Logging in to vSphere Web Client fails when using the Use Windows session authentication option

Article ID: 305677

Products

VMware vCenter Server

Issue/Introduction

Symptoms:
  • Login attempts fail when using the Use Windows session authentication option with the vSphere Web Client.
  • Login attempts fail when manually entering user credentials in the vSphere Web Client.
  • The Web Client returns an error similar to:
The authentication server returned an unexpected error: ns0:RequestFailed: Internal Error while creating SAML 2.0 Token. The error may be caused by a malfunctioning identity source.
  • The imsTrace.log file (located at C:\Program Files\VMware\Infrastructure\SSOServer\logs\) contains entries similar to:
2013-05-21 13:51:29,123, [castle-exec-14], (SecurityTokenServiceImpl.java:117), trace.com.rsa.riat.sts.impl.SecurityTokenServiceImpl, ERROR, hostname.tld.com,,,,Error while trying to generate RequestSecurityTokenResponse
java.lang.RuntimeException: java.net.ConnectException: Connection refused: connect
at com.rsa.riat.ws.security.trust.authn.impl.SSPISvcPlugin.authenticate(SSPISvcPlugin.java:215)
  • The imsTrace.log file (located at C:\Program Files\VMware\Infrastructure\SSOServer\utils\logs) contains entries similar to:
2013-04-30 13:38:05,952, [main], ( Utils.java:1235), trace.com.rsa.riat.tools.ConfigureRIATCmd, DEBUG, hostname.tld.com,,,,Installing SSPI service
2013-04-30 13:38:06,186, [main], (OrderedLoggingAction.java:53), trace.com.rsa.riat.tools.ConfigureRIATCmd, INFO, hostname.tld.com,,,,ERROR: Installing SSPI Windows service: 1




Environment

VMware vCenter Server 5.1.x

Cause

This issue occurs when the RSA Security Support Provider Interface (SSPI) service is not running or not installed due to permissions issues.
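
To tell the two cases apart from the logs, the following Python script scans imsTrace.log text for the two signatures quoted under Symptoms. It is an added example, not VMware's code or part of the original article; the function names and finding labels are assumptions of the example.

```python
import re

# One imsTrace.log record header:
# timestamp, [thread], (source:line), logger, LEVEL, host,,,,message
HEADER = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}), \[(?P<thread>[^\]]+)\], "
    r"\(\s*(?P<src>[^)]+)\), (?P<logger>[^,]+), (?P<level>[A-Z]+), "
    r"(?P<host>[^,]*),,,,(?P<msg>.*)$")
# The installer failure is logged at INFO, so match the message, not the level.
INSTALL_FAIL = re.compile(r"ERROR: Installing SSPI Windows service: (\d+)")

def parse_records(text):
    """Group lines into records; wrapped text and stack frames join the header before them."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            records.append({**m.groupdict(), "extra": []})
        elif records and line.strip():
            records[-1]["extra"].append(line.strip())
    return records

def triage(text):
    """Return (timestamp, finding, hint) for each of the two signatures in the article."""
    findings = []
    for rec in parse_records(text):
        body = " ".join([rec["msg"], *rec["extra"]])
        if "SSPISvcPlugin.authenticate" in body and "Connection refused" in body:
            findings.append((rec["ts"], "SSPI_UNREACHABLE",
                             "RSA SSPI service is not answering; check it is installed and started"))
        m = INSTALL_FAIL.search(body)
        if m:
            findings.append((rec["ts"], "SSPI_INSTALL_FAILED",
                             "install reported " + m.group(1) + "; check Network Service permissions"))
    return findings

# Constructed input: the article's own excerpts from both imsTrace.log files, concatenated.
SAMPLE = """\
2013-05-21 13:51:29,123, [castle-exec-14], (SecurityTokenServiceImpl.java:117), trace.com.rsa.riat.sts.impl.SecurityTokenServiceImpl, ERROR, hostname.tld.com,,,,Error while
trying to generate RequestSecurityTokenResponse
java.lang.RuntimeException: java.net.ConnectException: Connection refused: connect
at com.rsa.riat.ws.security.trust.authn.impl.SSPISvcPlugin.authenticate(SSPISvcPlugin.java:215)
2013-04-30 13:38:05,952, [main], ( Utils.java:1235), trace.com.rsa.riat.tools.ConfigureRIATCmd, DEBUG, hostname.tld.com,,,,Installing SSPI service
2013-04-30 13:38:06,186, [main], (OrderedLoggingAction.java:53), trace.com.rsa.riat.tools.ConfigureRIATCmd, INFO, hostname.tld.com,,,,ERROR: Installing SSPI Windows service: 1
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(*finding, sep=" | ")
```
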

Resolution

To resolve this issue, ensure that the RSA SSPI service is installed and running. When the RSA SSPI Service is installed and running, the Use Windows session credentials option works correctly.
  • To verify that the RSA SSPI Service is installed and running:
    1. On the Single Sign-On (SSO) server, click Start > Run.
    2. Type services.msc.
    3. Click OK.
    4. Start the service if it is not already started.
  • If the RSA SSPI service fails to start:
    1. You see the error:

       Access is denied

    2. Set the permissions on the SSO Server to ensure the Network Service, which is used to start the RSA SSPI Service, has read and execute permissions on the folder containing sspiservice.exe (located at C:\Program Files\VMware\Infrastructure\SSOServer\utils\bin\windows-x86_64\sspiservice.exe).
  • If the RSA SSPI service is not installed:
    1. Set the permissions on the SSO Server so that the Network Service, which is used to start the RSA SSPI Service, has read and execute permissions on the folder containing sspiservice.exe (located at C:\Program Files\VMware\Infrastructure\SSOServer\utils\bin\windows-x86_64\sspiservice.exe).

    2. Install the RSA SSPI Service using this command:

      C:\Program Files\VMware\Infrastructure\SSOServer\utils\bin\windows-x86_64>sspiservice.exe -i -s -b -l "C:\Program Files\VMware\Infrastructure\SSOServer\utils\bin\log4cxx.properties" -p port


      Note: Where port is taken from C:\Program Files\VMware\Infrastructure\SSOServer\webapps\ims\WEB-INF\classes\SPNegoAuthnPlugin.properties.


Additional Information

Logging in using the vSphere Client is unaffected by this issue.