"Unable to validate the submitted credential" login error when using vCenter Smartcard Authentication with IWA

Article ID: 423864

Products

VMware vCenter Server

Issue/Introduction

vCenter is configured for Smartcard authentication using Integrated Windows Authentication (IWA).

Errors in /var/log/vmware/sso/websso.log:

YYYY-MM-DDT00:00:00.000Z WARN websso[63:tomcat-http--14] [CorId=######] [com.vmware.identity.idm.server.provider.activedirectory.ActiveDirectoryProvider] There may be a domain join status change since native AD is configured. ActiveDirectoryProvider can function properly only when machine is properly joined

YYYY-MM-DDT00:00:00.000Z INFO websso[63:tomcat-http--14] [CorId=######] [com.vmware.identity.idm.server.provider.activedirectory.ActiveDirectoryProvider] Failed to retrieve default UPN for principal UPN
com.vmware.identity.idm.InvalidPrincipalException: Principal id UPN does not exist

Caused by: com.vmware.identity.interop.accountmanager.AccountManagerNativeException: Native platform error [code: 40008][LW_ERROR_NO_SUCH_USER][No such user]
        at com.vmware.identity.interop.accountmanager.LinuxAccountAdapter.lookupByUserName(LinuxAccountAdapter.java:323)
        at com.vmware.identity.idm.server.provider.activedirectory.ActiveDirectoryProvider.findUserPrincipalIdByAcctAdapter(ActiveDirectoryProvider.java:1636)

YYYY-MM-DDT00:00:00.000Z ERROR websso[63:tomcat-http--14] [CorId=#####] [com.vmware.identity.idm.server.provider.activedirectory.ActiveDirectoryProvider] Failed to retrieve user account flag for [UPN] via ldap
com.vmware.identity.interop.domainmanager.HostNotJoinedException: Local host is not joined.

Environment

vCenter Server 8.x

Cause

Integrated Windows Authentication requires the vCenter Server appliance to be joined to the Active Directory domain: the IWA identity source resolves the UPN taken from the smart card certificate through native AD user lookups on the joined host. When the appliance is not joined, or its join state has changed since the identity source was configured, those LDAP lookups fail (HostNotJoinedException and LW_ERROR_NO_SUCH_USER in websso.log) and the smart card login is rejected with "Unable to validate the submitted credential".

Resolution

Join (or re-join) the vCenter Server appliance to the Active Directory domain that backs the Integrated Windows Authentication (IWA) identity source.

1) Using the vSphere Client, log in to vCenter Server as a user with administrator privileges in the local vCenter Single Sign-On domain (vsphere.local by default).

2) Select Administration.

3) Expand Single Sign On and click Configuration.

4) Under the Identity Provider tab, click Active Directory Domain.

5) Click Join AD, enter the domain, optional organizational unit, and user name and password, and click Join.

6) Restart (reboot) the vCenter Server appliance so that the new domain join state takes effect, then retry the smart card login.
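The shell helper below is an added example for this article and is not VMware's code. It checks a websso.log for the three not-joined signatures quoted in the Issue section and, when run on the appliance, compares them with the output of the Likewise domain-join tool, so the cause can be confirmed before running the join steps above and verified again after the reboot. The path /opt/likewise/bin/domainjoin-cli and the "Domain = <name>" line that its query subcommand prints only on a joined host are assumptions of the example, not statements from the article; the log lines in the test are constructed from the excerpts above.

```shell
#!/usr/bin/env bash
# Added triage helper for the smart card + IWA "Unable to validate the
# submitted credential" failure described in this article. Not VMware code.
# Assumptions (not stated by the article):
#   - /opt/likewise/bin/domainjoin-cli exists on the vCenter Server appliance
#   - 'domainjoin-cli query' prints "Domain = <AD domain>" only when joined
WEBSSO_LOG="${WEBSSO_LOG:-/var/log/vmware/sso/websso.log}"
DOMAINJOIN_CLI="${DOMAINJOIN_CLI:-/opt/likewise/bin/domainjoin-cli}"

# classify_websso FILE: print each not-joined signature from the article that
# occurs in FILE; return 0 if at least one matched, 1 otherwise.
classify_websso() {
  local f="$1" hits=0
  if grep -q 'HostNotJoinedException: Local host is not joined' "$f"; then
    echo "websso: HostNotJoinedException (appliance is not domain joined)"
    hits=$((hits + 1))
  fi
  if grep -q 'LW_ERROR_NO_SUCH_USER' "$f"; then
    echo "websso: native user lookup failed with LW_ERROR_NO_SUCH_USER"
    hits=$((hits + 1))
  fi
  if grep -q 'domain join status change since native AD is configured' "$f"; then
    echo "websso: ActiveDirectoryProvider reports a domain join status change"
    hits=$((hits + 1))
  fi
  [ "$hits" -gt 0 ]
}

# parse_join_query TEXT: classify 'domainjoin-cli query' output (assumed
# format above). Prints "JOINED <domain>" and returns 0, or "NOT_JOINED"
# and returns 1.
parse_join_query() {
  local domain
  domain=$(printf '%s\n' "$1" \
    | sed -n 's/^[[:space:]]*Domain[[:space:]]*=[[:space:]]*//p' | head -n 1)
  if [ -n "$domain" ]; then
    echo "JOINED $domain"
    return 0
  fi
  echo "NOT_JOINED"
  return 1
}

# join_status: query the Likewise tool on the appliance and classify its
# output. Returns 2 when the tool is absent (not running on the appliance).
join_status() {
  local out
  if [ ! -x "$DOMAINJOIN_CLI" ]; then
    echo "UNKNOWN: $DOMAINJOIN_CLI not found; run this on the vCenter appliance"
    return 2
  fi
  out=$("$DOMAINJOIN_CLI" query 2>/dev/null) || out=""
  parse_join_query "$out"
}

# triage [LOG]: return 0 when the log carries the not-joined signatures and
# the host does not report a joined state, i.e. this article's cause applies.
# After the join and reboot, a healthy appliance makes this return 1.
triage() {
  local log="${1:-$WEBSSO_LOG}" rc=1
  classify_websso "$log" && rc=0
  if join_status; then
    echo "host reports a joined domain; the not-joined cause in this article does not apply"
    rc=1
  fi
  return "$rc"
}

# Usage on the appliance:  bash iwa_triage.sh triage
if [ "${1:-}" = "triage" ]; then
  triage "$WEBSSO_LOG"
fi
```

Run it once before joining (expect the three websso signatures and NOT_JOINED or UNKNOWN) and once after the reboot in step 6 (expect JOINED with the domain you entered in step 5); if the signatures keep appearing with JOINED reported, the problem is no longer the domain join itself.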

Additional Information

Removal of Integrated Windows Authentication

Who Is Affected?

If you have configured vCenter Server to access Active Directory over LDAP with TLS (LDAPS) or through Identity Federation, you are not affected by the removal of IWA. You can check which identity source type is in use by viewing your Identity Sources in the vSphere Client.