VIDM users are prompted for username and password after applying patch CSP-97577, CSP-102547, or later

Article ID: 408521

Products

VCF Operations/Automation (formerly VMware Aria Suite)

Issue/Introduction

  • Kerberos was configured for VIDM before applying patch CSP-97577, CSP-102547, or later.
  • Users are now prompted to enter a username and password when signing in with their VIDM user.
  • RC4 has been disabled domain-wide in Active Directory for security reasons.
  • /opt/vmware/horizon/workspace/logs/workspace.log shows errors similar to:
    2025-08-24T10:18:01,343 INFO : com.vmware.horizon.adapters.kerberosAdapter.KerberosIdpAdapter - Initiating authentication using Kerberos
    2025-08-24T10:18:01,345 INFO : com.vmware.horizon.adapters.kerberosAdapter.KerberosIdpAdapter - Kerberos authentication failure: null
    2025-08-24T10:18:01,346 INFO : com.vmware.horizon.adapters.kerberosAdapter.KerberosIdpAdapter - Cause: Failure unspecified at GSS-API level (Mechanism level: Encryption type RC4 with HMAC is not supported/enabled)
    2025-08-24T10:18:01,346 INFO : com.vmware.horizon.connector.utils.SamlAssertionGeneratorUtil - Returning a saml failure response.
    

Environment

VIDM 3.3.7

Resolution

Set the msDS-SupportedEncryptionTypes attribute on the vIDM’s computer object in Active Directory to enforce an encryption type.

Check Encryption in Active Directory:

Command : PS C:\Users\Administrator> Get-ADComputer "<Computer Object Name>" -Properties msDS-SupportedEncryptionTypes

If no value is returned for "msDS-SupportedEncryptionTypes", set it with the command below:

Set Encryption in AD :

Command : PS C:\Users\Administrator> Set-ADComputer "<Computer Object Name>" -Replace @{'msDS-SupportedEncryptionTypes'=24}

After this, Kerberos logins should be reported as successful in /opt/vmware/horizon/workspace/logs/workspace.log:

 

2026-04-15T09:21:43,406 INFO : com.vmware.horizon.adapters.kerberosAdapter.KerberosIdpAdapter - Initiating authentication using Kerberos
2026-04-15T09:21:43,415 INFO : com.vmware.horizon.adapters.kerberosAdapter.KerberosIdpAdapter - Authentication SUCCESS: Administrator
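
The following is an added example, not part of the original article or of VMware's tooling: a small Python triage script that groups the KerberosIdpAdapter lines of workspace.log into authentication attempts and extracts the rejected encryption type, and that decodes an msDS-SupportedEncryptionTypes value into its bit flags (24 is 0x18, the AES128 and AES256 bits). It assumes the log line layout shown in the excerpts on this page and that attempts are not interleaved; the function and variable names are illustrative.

```python
import re
from enum import IntFlag

class EncType(IntFlag):
    """Bit flags of the msDS-SupportedEncryptionTypes attribute."""
    DES_CBC_CRC = 0x01
    DES_CBC_MD5 = 0x02
    RC4_HMAC = 0x04
    AES128_CTS_HMAC_SHA1_96 = 0x08
    AES256_CTS_HMAC_SHA1_96 = 0x10

def decode_enctypes(value):
    """Names of the encryption types enabled by an attribute value (None = unset)."""
    return [f.name for f in EncType if value and value & f]

# Line layout assumed from the workspace.log excerpts on this page.
LINE = re.compile(r"^(?P<ts>\S+) \w+ : \S*KerberosIdpAdapter - (?P<msg>.*)$")
ETYPE = re.compile(r"Encryption type (?P<etype>.+?) is not supported/enabled")

def kerberos_attempts(lines):
    """Group adapter lines into attempts, one per 'Initiating authentication' line."""
    attempts = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # not a KerberosIdpAdapter line (e.g. the SAML failure response)
        msg = m["msg"]
        if msg.startswith("Initiating authentication"):
            attempts.append({"ts": m["ts"], "result": "unknown", "user": None, "etype": None})
        elif attempts and msg.startswith("Authentication SUCCESS:"):
            attempts[-1].update(result="success", user=msg.split(":", 1)[1].strip())
        elif attempts and msg.startswith("Kerberos authentication failure"):
            attempts[-1]["result"] = "failure"
        elif attempts and (e := ETYPE.search(msg)):
            attempts[-1]["etype"] = e["etype"]  # the etype the appliance refused
    return attempts

# Sample input: the log lines quoted on this page.
SAMPLE = """\
2025-08-24T10:18:01,343 INFO : com.vmware.horizon.adapters.kerberosAdapter.KerberosIdpAdapter - Initiating authentication using Kerberos
2025-08-24T10:18:01,345 INFO : com.vmware.horizon.adapters.kerberosAdapter.KerberosIdpAdapter - Kerberos authentication failure: null
2025-08-24T10:18:01,346 INFO : com.vmware.horizon.adapters.kerberosAdapter.KerberosIdpAdapter - Cause: Failure unspecified at GSS-API level (Mechanism level: Encryption type RC4 with HMAC is not supported/enabled)
2025-08-24T10:18:01,346 INFO : com.vmware.horizon.connector.utils.SamlAssertionGeneratorUtil - Returning a saml failure response.
2026-04-15T09:21:43,406 INFO : com.vmware.horizon.adapters.kerberosAdapter.KerberosIdpAdapter - Initiating authentication using Kerberos
2026-04-15T09:21:43,415 INFO : com.vmware.horizon.adapters.kerberosAdapter.KerberosIdpAdapter - Authentication SUCCESS: Administrator
""".splitlines()

if __name__ == "__main__":
    print(decode_enctypes(24), *kerberos_attempts(SAMPLE), sep="\n")
```

A failed attempt whose extracted encryption type is RC4, combined with a computer object whose attribute is unset or decodes without an AES flag, matches the condition this article describes.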

 

If there are still issues after setting the encryption type to 24 in Active Directory, it is recommended to have the computer object leave the domain and then rejoin it before applying the above steps once more. Leaving and joining the domain should be done from the vIDM UI. Go to: Identity and Access Management > Setup > Connectors.

Note that if the domain is rejoined it will also be necessary to re-enable Kerberos in the auth-adapter as it is disabled by default on leaving the domain. 

Configuring and Enabling the Kerberos Authentication Adapter