When Linux users attempt Single Sign-On (SSO) into Aria products through VMware Identity Manager (vIDM), the login fails with the generic error "Your username or password is incorrect", as shown in the screenshot below.
Logins from Windows client machines work without issue.
The issue occurs when FIPS (Federal Information Processing Standards) mode is enabled on the vIDM instance.
The /opt/vmware/horizon/workspace/logs/horizon.log shows the SAML failure: Invalid SAML response. Cause: Received error SAML response
The /opt/vmware/horizon/workspace/logs/connector.log shows the FIPS cryptographic error: Fips error encountered during login of <username> : org.bouncycastle.crypto.fips.FipsUnapprovedOperationError: salt must be at least 128 bits
The failure is a conflict between the cryptographic requirements that FIPS mode enforces on the vIDM instance and the authentication requests coming from Linux client machines.
The presence of the fips.mode file in the /usr/local/horizon/conf/flags/ directory confirms that FIPS mode is active. The salt must be at least 128 bits message in connector.log is the Bouncy Castle FIPS provider (org.bouncycastle.crypto.fips) rejecting a cryptographic operation during authentication because its salt is shorter than the minimum that FIPS mode enforces; the SAML error in horizon.log is the downstream result of that rejected login.
To resolve the login failure while keeping FIPS mode enabled, the affected Linux users must change their passwords.
Any user whose password is shorter than 14 characters must set a new password of 14 characters or more.
Once the password meets the minimum length required under FIPS mode, the user can log in successfully. Windows client logins are unaffected, so only Linux users need to act.
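The following shell script is an added triage helper, not part of the original article or of VMware's own tooling. It checks for the fips.mode flag and extracts, from connector.log, the distinct usernames that hit the salt-length error, which is the list of accounts that need a password change. The flags directory and log file used here are scratch copies populated with constructed sample lines (the usernames jdoe, asmith and rlong are made up); on a real appliance you would point FLAGS_DIR and CONNECTOR_LOG at /usr/local/horizon/conf/flags and /opt/vmware/horizon/workspace/logs/connector.log instead.

```shell
#!/bin/sh
# Triage helper for the vIDM FIPS "salt must be at least 128 bits" login failure.
# Added example: scratch paths stand in for the appliance's real flags dir and log.

WORK="$(mktemp -d)"
FLAGS_DIR="$WORK/flags"               # stands in for /usr/local/horizon/conf/flags
CONNECTOR_LOG="$WORK/connector.log"   # stands in for /opt/vmware/horizon/workspace/logs/connector.log
mkdir -p "$FLAGS_DIR"
: > "$FLAGS_DIR/fips.mode"            # simulate FIPS mode being enabled

# Constructed sample log lines modelled on the error quoted in the article.
# Usernames are invented; the ERROR lines reproduce the real message text.
cat > "$CONNECTOR_LOG" <<'EOF'
2024-01-10 09:12:01,455 INFO  [Thread-5] auth - login attempt for jdoe
2024-01-10 09:12:01,460 ERROR [Thread-5] auth - Fips error encountered during login of jdoe : org.bouncycastle.crypto.fips.FipsUnapprovedOperationError: salt must be at least 128 bits
2024-01-10 09:12:05,100 ERROR [Thread-7] auth - Fips error encountered during login of asmith : org.bouncycastle.crypto.fips.FipsUnapprovedOperationError: salt must be at least 128 bits
2024-01-10 09:12:09,300 ERROR [Thread-5] auth - Fips error encountered during login of jdoe : org.bouncycastle.crypto.fips.FipsUnapprovedOperationError: salt must be at least 128 bits
2024-01-10 09:13:00,000 INFO  [Thread-9] auth - login succeeded for rlong
EOF

# Returns success (0) when the fips.mode flag file exists in the given flags directory.
fips_mode_enabled() {
    [ -f "$1/fips.mode" ]
}

# Prints each distinct username that triggered the FIPS salt-length error, one per line.
affected_users() {
    sed -n 's/.*Fips error encountered during login of \([^ ]*\) : .*salt must be at least 128 bits.*/\1/p' "$1" | sort -u
}

# Prints the number of salt-length error lines, to gauge how widespread the problem is.
count_salt_errors() {
    grep -c 'FipsUnapprovedOperationError: salt must be at least 128 bits' "$1"
}

# Stand-alone run: report the FIPS state and the users who need a password change.
if fips_mode_enabled "$FLAGS_DIR"; then
    echo "FIPS mode flag present in $FLAGS_DIR"
else
    echo "FIPS mode flag absent from $FLAGS_DIR"
fi
echo "Salt-length errors in log: $(count_salt_errors "$CONNECTOR_LOG")"
echo "Users to notify for a password change (must be 14+ characters per the article):"
affected_users "$CONNECTOR_LOG"
```

The sed pattern anchors on the literal "Fips error encountered during login of <username> :" text from the article, so unrelated ERROR lines are ignored; run it over the real connector.log from every cluster node, since each node logs only the logins it handled.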
Workaround (if a password change is not immediately possible; this disables FIPS mode)
To restore SSO for Linux users without changing passwords, FIPS mode can be disabled on the vIDM appliance. This removes FIPS enforcement for the whole appliance, not just for Linux logins, so treat it as a temporary measure until the affected passwords have been changed.
Steps to Disable FIPS Mode:
SSH into the vIDM appliance.
Move the FIPS mode flag file to a temporary directory:
mv /usr/local/horizon/conf/flags/fips.mode /opt/vmware/
Restart the horizon-workspace service to apply the change:
service horizon-workspace restart
After the service restarts, users logging in from Linux client machines via vIDM SSO will be able to log in successfully.
Note: In a vIDM cluster, perform the same change on every node; all nodes must remain configured identically (exact replicas).
To re-enable FIPS mode, move the fips.mode file back to the /usr/local/horizon/conf/flags/ directory and restart the horizon-workspace service again so the flag takes effect:
mv /opt/vmware/fips.mode /usr/local/horizon/conf/flags/
service horizon-workspace restart