Unable to login to vCenter using AD credentials - Invalid Credentials

Article ID: 401065

Products

VMware vCenter Server

Issue/Introduction

  • The error "Invalid credentials" is logged in vCenter Events.
  • When you attempt to update the password for the identity source, it fails with the error "Check the network settings and make sure you have network access to the identity source".
  • /var/log/vmware/sso/websso.log :

    [YYYY-MM-DD] tomcat-http--4  XXXXXXXX INFO  auditlogger] {"user":"root","client":"xx.xx.xx.xxx","timestamp":"","description":"User [email protected] failed to log in with response code 401","eventSeverity":"INFO","type":"com.vmware.sso.LoginFailure"]
    [YYYY-MM-DD]  tomcat-http--4  XXXXXXXX ERROR com.vmware.identity.samlservice.AuthnRequestState] Caught Saml Service Exception from authenticate com.vmware.identity.samlservice.SamlServiceException
    [YYYY-MM-DD]  tomcat-http--4  XXXXXXXX ERROR com.vmware.identity.BaseSsoController] Sending error to browser. ERROR: 401, message
    [YYYY-MM-DD]  tomcat-http--37  XXXXXXXX INFO  com.vmware.identity.SsoController] Welcome to SP-initiated AuthnRequest handler! The client locale is en_US, tenant is vsphere.local
    [YYYY-MM-DD]  tomcat-http--37  XXXXXXXX INFO  com.vmware.identity.SsoController] Request URL is https://AD-DOMAIN/websso/SAML2/SSO/vsphere.local
    [YYYY-MM-DD]  tomcat-http--37  XXXXXXXX INFO  com.vmware.identity.samlservice.impl.AuthnRequestStateValidator] Validating SAML AuthnRequest, ID: XXXXXXXX
    [YYYY-MM-DD]  tomcat-http--37  XXXXXXXX INFO  com.vmware.identity.samlservice.impl.AuthnRequestStateValidator] Authn request proxyCount= null set isProxying=false
    [YYYY-MM-DD]  tomcat-http--37  XXXXXXXX INFO  com.vmware.identity.samlservice.impl.AuthnRequestStateValidator] Authentication request validation succeeded
    [YYYY-MM-DD]  tomcat-http--37  XXXXXXXX ERROR com.vmware.identity.samlservice.impl.CasIdmAccessor] Caught exception.
    com.vmware.identity.idm.IDMLoginException: Login failed

  • /var/log/vmware/sso/ssoAdminserver.log :

    [YYYY-MM-DD] pool-2-thread-38 opId=XXXXXXXX ERROR com.vmware.identity.admin.server.ims.impl.IdentitySourceManagementImpl] cannot establish connection to null
    com.vmware.identity.idm.IDMLoginException: Failed to probe provider connectivity [URI: ldaps://AD-DOMAIN:636 ]; tenantName [vsphere.local], userName [XXXXXXXX]

  • Running the following command to verify LDAPS connectivity and the server certificate shows CONNECTED and loads the certificate:

    openssl s_client -connect xx.xx.xx.xx:636 -showcerts
    CONNECTED(00000003)

    ping xx.xx.xx.xx -- PASS
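A CONNECTED line from openssl s_client only proves that a TLS handshake completed; without -CAfile and -verify_hostname it validates neither the chain nor the server name, which is exactly what the SSO connectivity probe depends on. The script below is an added example, not part of this article or of VMware's tooling: it checks chain trust, name match and validity for an identity source URI such as ldaps://AD-DOMAIN:636, with the host name and the CA bundle path being assumptions to replace with your own.

```python
import socket
import ssl
import sys
import time
from urllib.parse import urlparse
WARN_DAYS = 30  # flag certificates that expire sooner than this

def _name_matches(host, cert):
    """True if host matches a DNS SAN entry (exact, or a *.domain wildcard on the first label)."""
    host = host.lower().rstrip(".")
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        value = value.lower()
        if value == host or (value.startswith("*.") and "." in host
                             and host.split(".", 1)[1] == value[2:]):
            return True
    return False

def cert_findings(cert, host, now=None):
    """Return the problems with a cert dict shaped like SSLSocket.getpeercert(); [] means OK."""
    now = time.time() if now is None else now
    findings = []
    days_left = int((ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400)
    if days_left < 0:
        findings.append(f"certificate expired {-days_left} day(s) ago ({cert['notAfter']})")
    elif days_left < WARN_DAYS:
        findings.append(f"certificate expires in {days_left} day(s) ({cert['notAfter']})")
    if not _name_matches(host, cert):
        findings.append(f"{host} is not in the certificate SAN: {cert.get('subjectAltName', ())}")
    return findings

def probe_ldaps(uri, cafile=None, timeout=5.0):
    """Verify chain (against cafile or the system store), name and validity of an ldaps:// URI."""
    parsed = urlparse(uri)
    host, port = parsed.hostname, parsed.port or 636
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False           # the name check runs in cert_findings so the
    ctx.verify_mode = ssl.CERT_REQUIRED  # exact reason is reported, not a bare handshake error
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return cert_findings(tls.getpeercert(), host)
    except ssl.SSLCertVerificationError as e:
        return [f"chain not trusted: {e.verify_message}"]
    except OSError as e:
        return [f"connection failed: {e}"]

if __name__ == "__main__":  # usage: python ldaps_probe.py ldaps://AD-DOMAIN:636 [ca-bundle.pem]
    print("\n".join(probe_ldaps(sys.argv[1], *sys.argv[2:3]) or ["OK"]))
```

Pass the same CA bundle that was uploaded for the identity source in vCenter; an empty result means the chain, name and validity period would all pass a strict check, so a remaining probe failure points at the bind credentials or the LDAP service itself rather than the certificate.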

Environment

VMware vCenter Server 6.x
VMware vCenter Server 7.x
VMware vCenter Server 8.x

Resolution

  • Take a valid backup/snapshot of the vCenter Server (for vCenter Servers in Enhanced Linked Mode (ELM), take offline snapshots).
  • Note down/record all existing domain user and group permissions.
  • Remove the existing identity source, then re-add the identity source.
  • Re-add the domain user and group permissions (once the identity source has been added successfully).

Refer to: Configuring a vCenter Single Sign-On Identity Source using LDAP with SSL