Unable to log in to vCenter Server with the vSphere Client or vSphere Web Client (2034798)
Details
Symptoms
- A user who is a member of a local group on the Windows machine on which vCenter Server is installed might be unable to log in to vCenter Server using the vSphere Client or vSphere Web Client, even though the user's credentials are valid.
- Attempting to log in with the vSphere Client fails with one of these errors:
  - Cannot complete login due to an incorrect user name or password
  - The authentication server returned an unexpected error: ns0:RequestFailed: Internal Error while creating SAML 2.0 Token. The error may be caused by a malfunctioning identity source.
Cause
When SSO is installed on a Windows machine joined to a domain, identity sources are created for both the local machine users and the domain. When a domain user is authenticated, SSO attempts to retrieve the user's local groups. If SSO is unable to retrieve these groups, login fails with the errors listed in the Symptoms above even though the user's credentials were valid.
Solution
- Inspect the imsTrace.log in the SSO support bundle for the string NetUserGetLocalGroups to determine the error returned by the NetUserGetLocalGroups function. If the string NetUserGetLocalGroups does not appear in the log file, the problem is not caused by the issue described in this article.
  Note: The imsTrace.log file, located at C:\Program Files\VMware\Infrastructure\SSOServer\logs, is regularly backed up and overwritten. If the login error occurred at a time earlier than the earliest time stamp in the imsTrace.log file, inspect the backup log files.
- If the error code is 1722 and the error message is The RPC server is unavailable, follow these steps:
  - Verify the DNS configuration. NetUserGetLocalGroups uses the short name for the Windows server (for example, myserver instead of myserver.example.com). If DNS is unable to resolve the short name for the Windows server, the call to NetUserGetLocalGroups fails.
  - Ensure that port 135 is accessible on your domain controller.
  - Ensure that NetBios over TCP/IP is enabled in the TCP/IP v4 settings on the Windows server.
  - Check for error messages in the Event Log.
- If any other error code appears, see the MSDN reference for NetUserGetLocalGroups, and take the appropriate action for the relevant error.
- Regardless of the cause of the NetUserGetLocalGroups failure, removing the local identity source will allow domain users to log in. Before doing this, you must ensure that at least one domain user has full Administrator privileges for the vCenter Server. By default, only the local Administrators group has these privileges. Removing the local identity source causes local users to be unable to log in to vCenter Server. All permissions associated with local users and groups will be deleted when vCenter Server is next restarted.
Note: It has also been reported that this issue may be resolved by adding the other forest/domain to the DNS suffix list of the NIC. Every domain that is added as an identity source must be in the DNS suffix list.
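The checks above can be run in one pass from the SSO server. This is an added example, not part of the original article or VMware's own tooling; it only reads state and changes nothing. It assumes Windows Server 2012 R2 or later (for Resolve-DnsName and Test-NetConnection), that backup logs share the imsTrace prefix, and a placeholder domain controller name.

```powershell
# Added example: read-only checks for the steps in this article.
param(
    # Log path as given in the article.
    [string]$LogDir = 'C:\Program Files\VMware\Infrastructure\SSOServer\logs',
    # Placeholder: replace with the name of your domain controller.
    [string]$DomainController = 'dc01.example.com'
)

# 1. Look for NetUserGetLocalGroups in the live log and its backups.
#    Assumption: backup files share the imsTrace prefix.
$hits = Get-ChildItem -Path $LogDir -Filter 'imsTrace*' |
    Select-String -Pattern 'NetUserGetLocalGroups' -SimpleMatch
if (-not $hits) {
    'NetUserGetLocalGroups not found in any log: this article does not apply.'
    return
}
$hits | Select-Object -Last 5 |
    ForEach-Object { '{0}:{1}: {2}' -f $_.Filename, $_.LineNumber, $_.Line }

# 2. The call uses the short server name, so it must resolve through DNS
#    (the NIC's DNS suffix list is what completes the unqualified name).
$short = $env:COMPUTERNAME
try {
    $records = Resolve-DnsName -Name $short -DnsOnly -ErrorAction Stop
    $ips = ($records | Where-Object { $_.IPAddress } | ForEach-Object { $_.IPAddress }) -join ', '
    "DNS resolves short name '$short' to: $ips"
} catch {
    "DNS cannot resolve short name '$short': $($_.Exception.Message)"
}

# 3. Port 135 (RPC endpoint mapper) must be reachable on the domain controller.
$rpc = Test-NetConnection -ComputerName $DomainController -Port 135 -WarningAction SilentlyContinue
"TCP 135 on ${DomainController}: " + $(if ($rpc.TcpTestSucceeded) { 'reachable' } else { 'NOT reachable' })

# 4. NetBIOS over TCP/IP per adapter: 0 = default (from DHCP), 1 = enabled, 2 = disabled.
Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    Select-Object Description, TcpipNetbiosOptions
```

The matching log lines printed in step 1 carry the error code to compare against 1722.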
For information on a related issue, see Logging in to the vSphere Web Client fails with the error: ns0:RequestFailed: Internal Error while creating SAML 2.0 Token (2043070).

