "/usr/lib/applmgmt/lib/extensions/py/vmware/appliance/extensions/authentication/authentication_sso.py", line 507, in validate
    self.validate_certificate()
  File "/usr/lib/applmgmt/lib/extensions/py/vmware/appliance/extensions/authentication/authentication_sso.py", line 700, in validate_certificate
    'One or more certificates cannot be verified.')
vmware.appliance.extensions.authentication.authentication_sso.AuthenticationError: One or more certificates cannot be verified.
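
A triage sketch for the log signature above, added here as an example (it is not Broadcom's code or part of the original article): it scans applmgmt.log lines and reports each login where a bearer token request is followed by "Could not parse HOK Token" and the certificate-verification AuthenticationError. The function name, the per-PID correlation, the shortened file paths and the last sample line are assumptions made for this example.

```python
import re

# Record header as seen in the snippet: "<timestamp> [<pid>]<LEVEL>:<logger>:<message>"
RECORD = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\S+(?: \S+)*?) \[(?P<pid>\d+)\]"
    r"(?P<level>[A-Z]+):(?P<logger>[^:]+):(?P<msg>.*)$")
TOKEN_REQUEST = re.compile(r"Requesting bearer token for '(?P<user>[^']+)'")
HOK_ERROR = "Could not parse HOK Token"
CERT_ERROR = "AuthenticationError: One or more certificates cannot be verified"

# First eight lines are taken from the snippet above (file paths shortened);
# the last line is constructed: a token request that is not followed by an error.
SAMPLE = """\
2024-09-18T16:16:02 PM AEST [44966]DEBUG:vmware.appliance.vapi.auth:Requesting bearer token for 'administrator@vsphere.local'
2024-09-18T16:18:42 PM AEST [44966]ERROR:vmware.appliance.vapi.auth:Could not parse HOK Token
Traceback (most recent call last):
  File ".../authentication_sso.py", line 507, in validate
    self.validate_certificate()
  File ".../authentication_sso.py", line 700, in validate_certificate
    'One or more certificates cannot be verified.')
vmware.appliance.extensions.authentication.authentication_sso.AuthenticationError: One or more certificates cannot be verified.
2024-09-18T16:20:10 PM AEST [45102]DEBUG:vmware.appliance.vapi.auth:Requesting bearer token for 'operator@vsphere.local'
"""

def find_sts_cert_failures(lines):
    """Return one dict per login attempt that failed with the signature above."""
    last_user = {}   # pid -> (account, timestamp) of the most recent token request
    pending = None   # HOK error whose traceback is still being read
    findings = []
    for raw in lines:
        line = raw.rstrip("\n")
        rec = RECORD.match(line)
        if rec is None:
            # Traceback continuation: only the final exception line confirms the match.
            if pending and CERT_ERROR in line:
                findings.append(pending)
                pending = None
            continue
        pending = None  # a new record ends any traceback in progress
        req = TOKEN_REQUEST.search(rec["msg"])
        if req:
            last_user[rec["pid"]] = (req["user"], rec["ts"])
        elif rec["level"] == "ERROR" and HOK_ERROR in rec["msg"]:
            user, requested = last_user.pop(rec["pid"], (None, None))
            pending = {"user": user, "pid": rec["pid"],
                       "requested": requested, "failed": rec["ts"]}
    return findings

if __name__ == "__main__":
    for hit in find_sts_cert_failures(SAMPLE.splitlines()):
        print(hit)
```

To run it against a real log, pass the open file object for /var/log/vmware/applmgmt/applmgmt.log to `find_sts_cert_failures` instead of the sample.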

 

Environment

VMware vCenter Server 7.x

VMware vCenter Server 8.x

Cause

This could occur when the STS certificate has expired, or when the STS certificate store contains multiple STS certificates, so that STS cannot parse the token for the user.

Resolution

  • Take a snapshot of the vCenter Server. If the vCenter Server is in Enhanced Linked Mode (ELM), make sure to take offline snapshots of all vCenter Servers.
  • SSH to the vCenter Server using root credentials.
  • Check the STS certificate using the article "Checking Expiration of STS Certificate on vCenter Servers".
  • If the STS certificate is shown as expired, or more than one STS certificate is present, refer to the screenshot below as a reference.