Encountering HTTP 400 error while attempting to log in to vCenter with the Local SSO Administrator account.
Article ID: 391134

Products: VMware vCenter Server 6.0, 7.0, 8.0

Issue/Introduction

  • Logging in with the Local SSO Administrator account fails with an HTTP 400 response after the credentials are submitted.

  • Users from an external identity source (domain users) log in successfully.

  • The same Administrator account logs in to the VAMI and over SSH without issue, so the credentials themselves are not the problem.

  • Other accounts that are members of the same malformed group hit the same error even though their credentials are correct.



Environment

VMware vCenter Server 6.x
VMware vCenter Server 7.x
VMware vCenter Server 8.x

Cause

  • websso.log shows that the STS authenticated the user and posted a SAML response to the vSphere Client; the failure happens later, when that token is parsed:
/var/log/vmware/sso/websso.log
<YYYY-DD-MM> <HH:MM:SS> INFO websso[xx:tomcat-http--xx] [CorId=xxxxx-xxxxx-xxxxx-xxxxxx] [auditlogger] {"user":"Administrator@vsphere.local","client":"xx.xx.xx.xxx", "timestamp":"<YYYY-DD-MM> <HH:MM:SS> GMT", "description":"User Administrator@vsphere.local@xx.xx.xx.xxx logged in with response code 200", "eventSeverity":"INFO","type":"com.vmware.sso.LoginSuccess"}
<YYYY-DD-MM> <HH:MM:SS> INFO websso[xx:tomcat-http--xx] [CorId=xxxxx-xxxxx-xxxxx-xxxxxx] [com.vmware.identity.samlservice.impl.SAMLAuthnResponseSender] Posting successful authentication response to: https://vcenter.mydomain.com/ui/saml/websso/metadata

  • The vSphere Client log below shows that the SAML token arrived but its group attribute could not be parsed. This is a token-parsing failure, not a permissions problem: the group principal `vsphere.local\mydomain\mygroup' splits on the backslash into three fields, while PrincipalIdParser.splitInTwo expects exactly two (domain\name).
/var/log/vmware/vsphere-ui/logs/vsphere_client_virgo.log

[<YYYY-DD-MM> <HH:MM:SS>] [INFO ] p-nio-127.0.0.1-5090-exec-10 xxxxxx xxxxxx ###### com.vmware.vsphere.client.security.websso.LogonProcessorImpl      Websso authentication successful.
[<YYYY-DD-MM> <HH:MM:SS>] [INFO ] p-nio-127.0.0.1-5090-exec-10 xxxxxx xxxxxx ###### com.vmware.vsphere.client.security.websso.LogonProcessorImpl      Parsing the XML token
[<YYYY-DD-MM> <HH:MM:SS>] [WARN ] p-nio-127.0.0.1-5090-exec-10 xxxxxx xxxxxx ###### com.vmware.vsphere.client.security.websso.LogonProcessorImpl      WebSSO token validation failed. Refreshing STS certificates and retrying.
[<YYYY-DD-MM> <HH:MM:SS>] [ERROR] p-nio-127.0.0.1-5090-exec-10 xxxxxx xxxxxx ###### com.vmware.vsphere.client.security.websso.LogonProcessorImpl      Error when processing the success websso authn message com.vmware.vim.sso.client.exception.MalformedTokenException: Cannot parse group information

Caused by: com.vmware.identity.token.impl.exception.ParserException: Invalid principal value: `vsphere.local\mydomain\mygroup' (incorrect number of fields)
        at com.vmware.identity.token.impl.PrincipalIdParser.splitInTwo(PrincipalIdParser.java:83)
        at com.vmware.identity.token.impl.PrincipalIdParser.parseGroupId(PrincipalIdParser.java:58)
        at com.vmware.identity.token.impl.SamlTokenImpl.parseGroup(SamlTokenImpl.java:1262)
        at com.vmware.identity.token.impl.SamlTokenImpl.parseAttributeStatement(SamlTokenImpl.java:1216)
        ... 181 common frames omitted

  • Examining the group's LDIF export (see Steps to Generate LDIF) confirms the root cause: the group's Common Name (CN) itself contains a backslash, `mydomain\mygroup`, which is not valid syntax for a group name in the local SSO domain.
    dn: CN=mydomain\mygroup,dc=vsphere,dc=local
    objectClass: top
    objectClass: group
    name: mydomain\mygroup
    cn: mydomain\mygroup
    sAMAccountName: mydomain\mygroup
    groupType: 2
    nTSecurityDescriptor::xxxxxxxxxxxxxxxx-xxxxxxxxxxxxxxxxxxx-xxxxxxxxxxxxxxxxxx-x-x-------x-xxxxx
    member: cn=Administrator,cn=Users,dc=vsphere,dc=local

 

Resolution

Steps to Remove the Local SSO Admin User from an Invalid Group

  • Do not proceed without a snapshot: a powered-on snapshot for a standalone vCenter, or powered-off snapshots of every vCenter Server in the same SSO domain when Enhanced Linked Mode (ELM) is in use. Consolidate the snapshots (Delete All) once the issue is resolved.

  • Access the vCenter server via SSH.

  • Create a script /tmp/remove.sh (touch /tmp/remove.sh, then open it in vi or any preferred editor) with the following content:
#!/bin/sh
/opt/likewise/bin/ldapmodify -x -h localhost -p 389 -D 'cn=Administrator,cn=Users,dc=vsphere,dc=local' -W << EOF
dn: CN=mydomain\mygroup,dc=vsphere,dc=local
changetype: modify
delete: member
member: cn=Administrator,cn=Users,dc=vsphere,dc=local
EOF

Note: Replace CN=mydomain\mygroup,dc=vsphere,dc=local with the group's DN exactly as it appears in the LDIF export, and replace every dc=vsphere,dc=local (bind DN, group DN and member DN) with the Local SSO Domain of the vCenter if it is not vsphere.local. The heredoc is unquoted, but that is safe here: the shell only treats a backslash specially before $, `, \ or a newline, so the backslash in the group name reaches ldapmodify unchanged. If vmdir rejects the DN, the backslash inside the RDN value may need to be written as \\ (RFC 4514 DN escaping); use whichever form the ldapsearch export returns.

  • Make the script executable:
chmod +x /tmp/remove.sh
  • Run it:
/tmp/remove.sh

Note: The -W option prompts for the password of the Administrator@vsphere.local account (the bind DN given with -D).

  • To apply the change, restart all vCenter services. vCenter is unavailable until the services are back up:
service-control --stop --all && service-control --start --all
  • The Local SSO Admin user can now log in through the vSphere Client. The malformed group itself still exists and is removed in the next section.

Steps to Clean Up Invalid Groups:

Resolving the login issue only detaches the account; the malformed group entry itself remains in the VMware Directory Service (vmdird). To prevent the same failure for any account that is later added to it, delete every group that was created with an invalid name or schema.

Before deleting anything, take a snapshot as above (powered-on for a standalone vCenter; powered-off for every vCenter Server in the same SSO domain when ELM is in use) and consolidate it with Delete All once the cleanup is verified.

Delete the group using one of the following methods:

  1. Using JXplorer: Open the invalid group in JXplorer and delete it manually.

  2. Using ldapdelete: Run the ldapdelete command against the group's DN:
/opt/likewise/bin/ldapdelete -x -h localhost -p 389 -D 'cn=Administrator,cn=Users,dc=vsphere,dc=local' -W "CN=mydomain\mygroup,dc=vsphere,dc=local"

Note: Replace CN=mydomain\mygroup,dc=vsphere,dc=local with the group's DN exactly as it appears in the LDIF export, and replace dc=vsphere,dc=local with the Local SSO Domain of the vCenter if it is not vsphere.local. Inside double quotes the shell leaves \m untouched, so the DN reaches ldapdelete as written.

By removing these invalid groups, future login issues will be prevented.
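The triage in the Cause section and the LDIF in the Resolution can be scripted. What follows is an added example, not code from the KB article or from VMware: it runs in the appliance shell, pulls the offending principal out of vsphere_client_virgo.log lines, counts the backslash-delimited fields the way the stack trace's PrincipalIdParser.splitInTwo evidently does, finds group entries in an LDIF export whose RDN value contains a backslash, and emits the ldapmodify LDIF that detaches the SSO administrator from each of them. The log line and the LDIF it processes are constructed samples embedded in the script; the group and member DNs are the article's placeholders, not real objects. The script only generates LDIF and prints it; it never connects to vmdir, so nothing here modifies the directory.

```shell
#!/bin/sh
# Added example: triage helpers for the "Cannot parse group information" login failure.
# Not part of the KB article or of VMware's tooling. Generates LDIF only; does not
# contact vmdir. POSIX sh so it runs under the appliance shell as well as bash.
set -eu

# Constructed sample: one vsphere_client_virgo.log line in the shape shown in the article.
SAMPLE_LOG=$(cat <<'EOF'
Caused by: com.vmware.identity.token.impl.exception.ParserException: Invalid principal value: `vsphere.local\mydomain\mygroup' (incorrect number of fields)
EOF
)

# Constructed sample: an LDIF export with one malformed group (CN contains a backslash)
# and one well-formed built-in group. Both DNs are placeholders, not real objects.
SAMPLE_LDIF=$(cat <<'EOF'
dn: CN=mydomain\mygroup,dc=vsphere,dc=local
objectClass: top
objectClass: group
cn: mydomain\mygroup
member: cn=Administrator,cn=Users,dc=vsphere,dc=local
member: cn=svc-backup,cn=Users,dc=vsphere,dc=local

dn: cn=Administrators,cn=Builtin,dc=vsphere,dc=local
objectClass: top
objectClass: group
cn: Administrators
member: cn=Administrator,cn=Users,dc=vsphere,dc=local
EOF
)

# Print the principal named in every "Invalid principal value: `...'" log line on stdin.
invalid_principals() {
    sq="'"
    sed -n "s/.*Invalid principal value: \`\([^$sq]*\)$sq.*/\1/p"
}

# Count backslash-delimited fields in a principal string. The token parser expects
# exactly two (domain\name); anything else is "incorrect number of fields".
principal_field_count() {
    printf '%s\n' "$1" | awk '{ n = gsub(/\\/, "&"); print n + 1 }'
}

# Read LDIF on stdin and print the DN of every group entry whose RDN value
# contains a backslash, i.e. a group name that cannot survive domain\name splitting.
invalid_group_dns() {
    awk '
        function flush() {
            if (dn != "" && isgroup[dn]) {
                split(dn, parts, ",")
                if (index(parts[1], "\\") > 0) print dn
            }
            dn = ""
        }
        /^dn: /               { dn = substr($0, 5) }
        /^objectClass: group/ { isgroup[dn] = 1 }
        /^$/                  { flush() }
        END                   { flush() }
    '
}

# Emit the ldapmodify LDIF that removes one member from one group.
# $1 = group DN exactly as the LDIF export shows it, $2 = member DN to detach.
removal_ldif() {
    printf 'dn: %s\nchangetype: modify\ndelete: member\nmember: %s\n' "$1" "$2"
}

# Demo on the constructed samples.
printf '%s\n' "$SAMPLE_LOG" | invalid_principals | while IFS= read -r p; do
    printf 'log: principal "%s" has %s fields (parser expects 2)\n' "$p" "$(principal_field_count "$p")"
done
printf '%s\n' "$SAMPLE_LDIF" | invalid_group_dns | while IFS= read -r dn; do
    printf '\n# LDIF for ldapmodify to detach the SSO administrator from %s\n' "$dn"
    removal_ldif "$dn" 'cn=Administrator,cn=Users,dc=vsphere,dc=local'
done
```

On a real appliance, replace the two samples with `grep 'Invalid principal value' /var/log/vmware/vsphere-ui/logs/vsphere_client_virgo.log` and the LDIF export from Steps to Generate LDIF, review the generated LDIF, and only then feed it to /opt/likewise/bin/ldapmodify as in the Resolution, with the snapshot taken first.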

Additional Information

The group name is in the DOMAIN\name form used for Windows and Active Directory (AD) principals, not a plain group name for the vsphere.local domain.

The group was most likely created with that name during its initial configuration. The backslash is what breaks the login: the vCenter SSO token encodes every group principal as domain\name, and the vSphere Client splits that value on the backslash expecting exactly two fields. A CN that itself contains a backslash produces `vsphere.local\mydomain\mygroup`, three fields, so parsing fails and the whole login is rejected with HTTP 400 even though the STS authenticated the user successfully.

It is crucial to exercise caution when interacting with LDAP databases, as improper modifications can have a serious impact on the stability and security of vCenter. Changes to the LDAP schema or user/group mappings can disrupt authentication mechanisms and potentially compromise system integrity.

Should you require assistance with the steps outlined in the Resolution Section, please contact Broadcom Support for further guidance.