The VMware Knowledge Base provides support solutions, error messages and troubleshooting guides
Unable to log in to vCenter Server with the vSphere Client or vSphere Web Client (2034798)
- A user who is a member of a local group on the Windows machine on which vCenter Server is installed might be unable to log in to vCenter Server using the vSphere Client or vSphere Web Client, even though the user's credentials are valid.
- Attempting to log in with the vSphere Client fails with one of these errors:
Cannot complete login due to an incorrect user name or password
The authentication server returned an unexpected error: ns0:RequestFailed: Internal Error while creating SAML 2.0 Token. The error may be caused by a malfunctioning identity source.
CauseWhen SSO is installed on a Windows machine joined to a domain, identity sources are created for both the local machine users and the domain. When a domain user is authenticated, SSO attempts to retrieve the user's local groups. If SSO is unable to retrieve these groups, login fails with the errors listed in the Symptoms above even though the user's credentials were valid.
imsTrace.login the SSO support bundle for the string
NetUserGetLocalGroupsto determine the error returned by the
NetUserGetLocalGroupsfunction. If the string
NetUserGetLocalGroupsdoes not appear in the log file, the problem is not caused by the issue described in this article.
imsTrace.logfile, located at
C:\Program Files\VMware\Infrastructure\SSOServer\logs, is regularly backed up and overwritten. If the login error occurred at a time earlier than the earliest time stamp in the
imsTrace.logfile, inspect the backup log files.
- If the error code is 1722 and the error message is
The RPC server is unavailable, follow these steps:
- Verify the DNS configuration.
NetUserGetLocalGroupsuses the short name for the Windows server (for example,
myserver.example.com). If DNS is unable to resolve the short name for the Windows server, the call to
- Ensure that port 135 is accessible on your domain controller.
- Ensure that NetBios over TCP/IP is enabled in the TCP/IP v4 settings on the Windows server.
- Check for error messages in the Event Log.
- Verify the DNS configuration.
- If any other error code appears, see the MSDN reference for
NetUserGetLocalGroups, and take the appropriate action for the relevant error.
- Regardless of the cause of the
NetUserGetLocalGroupsfailure, removing the local identity source will allow domain users to log in. Before doing this, you must ensure that at least one domain user has full Administrator privileges for the vCenter Server. By default, only the local Administrators group has these privileges. Removing the local identity source causes local users to be unable to log into vCenter Server. All permissions associated with local users and groups will be deleted when vCenter Server is next restarted.
Note: It has been additionally reported that this issue may be resolved by adding the other forest/domain to the DNS suffix list of the NIC. All the domains must be added to the DNS suffix which are added as Identity sources.
For information on a related issue, see Logging in to the vSphere Web Client fails with the error: ns0:RequestFailed: Internal Error while creating SAML 2.0 Token (2043070).
Request a Product Feature
To request a new product feature or to provide feedback on a VMware product, please visit the Request a Product Feature page.