Error : 'Unable to authenticate user' when logging in to VCF Operations for Logs 9.x using Active Directory users
Article ID: 440376
Updated On:
Products
VCF Operations
VCF Operations/Automation (formerly VMware Aria Suite)
Issue/Introduction
- When you attempt to log in to VCF Operations for Logs using Active Directory (AD) credentials, the login fails with the following error message:
Unable to authenticate user - Additionally, you may observe a red box error on the VCF Operations for logs Authentication configuration page when clicking on the Active Directory configuration. The status of the configuration will also intermittently change from enabled to disabled, or disabled to enabled.
- The
/storage/core/loginsight/var/runtime.logrecords the following error message:[WARN] [com.vmware.loginsight.aaa.ad.ActiveDirectoryValidator] [Unable to validate Active Directory credentials. Please check your Active Directory DNS name, port, and SSL settings as well as your username and password.; IllegalStateException: Cannot write application data until initial handshake completed.][WARN] [com.vmware.loginsight.prodcheck.lib.ActiveDirectoryCheck] [Wasn't able to authenticate to active directory]com.vmware.loginsight.commons.exceptions.AuthenticationException: Unable to validate Active Directory credentials. Please check your Active Directory DNS name, port, and SSL settings as well as your username and password.at com.vmware.loginsight.aaa.ad.ActiveDirectoryValidator.validateActiveDirectoryConnection(ActiveDirectoryValidator.java:109) ~[auth-lib.jar:?]Caused by: com.vmware.loginsight.commons.exceptions.AuthenticationException: Invalid or untrusted domain '<Domain_name>'.at com.vmware.loginsight.aaa.krb5.ActiveDirectoryQueryHelper.getActiveDirectoryConfigurationAttributes(ActiveDirectoryQueryHelper.java:972) ~[auth-lib.jar:?]at com.vmware.loginsight.aaa.ad.ActiveDirectoryValidator.validateActiveDirectoryConnection(ActiveDirectoryValidator.java:102) ~[auth-lib.jar:?]... 5 moreCaused by: javax.naming.NamingExceptionat com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(Unknown Source) ~[?:?]Caused by: java.lang.IllegalStateException: Cannot write application data until initial handshake completed.at org.bouncycastle.tls.TlsProtocol.writeApplicationData(TlsProtocol.java:1005) ~[bctls-fips-2.0.19.jar:2.0.19]at org.bouncycastle.jsse.provider.ProvSSLSocketDirect$AppDataOutput.write(ProvSSLSocketDirect.java:630) ~[bctls-fips-2.0.19.jar:2.0.19]or[ERROR] [com.vmware.loginsight.database.dao.CACertificateDO] [Unable to close file output stream:]java.io.EOFException: no data in keystore streamat org.bouncycastle.jcajce.provider.ProvBCFKS$BCFIPSKeyStoreSpi.engineLoad(Unknown Source) ~[bc-fips-2.0.0.jar:2.0.0]at java.security.KeyStore.load(Unknown Source) ~[?:?][INFO] [com.vmware.loginsight.commons.security.UrlConnectionManager] [Loading truststore from path: /usr/java/jre-vmware/lib/security/cacerts][ERROR] [com.vmware.loginsight.database.dao.CACertificateDO] [Unable to get alias of certificate. no data in keystore stream][ERROR] [com.vmware.loginsight.database.dao.CACertificateDO] [Unable to get custom CA certificates after checkAndRestoreTruststore was called. no data in keystore stream][ERROR] [com.vmware.loginsight.commons.security.UrlConnectionManager] [Failed to create trust manager]java.security.KeyStoreException: Failed to load default trust store
Environment
VCF Operations for Logs 9.x
Cause
This issue is caused by truststore corruption within VCF Operations for Logs. Truststore corruption often occurs during or after product upgrades, abrupt system shutdowns, or due to disk space exhaustion, leading to this abnormal authentication behavior.
Resolution
To resolve this issue,Replace the corrupted truststore file by following the detailed procedure outlined in Broadcom KB 325769.
Feedback
Yes
No
Powered by
