Logging in to vSphere Web Client fails when using the Use Windows session authentication option
book
Article ID: 305677
calendar_today
Updated On:
Products
VMware vCenter Server
Issue/Introduction
Symptoms:
Log in attempts fail when using the Use Windows session authentication option with the vSphere Web Client.
Log in attempts fails when manually entering user credentials in the vSphere Web Client.
The Web Client returns an error similar to:
The authentication server returned an unexpected error: ns0:RequestFailed: Internal Error while creating SAML 2.0 Token. The error may be caused by a malfunctioning identity source.
In the imsTrace.log(located at C:\Program Files\VMware\Infrastructure\SSOServer\logs\) contains entries similar to:
2013-05-21 13:51:29,123, [castle-exec-14], (SecurityTokenServiceImpl.java:117), trace.com.rsa.riat.sts.impl.SecurityTokenServiceImpl, ERROR, hostname.tld.com,,,,Error while
This issue occur when the RSA Security Support Provider Interface (SSPI) service is not running or not installed due to permissions issues.
Resolution
To resolve this issue, ensure you have the RSA SSPI service installed and running. When the RSA SSPI Service is installed and running, the Use Windows session credentials work correctly.
To verify that the RSA SSPI Service is installed and running:
On the Single Sign-On (SSO) server, click Start > Run.
Type services.msc.
Click OK.
Start the service if it is not already started.
If the RSA SSPI service fails to start:
You see the error:
Access is denied
Set the permissions on the SSO Server to ensure the Network Service, which is used to start the RSA SSPI Service, has read and execute permissions on the folder containing sspiservice.exe (located at C:\Program Files\VMware\Infrastructure\SSOServer\utils\bin\windows-x86_64\sspiservice.exe).
If the RSA SSPI service is not installed:
Set the permissions on the SSO Server so that the Network Service, which is used to start the RSA SSPI Service, has read and execute permissions on the folder containing sspiservice.exe (located at C:\Program Files\VMware\Infrastructure\SSOServer\utils\bin\windows-x86_64\sspiservice.exe).
Install the RSA SSPI Service using this command:
C:\Program Files\VMware\Infrastructure\SSOServer\utils\bin\windows-x86_64>sspiservice.exe -i -s -b -l "C:\Program Files\VMware\Infrastructure\SSOServer\utils\bin\log4cxx.properties" -p port
Note: Where port is taken from C:\Program Files\VMware\Infrastructure\SSOServer\webapps\ims\WEB-INF\classes\SPNegoAuthnPlugin.properties.
Additional Information
Logging in using the vSphere Client is unaffected by this issue.