Active Directory users with customized UPN user names cannot use Windows session credentials to log into the vSphere Client or vSphere Web Client (2036529)
Symptoms
- You cannot log into the vSphere Web Client.
- You cannot log into the vSphere Client.
- vCenter Single Sign On is installed on a Windows system.
- The Use Windows Session Authentication option is selected during login.
- Attempting to log in using the vSphere Client or vSphere Web Client fails with the pop-up message:
Provided credentials are not valid
Cause
alice@company.com can be customized to be alice@sales.company.com. Active Directory users with these custom suffixes cannot log into the vSphere Web Client using Windows session credentials when vCenter Single Sign On is installed on a Windows system.
- For example, in the imsRuntimeAudit.log file located in C:\Program Files\VMware\Infrastructure\sso server\, you see messages similar to:
2012-09-21 07:28:30,570, 1ed8d6200100007f06edfadabc610d7a,05c709320100007f21453d728d1866b0,,
127.0.0.1,STS_TOKEN_ISSUE_EVENT,40001,FAIL,AUTHN_PRINCIPAL_NOT_FOUND,,SYSTEM,SYSTEM,
SYSTEM,testuser@domain,SYSTEM,SYSTEM,,,,,,,,,,,,,,,,,,,,
2012-09-24 16:54:27,315,23105af20100007f2e3cf0f6af381ceb,05c709320100007f21453d728d1866b0,
,127.0.0.1,AUTHN_LOGIN_EVENT,13002,SUCCESS,AUTHN_METHOD_SUCCESS,
1e0233bc0100007f67a934d5b646d074xE67y40+yxP,2263ca5e0100007f336bd4205d18be85,
1ff067280100007f2cff84210a4226df,000000000000000000001000e0011000,testuser,testuser,
vmuser,,,,,,000000000000000000001000f0022001,LDAP_Password,,,,,,,,,,,,,
Later on, you see the session returns testuser@DOMAIN.LOCAL instead of testuser@domain. This indicates that the domain name is not following UPN standards, and can cause the session to not be accepted by the vSphere Client or vSphere Web Client.
- Following the session, you notice the domain name change:
2012-09-24 16:54:31,573,20e255360100007f66b9915ad8b4edaf,05c709320100007f21453d728d1866b0,,
127.0.0.1,STS_TOKEN_ISSUE_EVENT,40001,SUCCESS,,,
"CN=testuser,OU=DomainAdmins,OU=IS,OU=UserAccounts,DC=secure,DC=vmware,DC=com",
1ff067280100007f2cff84210a4226df,000000000000000000001000e0011000,testuser@DOMAIN.LOCAL,
Username,vmuser,,,,,,,,,,,,,,,,,,,,
2012-09-24 17:23:41,833, 7a19d5af0100007f1df41e934778df5c,05c709320100007f21453d728d1866b0,,127.0.0.1,
AUTHN_LOGIN_EVENT,13002,SUCCESS,AUTHN_METHOD_SUCCESS,788d13750100007f0d8a101759ccde14O1GgM8kpOMe,
2263ca5e0100007f336bd4205d18be85,1ff067280100007f2cff84210a4226df,000000000000000000001000e0011000,
testuser,testuser,vmuser,,,,,,000000000000000000001000f0022001,LDAP_Password,,,,,,,,,,,,,
2012-09-24 17:23:44,096,0106993b0100007f36c0ae9603868840,05c709320100007f21453d728d1866b0,,127.0.0.1,
STS_TOKEN_ISSUE_EVENT,40001,SUCCESS,,,2263ca5e0100007f336bd4205d18be85,
1ff067280100007f2cff84210a4226df,000000000000000000001000e0011000,testuser@domain.local,
testuser,vmuser,,,,,,,,,,,,,,,,,,,,
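The audit-log check described above can be scripted. The following Python is an added example, not VMware code: it rejoins wrapped imsRuntimeAudit.log records, picks out STS_TOKEN_ISSUE_EVENT entries, and reports user names whose domain suffix changes between entries. The sample records are constructed from the excerpts above with placeholder IDs, and because the page does not document the column layout, fields are matched by value rather than by position (an assumption).

```python
import csv
import re
from collections import defaultdict

# Constructed sample modeled on the article's excerpts; IDs are placeholders.
SAMPLE = """\
2012-09-21 07:28:30,570, aaaa0001,bbbb0001,,
127.0.0.1,STS_TOKEN_ISSUE_EVENT,40001,FAIL,AUTHN_PRINCIPAL_NOT_FOUND,,SYSTEM,SYSTEM,
SYSTEM,testuser@domain,SYSTEM,SYSTEM,,,,
2012-09-24 16:54:27,315,aaaa0002,bbbb0001,,127.0.0.1,AUTHN_LOGIN_EVENT,13002,SUCCESS,,testuser
2012-09-24 16:54:31,573,aaaa0003,bbbb0001,,
127.0.0.1,STS_TOKEN_ISSUE_EVENT,40001,SUCCESS,,,
"CN=testuser,OU=UserAccounts,DC=secure,DC=vmware,DC=com",cccc0001,testuser@DOMAIN.LOCAL,
Username,vmuser,,,,
2012-09-24 17:23:44,096,aaaa0004,bbbb0001,,127.0.0.1,
STS_TOKEN_ISSUE_EVENT,40001,SUCCESS,,,cccc0002,testuser@domain.local,testuser,vmuser,,,,
"""

RECORD_START = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}")
UPN = re.compile(r"^[^@\s,=]+@[A-Za-z0-9.-]+$")

def records(text):
    """Rejoin wrapped lines; a new record begins with a timestamp."""
    buf = ""
    for line in (l.strip() for l in text.splitlines()):
        if RECORD_START.match(line) and buf:
            yield buf
            buf = ""
        buf += line
    if buf:
        yield buf

def token_events(text):
    """Yield (timestamp, outcome, principal) per STS_TOKEN_ISSUE_EVENT record."""
    for rec in records(text):
        f = [x.strip() for x in next(csv.reader([rec]))]  # csv keeps the quoted DN whole
        if "STS_TOKEN_ISSUE_EVENT" not in f:
            continue
        outcome = "FAIL" if "FAIL" in f else "SUCCESS"
        # Assumption: column order is undocumented, so take the first user@suffix value.
        principal = next((x for x in f if UPN.match(x)), None)
        yield f"{f[0]},{f[1]}", outcome, principal

def suffix_variants(text):
    """Return users whose token events carry more than one spelling of the suffix."""
    seen = defaultdict(set)
    for _, _, principal in token_events(text):
        if principal:
            user, suffix = principal.split("@", 1)
            seen[user.lower()].add(suffix)
    return {u: sorted(s) for u, s in seen.items() if len(s) > 1}
```

Calling `suffix_variants()` on the text of a real log lists every account whose suffix differs between token-issue entries, which is the pattern the excerpts above show for testuser.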
Resolution
This is a known issue and a fix is currently being investigated by VMware Engineering for inclusion in a future release.
To work around this issue, use one of these options:
- Log in without selecting the Use Windows Session Authentication option in the vSphere Client or the vSphere Web Client.
- When vCenter Single Sign On is installed on a Windows system, Active Directory users with custom suffixes must log into the vSphere Web Client or vSphere Client using their user name with the non-customized domain name as a suffix.
Note: If you encounter similar issues after upgrading to vCenter Server 5.1.0b, see AD users with customized UPN user names cannot log into vCenter Server after upgrade to vSphere 5.1.b (2044150).

