Active directory service account login fails with 'Invalid Credentials' error in vSphere Client.


Article ID: 385221


Products

VMware vCenter Server

Issue/Introduction

  • Login to the vSphere Client fails for an Active Directory service account with the error "Invalid Credentials".
  • The same user credentials work on any other vCenter Server where the same Active Directory identity source is configured.
  • The following log snippets are observed in websso.log:

[YYYY-MM-DDTHH:MM:SS] WARN websso[58:tomcat-http--19] [CorId=40cb0038-96b2-4a3b-8bb4-2db34567ea03] [com.vmware.identity.interop.ldap.LdapErrorChecker] Error received by LDAP client: com.vmware.identity.interop.ldap.OpenLdapClientLibrary, error code: 49
[YYYY-MM-DDTHH:MM:SS] WARN websso[58:tomcat-http--19] [CorId=40cb0038-96b2-4a3b-8bb4-2db34567ea03] [com.vmware.identity.idm.server.ServerUtils] cannot bind connection: [ldap://example.com, CN=User,OU=it,OU=internal,DC=example,DC=com]
[YYYY-MM-DDTHH:MM:SS] ERROR websso[58:tomcat-http--19] [CorId=40cb0038-96b2-4a3b-8bb4-2db34567ea03] [com.vmware.identity.idm.server.ServerUtils] cannot establish ldap connection with URI: [ldap://example.com] because [Invalid credentials] therefore will not attempt to use any secondary URIs
[YYYY-MM-DDTHH:MM:SS] ERROR websso[58:tomcat-http--19] [CorId=40cb0038-96b2-4a3b-8bb4-2db34567ea03] [com.vmware.identity.idm.server.IdentityManager] Failed to authenticate principal [[email protected]] for tenant [vsphere.local]javax.security.auth.login.LoginException: Login failed

  • A packet capture confirms that the bind response from Active Directory fails with error code 49 and data code 531.

Lightweight Directory Access Protocol
    LDAPMessage bindResponse(1) invalidCredentials (80090308: LdapErr: DSID-0C090449, comment: AcceptSecurityContext error, data 531, v3839)
        messageID: 1
        protocolOp: bindResponse (1)
            bindResponse
                resultCode: invalidCredentials (49)
                matchedDN: 
                errorMessage: 80090308: LdapErr: DSID-0C090449, comment: AcceptSecurityContext error, data 531, v3839

Environment

VMware vCenter Server

Cause

A "Log On To" restriction is applied to the user account, so the user is not allowed to log on to the vCenter Server machine.

Resolution

LDAP error code 49 with data code 531 means RESTRICTED_TO_SPECIFIC_MACHINES.

This is an Active Directory (AD) AcceptSecurityContext data error: the login failed because the user is not permitted to log on from this computer. AD returns this data code only when it has been presented with a valid username and a valid password.

The error occurs when the user account's "Log On To" setting is restricted to a specific list of computers and the vCenter Server is not on that list.

Check with the Active Directory administrator and make sure the user is allowed to log on to the vCenter Server in the user's Active Directory account settings.
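As an added triage helper (not part of this article or of vCenter), the following Python maps the AcceptSecurityContext data code in a bind error string to its meaning and pulls the error code, LDAP URI and bind DN out of websso.log lines by CorId; it also covers the other standard AD data codes beyond the 531 case described here. The sample log lines are constructed from the snippets above.

```python
import re
# AcceptSecurityContext "data" sub-codes that Active Directory attaches to LDAP
# resultCode 49 (invalidCredentials); 531 is the case this article describes.
AD_DATA_CODES = {
    "525": "user not found",
    "52e": "invalid credentials (bad password)",
    "530": "not permitted to log on at this time (logon hours)",
    "531": "RESTRICTED_TO_SPECIFIC_MACHINES: not permitted to log on from this computer (\"Log On To\")",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}
# Diagnostic string in the bindResponse errorMessage ("... AcceptSecurityContext error, data 531, v3839").
AD_ERR_RE = re.compile(r"AcceptSecurityContext error, data (?P<data>[0-9a-fA-F]+)")
# websso.log lines of interest: the LDAP client error code and the failed bind URI/DN.
WEBSSO_CODE_RE = re.compile(r"\[CorId=(?P<corid>[0-9a-f-]+)\].*error code: (?P<code>\d+)")
WEBSSO_BIND_RE = re.compile(
    r"\[CorId=(?P<corid>[0-9a-f-]+)\].*cannot bind connection: \[(?P<uri>ldaps?://[^,]+), (?P<dn>[^\]]+)\]")

def classify_ad_bind_error(error_message):
    """Map an AD bind errorMessage to (data_code, meaning); None if it is not an AD error string."""
    m = AD_ERR_RE.search(error_message)
    if not m:
        return None
    data = m.group("data").lower()
    return data, AD_DATA_CODES.get(data, "unknown AcceptSecurityContext data code")

def summarize_websso(lines):
    """Group websso.log bind failures by CorId: {corid: {"code": int, "uri": str, "dn": str}}."""
    events = {}
    for line in lines:
        m = WEBSSO_CODE_RE.search(line)
        if m:
            events.setdefault(m.group("corid"), {})["code"] = int(m.group("code"))
        m = WEBSSO_BIND_RE.search(line)
        if m:
            events.setdefault(m.group("corid"), {}).update(uri=m.group("uri"), dn=m.group("dn"))
    return events

# Constructed sample input modelled on the websso.log lines and the capture shown in this article.
SAMPLE_WEBSSO = [
    "[2024-01-01T00:00:00] WARN websso[58:tomcat-http--19] [CorId=40cb0038-96b2-4a3b-8bb4-2db34567ea03] [com.vmware.identity.interop.ldap.LdapErrorChecker] Error received by LDAP client: com.vmware.identity.interop.ldap.OpenLdapClientLibrary, error code: 49",
    "[2024-01-01T00:00:00] WARN websso[58:tomcat-http--19] [CorId=40cb0038-96b2-4a3b-8bb4-2db34567ea03] [com.vmware.identity.idm.server.ServerUtils] cannot bind connection: [ldap://example.com, CN=User,OU=it,OU=internal,DC=example,DC=com]",
]
SAMPLE_BIND_ERROR = "80090308: LdapErr: DSID-0C090449, comment: AcceptSecurityContext error, data 531, v3839"

if __name__ == "__main__":
    print(summarize_websso(SAMPLE_WEBSSO), classify_ad_bind_error(SAMPLE_BIND_ERROR))
```

Feed the errorMessage from the capture's bindResponse to classify_ad_bind_error and the websso.log lines to summarize_websso to tie the 531 sub-code to the failing bind DN.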