Intermittent failures of backup service accounts connecting to vCenter with error 'Cannot complete login due to an incorrect user name or password'



Article ID: 404748


Products

VMware vCenter Server 8.0

Issue/Introduction

  • Third-party backup jobs intermittently fail with the following error:
Unable to connect to vCenter server [vcenter_name] as user [backup_service_account] from access node [backup_server]. [Cannot complete login due to an incorrect username or password.]
  • Despite the initial failure, the affected backup jobs often complete successfully when subsequently retried.
  • The vCenter Server is configured to use an Active Directory identity source with LDAP for authentication.
  • The "LDAPServerIntegrity" registry entry (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters) on the Active Directory server is found to have a value of "1".
  • In /var/log/vmware/sso/vmware-identity-sts.log you may see errors similar to:
[YYYY-MM-DDTHH:MM:SS] WARN sts[47:tomcat-http--1] [CorId=######] [com.vmware.identity.interop.ldap.LdapErrorChecker] Error received by LDAP client: com.vmware.identity.interop.ldap.OpenLdapClientLibrary, error code: 8
[YYYY-MM-DDTHH:MM:SS] WARN sts[47:tomcat-http--1] [CorId=######] [com.vmware.identity.idm.server.ServerUtils] cannot bind connection: [ldap://######, ######\\######]
[YYYY-MM-DDTHH:MM:SS] ERROR sts[47:tomcat-http--1] [CorId=######] [com.vmware.identity.idm.server.ServerUtils] cannot establish ldap connection with URI: [ldap://######] because [com.vmware.identity.interop.ldap.StrongAuthRequiredLdapException] with reason [Strong(er) authentication required] therefore will try to attempt to use secondary URIs, if applicable
[YYYY-MM-DDTHH:MM:SS] ERROR sts[47:tomcat-http--1] [CorId=######] [com.vmware.identity.idm.server.provider.BaseLdapProvider] com.vmware.identity.interop.ldap.StrongAuthRequiredLdapException: Strong(er) authentication required\nLDAP error [code: 8]
[YYYY-MM-DDTHH:MM:SS] ERROR sts[47:tomcat-http--1] [CorId=######] [com.vmware.identity.idm.server.IdentityManager] Failed to authenticate principal [######] for tenant [vsphere.local]
javax.security.auth.login.LoginException: Login failed
        at com.vmware.identity.idm.server.provider.ldap.LdapWithAdMappingsProvider.authenticate(LdapWithAdMappingsProvider.java:458) ~[libvmware-identity-idm-server.jar:?]
        at com.vmware.identity.idm.server.IdentityManager.authenticate(IdentityManager.java:3134) [libvmware-identity-idm-server.jar:?]
        at com.vmware.identity.idm.server.IdentityManager.authenticate(IdentityManager.java:10530) [libvmware-identity-idm-server.jar:?]
        at com.vmware.identity.idm.client.CasIdmClient.authenticate(CasIdmClient.java:1303) [libvmware-identity-idm-client.jar:?]
        at com.vmware.identity.sts.idm.impl.AuthenticatorImpl.authenticate(AuthenticatorImpl.java:91) [libsts.jar:?]
        at com.vmware.identity.sts.auth.impl.UNTAuthenticator.authenticate(UNTAuthenticator.java:89) [libsts.jar:?]
        at com.vmware.identity.sts.auth.impl.CompositeAuthenticator.authenticate(CompositeAuthenticator.java:54) [libsts.jar:?]

Caused by: com.vmware.identity.interop.ldap.StrongAuthRequiredLdapException: Strong(er) authentication required
        at com.vmware.identity.interop.ldap.LdapErrorChecker$8.RaiseLdapError(LdapErrorChecker.java:141) ~[libvmware-identity-platform.jar:?]
        at com.vmware.identity.interop.ldap.LdapErrorChecker.CheckError(LdapErrorChecker.java:1102) ~[libvmware-identity-platform.jar:?]
        at com.vmware.identity.interop.ldap.OpenLdapClientLibrary.CheckError(OpenLdapClientLibrary.java:1282) ~[libvmware-identity-platform.jar:?]

Environment

VMware vCenter Server 8.0.x

Cause

The "Strong(er) authentication required LDAP error [code: 8]" entries in vmware-identity-sts.log are the Active Directory server's own response, not an error generated by vCenter Server. They occur when the vCenter Server, while authenticating a user or service account (such as a backup service account), issues an LDAP bind request that does not meet the level of authentication security the Active Directory server requires.

LDAP result code 8 (strongerAuthRequired) means the Active Directory server demands a stronger authentication method than the one the vCenter Server is offering. Because the identity source is configured as "Active Directory over LDAP", which typically means a plain ldap:// connection without SSL/TLS, the error reflects a mismatch between vCenter's client-side bind method and the security policy enforced on the Active Directory server.

This is confirmed by the LDAPServerIntegrity registry entry, located at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters on the Active Directory server, which has a value of 1. As described in Microsoft's documentation (KB4034879: Use the LdapEnforceChannelBinding registry entry to make LDAP authentication over SSL/TLS more secure - Microsoft Support), this setting enforces stronger authentication, specifically requiring LDAP signing for incoming LDAP traffic.
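As an added illustration (not part of this article), the following Python script parses lines shaped like the vmware-identity-sts.log excerpt above, groups them by CorId and separates bind failures caused by the domain controller rejecting a plain ldap:// bind (result code 8 / StrongAuthRequiredLdapException) from ordinary credential failures. The sample lines, hostnames, CorIds and principals are constructed placeholders, not values from the article.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the vmware-identity-sts.log excerpt above
# (timestamps, CorIds, hostnames and principals are placeholders).
SAMPLE_LOG = """\
2024-01-01T10:00:00 WARN sts[47:tomcat-http--1] [CorId=c1] [com.vmware.identity.interop.ldap.LdapErrorChecker] Error received by LDAP client: com.vmware.identity.interop.ldap.OpenLdapClientLibrary, error code: 8
2024-01-01T10:00:00 ERROR sts[47:tomcat-http--1] [CorId=c1] [com.vmware.identity.idm.server.ServerUtils] cannot establish ldap connection with URI: [ldap://dc01.example.test] because [com.vmware.identity.interop.ldap.StrongAuthRequiredLdapException] with reason [Strong(er) authentication required] therefore will try to attempt to use secondary URIs, if applicable
2024-01-01T10:00:00 ERROR sts[47:tomcat-http--1] [CorId=c1] [com.vmware.identity.idm.server.IdentityManager] Failed to authenticate principal [svc_backup@example.test] for tenant [vsphere.local]
2024-01-01T10:05:00 ERROR sts[47:tomcat-http--2] [CorId=c2] [com.vmware.identity.idm.server.IdentityManager] Failed to authenticate principal [jdoe@example.test] for tenant [vsphere.local]
"""

LINE_RE = re.compile(r"^(\S+) (\w+) sts\[[^\]]*\] \[CorId=([^\]]*)\] \[([^\]]*)\] (.*)$")
CODE_RE = re.compile(r"(?:error )?code: (\d+)")          # matches "error code: 8" and "[code: 8]"
URI_RE = re.compile(r"URI: \[(ldaps?://[^\]]*)\]")
PRINCIPAL_RE = re.compile(r"Failed to authenticate principal \[([^\]]*)\]")


def parse_sts_log(text):
    """Group log lines by correlation id; each group is one authentication attempt."""
    empty = lambda: {"codes": set(), "uris": [], "principal": None, "strong_auth": False}
    attempts = defaultdict(empty)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # stack-trace and continuation lines carry no CorId
        corid, msg = m.group(3), m.group(5)
        a = attempts[corid]
        a["codes"].update(int(c) for c in CODE_RE.findall(msg))
        a["uris"].extend(URI_RE.findall(msg))  # which DC rejected the bind (secondary URIs may be tried)
        if "StrongAuthRequiredLdapException" in msg or "Strong(er) authentication required" in msg:
            a["strong_auth"] = True
        p = PRINCIPAL_RE.search(msg)
        if p:
            a["principal"] = p.group(1)
    return dict(attempts)


def classify(attempt):
    """Separate 'DC requires signing, use LDAPS' failures from ordinary credential failures."""
    plain = any(u.startswith("ldap://") for u in attempt["uris"])
    code8 = 8 in attempt["codes"] or attempt["strong_auth"]
    if code8 and plain:
        return "ldap_signing_required"  # DC rejected the plain LDAP bind; move identity source to LDAPS
    if code8:
        return "strong_auth_other"      # code 8 without a plain ldap:// URI; inspect the bind method
    return "credential_or_other"        # no code 8 seen; treat as a genuine bad-password/other failure


def triage(text):
    """Map each CorId to (principal, verdict) so signing-related failures stand out."""
    return {cid: (a["principal"], classify(a)) for cid, a in parse_sts_log(text).items()}
```

Because the log shows vCenter falling back to secondary URIs, the per-attempt URI list is the quickest way to see which domain controller is enforcing signing while others still accept the plain bind, which explains why retries sometimes succeed.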

Resolution

To resolve the "Strong(er) authentication required LDAP error [code: 8]" and allow the backup service accounts to connect successfully, reconfigure the vCenter Server's Active Directory identity source to use LDAP over SSL (LDAPS).

KB for reference: Configuring a vCenter Single Sign-On Identity Source using LDAP with SSL (LDAPS)