Logging into the vSphere Web Client 5.5 fails with the error: Provided credentials are not valid.

Article ID: 342994

Products

VMware vCenter Server
VMware vSphere ESXi

Issue/Introduction

Symptoms:
  • Cannot log in to the vSphere Web Client or vSphere Client using a domain user account
  • When logging into the vSphere Web Client, you see the error:

    Provided credentials are not valid.

  • When logging into the vSphere Client, you see the error:

    Cannot complete login due to incorrect user name or password.

  • Specifying the User Principal Name (UPN) or the down-level logon name for the user account allows authentication to succeed
  • In the vmware-sts-idmd log file (located at: C:\ProgramData\VMware\CIS\logs\vmware-sso), you see entries similar to:

    2013-09-03 16:31:40,821 ERROR [IdentityManager] Failed to authenticate principal [administrator] for tenant [vsphere.local]
    2013-09-03 16:31:40,927 ERROR [ServerUtils] Exception 'com.vmware.identity.idm.IDMLoginException: Login failed' com.vmware.identity.idm.IDMLoginException: Login failed
    at com.vmware.identity.idm.server.IdentityManager.authenticate(IdentityManager.java:2334)
    at sun.reflect.GeneratedMethodAccessor58.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at sun.rmi.server.UnicastServerRef.dispatch(Unknown Source)
    at sun.rmi.transport.Transport$1.run(Unknown Source)
    at sun.rmi.transport.Transport$1.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.rmi.transport.Transport.serviceCall(Unknown Source)
    at sun.rmi.transport.tcp.TCPTransport.handleMessages(Unknown Source)
    at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run0(Unknown Source)
    at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)
    2013-09-03 16:31:40,927 INFO [IdentityManager] Authentication failed for user [administrator] in tenant [vsphere.local] in [433] milliseconds


Environment

VMware vCenter Server 5.5.x
VMware vSphere Web Client 5.5.x

Cause

This is an expected behavior.

Only the Identity Source that is configured as the default domain within Single Sign-On (SSO) allows users to log in without specifying the full UPN (user@domain) or the down-level logon name (domain\user). By default, the Internal OS (Local OS) identity source is configured as the default domain for SSO 5.5, so logging in as administrator resolves to administrator@<FQDNofSSOServer>. Because only a single default domain can be configured, when multiple identity sources are configured for Single Sign-On 5.5, users logging in to the vSphere Web Client from any other identity source must specify their domain information using either a User Principal Name (UPN) or the down-level logon name.
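
The following is an added example, not part of the original article or VMware's tooling: it scans vmware-sts-idmd lines in the format quoted above and separates failures for unqualified names (which SSO checks against the default domain only) from failures for UPN or down-level names. The sample lines for jsmith and EXAMPLE\jsmith are constructed, and it is an assumption that qualified names are logged inside the brackets as typed.

```python
import re
from collections import Counter

# Failure line format as quoted from vmware-sts-idmd in this article.
FAIL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) ERROR \[IdentityManager\] "
    r"Failed to authenticate principal \[(?P<principal>[^\]]*)\] "
    r"for tenant \[(?P<tenant>[^\]]*)\]"
)

def name_form(principal):
    """Return 'down-level' (domain\\user), 'upn' (user@domain) or 'bare'."""
    if "\\" in principal:
        return "down-level"
    if "@" in principal:
        return "upn"
    return "bare"

def failed_logins(lines):
    """Yield (timestamp, principal, tenant, form) for each failure line."""
    for line in lines:
        m = FAIL_RE.match(line.strip())
        if m:
            p = m.group("principal")
            yield m.group("ts"), p, m.group("tenant"), name_form(p)

def bare_name_failures(lines):
    """Count failures per unqualified name; SSO tried these against the
    default domain only, so they point to this article's cause."""
    return Counter(p for _, p, _, form in failed_logins(lines) if form == "bare")

# Lines 1-3 come from the article's log excerpt; lines 4-5 are constructed
# (hypothetical user jsmith, hypothetical domain EXAMPLE).
SAMPLE = r"""
2013-09-03 16:31:40,821 ERROR [IdentityManager] Failed to authenticate principal [administrator] for tenant [vsphere.local]
    at com.vmware.identity.idm.server.IdentityManager.authenticate(IdentityManager.java:2334)
2013-09-03 16:31:40,927 INFO [IdentityManager] Authentication failed for user [administrator] in tenant [vsphere.local] in [433] milliseconds
2013-09-03 16:32:05,114 ERROR [IdentityManager] Failed to authenticate principal [jsmith] for tenant [vsphere.local]
2013-09-03 16:33:12,502 ERROR [IdentityManager] Failed to authenticate principal [EXAMPLE\jsmith] for tenant [vsphere.local]
""".strip().splitlines()

if __name__ == "__main__":
    for ts, principal, tenant, form in failed_logins(SAMPLE):
        print(ts, principal, tenant, form)
    print(dict(bare_name_failures(SAMPLE)))
```

A failure logged for a qualified name is not explained by the default-domain setting and should be checked as an ordinary bad credential or identity source problem.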

Resolution

To resolve this issue, configure the primary Active Directory or OpenLDAP identity source as the default domain.

To configure a default domain from the SSO configuration:
  1. Log in to the vSphere Web Client as the SSO administrator, administrator@vsphere.local.
  2. Click Administration.
  3. Expand Single Sign-On by clicking on the arrow to the left.
  4. Click Configuration.
  5. Click the Identity Sources tab.
  6. Identify the appropriate Identity Source.

    Note: Under the Domain column, you can see the DNS domain name.

  7. Click on the appropriate Identity Source and then click the Set as Default Domain icon under the options menu.


Additional Information

For more information on configuring an Active Directory identity source for vCenter Server 5.5, see Creating and using a Service Principal Account in vCenter Single Sign-On 5.5 (2058298).
See also: After upgrading to VMware vCenter Server 5.5.0b or later, users from a child domain are no longer able to log in