Logging into vCenter using VAMI or SSH using SSO admin account results in error "unable to authenticate user"
Article ID: 377558
Updated On:
Products
VMware vCenter Server
Issue/Introduction
- Trying to login to vCenter VAMI\ssh using local SSO account "[email protected]" get below error.
- In /var/log/vmware/applmgmt/applmgmt.log you might see below log snippets.
- 2024-09-18T16:16:02 PM AEST [44966]DEBUG:vmware.appliance.vapi.auth:Requesting bearer token for '[email protected]'
- 2024-09-18T16:18:42 PM AEST [44966]ERROR:vmware.appliance.vapi.auth:Could not parse HOK Token
- Traceback (most recent call last):
File "/usr/lib/applmgmt/lib/extensions/py/vmware/appliance/extensions/authentication/authentication_sso.py", line 507, in validate
self.validate_certificate()
File "/usr/lib/applmgmt/lib/extensions/py/vmware/appliance/extensions/authentication/authentication_sso.py", line 700, in validate_certificate
'One or more certificates cannot be verified.') - vmware.appliance.extensions.authentication.authentication_sso.AuthenticationError: One or more certificates cannot be verified.
Environment
VMware vCenter Server 7.x
VMware vCenter Server 8.x
Cause
This could occur due to expired STS certificate or multiple STS certs in STS certificate store due to which STS couldn't phrase the token for the user.
Resolution
- Take snapshot of VC, if VC is in ELM make sure to take offline snapshot of all VCs.
- SSH to vCenter using root credentials.
- Check STS certificate using Checking Expiration of STS Certificate on vCenter Servers
- If you see STS certificate as expired or more than 1 STS cert, refer below screenshot as a reference.
- Renew the STS cert using steps in Signing certificate is not valid" error in vCenter Server Appliance
Feedback
Yes
No
Powered by
