After using a service account to configure an Identity Source in vCenter Single Sign-On, users from that domain are unable to log in (2037546)

Symptoms

  • vCenter Single Sign-On (SSO) failed to discover the Identity Source automatically during installation, so the Identity Source was created manually in the vSphere Web Client, and a non-administrator account (for example, a service account) was used to connect SSO to Active Directory.
  • Logging in to the vSphere Client or vSphere Web Client with a domain account from an Identity Source that was added manually in SSO fails with an error:

    • Web Client logins fail with the error:

      Provided credentials are not valid

    • vSphere Client logins fail with the error:

      Cannot complete login due to an incorrect user name or password.

  • In the imsTrace.log file, you see a message which indicates that the login failed because the account is disabled:

    <DOMAINNAME>,,,,The principal with ID: <USERNAME> is disabled. Reason: ReasonKey[AUTHN_PRINCIPAL_DISABLED]
    [castle-exec-46], (IMSUtilImpl.java:198), trace.com.rsa.riat.utils.IMSUtil, ERROR, <DOMAINNAME>,,,,Authentication Failed. Invalid credentials. State: failed


  • You see this error in the imsTrace.log file:

    Error while trying to generate RequestSecurityTokenResponse

Resolution

When an Identity Source is added manually in vCenter Single Sign-On (SSO), many domains require the Password authentication type. With this type SSO binds to the directory with an account you supply, and the expected default is a valid administrator account in that directory.

Where policy does not allow an administrator account to be used for this purpose, a service account may be used instead. The service account must then be able to read the properties and attributes of every user (and group) that is intended to log in to vSphere. If it cannot read these attributes, SSO cannot determine the state of the account (the imsTrace.log entry reports the principal as disabled) and the login fails even though the user's own credentials are correct. The fix is to grant the service account read permission on the required attributes.

The appropriate permissions for SSO can be provided by using one of these options:
  • A domain administrator account
  • A service account with full read-only permissions on the entire user/group sub-tree that is to have access to vSphere
  • A service account with read permission on these specific attributes across the entire user/group sub-tree that is to have access to vSphere:

    tokenGroups
    memberOf
    cn
    name
    givenName
    sn
    initials
    comment
    distinguishedName
    sAMAccountName
    sAMAccountType
    userPrincipalName
    userAccountControl
    accountExpires
    description
    lockoutTime
    objectGUID
    objectSid
    userCertificate

For information on account permissions in Active Directory, see the Microsoft TechNet article, Active Directory Users, Computers, and Groups.

Note: The preceding link was correct as of March 14, 2014. If you find the link is broken, provide feedback and a VMware employee will update the link.
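As an added example (not part of the KB article and not VMware's tooling), the following PowerShell shows how to confirm that the SSO service account really is the cause, and how to grant it the third option above. The check reads the attribute list for one test user twice, once as a privileged logon and once as the service account: attributes the privileged read returns but the service-account read omits are the ones the service account lacks Read Property on (Active Directory silently drops unreadable attributes rather than erroring). The fix grants Read Property on each listed attribute, inherited to user objects under an OU, with dsacls. The domain (corp.example), OU, service account (CORP\svc-vsphere-sso) and test user (jdoe) are assumptions; group objects in the same sub-tree would need the analogous grant with an inherited object type of group.

```powershell
# Added example, not from the KB article. All domain, OU, account and user names
# are assumptions for illustration; replace them with your own.
Add-Type -AssemblyName System.DirectoryServices

# Attribute list from the article (LDAP display names; AD matches them case-insensitively).
$SsoAttributes = @(
    'tokenGroups', 'memberOf', 'cn', 'name', 'givenName', 'sn', 'initials', 'comment',
    'distinguishedName', 'sAMAccountName', 'sAMAccountType', 'userPrincipalName',
    'userAccountControl', 'accountExpires', 'description', 'lockoutTime',
    'objectGUID', 'objectSid', 'userCertificate'
)

function Get-ReadableSsoAttributes {
    # Returns the (lower-cased) names of the listed attributes that AD actually hands
    # back for $UserDn when read as $Credential (or as the current logon if omitted).
    param(
        [Parameter(Mandatory)] [string] $UserDn,
        [pscredential] $Credential
    )
    $path = "LDAP://$UserDn"
    $who  = if ($Credential) { $Credential.UserName } else { 'current logon' }
    $entry = if ($Credential) {
        New-Object System.DirectoryServices.DirectoryEntry -ArgumentList $path,
            $Credential.UserName, $Credential.GetNetworkCredential().Password
    } else {
        New-Object System.DirectoryServices.DirectoryEntry -ArgumentList $path
    }
    # tokenGroups is a constructed attribute that AD only returns for a base-scope
    # search of the object itself, so search the user entry with scope Base.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher -ArgumentList $entry, '(objectClass=user)'
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::Base
    foreach ($a in $SsoAttributes) { [void]$searcher.PropertiesToLoad.Add($a) }
    try {
        $result = $searcher.FindOne()
    } catch {
        throw "Bind or search as '$who' failed: $($_.Exception.Message)"
    }
    # No result at all means the account cannot even see the user object (no Read on it).
    if (-not $result) { return @() }
    # AD omits attributes the caller may not read, so the returned names are the readable set.
    return @($result.Properties.PropertyNames | ForEach-Object { $_.ToLowerInvariant() })
}

function Compare-SsoReadAccess {
    # Lists the SSO attributes a privileged read returns but the service account cannot read.
    # Run this from a domain-admin session so the reference read is complete.
    param(
        [Parameter(Mandatory)] [string] $UserDn,
        [Parameter(Mandatory)] [pscredential] $ServiceAccount
    )
    $privileged = Get-ReadableSsoAttributes -UserDn $UserDn
    if ($privileged.Count -eq 0) { throw "The current logon cannot read $UserDn; run as a domain admin." }
    $asService = Get-ReadableSsoAttributes -UserDn $UserDn -Credential $ServiceAccount
    # Attributes that are simply empty on this user are absent from both reads and are not
    # reported; only permission gaps show up as a difference.
    return @($SsoAttributes | Where-Object {
        ($privileged -contains $_.ToLowerInvariant()) -and -not ($asService -contains $_.ToLowerInvariant())
    })
}

function Grant-SsoReadProperty {
    # Grants Read Property (RP) on each attribute for user objects under $OuDn, inherited
    # to the whole sub-tree (/I:T). Requires rights to modify the OU's security descriptor.
    param(
        [Parameter(Mandatory)] [string] $OuDn,            # e.g. 'OU=Users,DC=corp,DC=example'
        [Parameter(Mandatory)] [string] $ServiceAccount,  # e.g. 'CORP\svc-vsphere-sso'
        [string[]] $Attributes = $SsoAttributes
    )
    foreach ($a in $Attributes) {
        & dsacls.exe $OuDn /I:T /G "${ServiceAccount}:RP;$a;user"
    }
}

# Usage with the constructed names (run from a domain-admin session):
#   $svc = Get-Credential 'CORP\svc-vsphere-sso'
#   $gaps = Compare-SsoReadAccess -UserDn 'CN=jdoe,OU=Users,DC=corp,DC=example' -ServiceAccount $svc
#   if ($gaps) { Grant-SsoReadProperty -OuDn 'OU=Users,DC=corp,DC=example' -ServiceAccount 'CORP\svc-vsphere-sso' -Attributes $gaps }
```

Passing `-Attributes $gaps` grants only what the comparison found missing, which keeps the service account at the minimum the article calls for rather than the full read-only option; re-run Compare-SsoReadAccess afterwards and expect an empty result before retrying the vSphere login.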


Additional Information


This Article Replaces

2050286
