"invalid credentials LDAP Error 49" error when starting Inventory Services in vCenter Server 6.x (2147280)

Symptoms

  • Inventory Service fails to start
  • In the inv-svc.log file, you see entries similar to:

    2016-09-21T17:58:16.963Z [WrapperListener_start_runner INFO com.vmware.cis.lotus.LdapConnectionFactory opId=] Creating LDAP connection factory for Lotus host: ldaptestserver.com port: 636
    2016-09-21T17:58:16.970Z [WrapperListener_start_runner INFO com.vmware.cis.lotus.LdapConnectionFactory opId=] Creating new connection
    2016-09-21T17:58:16.972Z [WrapperListener_start_runner INFO com.vmware.cis.lotus.LotusLocator opId=] Successfully refreshed machine account credentials
    2016-09-21T17:58:16.985Z [WrapperListener_start_runner INFO com.vmware.identity.interop.ldap.LinuxLdapClientLibrary opId=] SSL library initialized successfully
    2016-09-21T17:58:17.163Z [WrapperListener_start_runner WARN com.vmware.identity.interop.ldap.LdapErrorChecker opId=] Error received by LDAP client: com.vmware.identity.interop.ldap.LinuxLdapClientLibrary, error code: 49
    2016-09-21T17:58:17.163Z [WrapperListener_start_runner ERROR com.vmware.cis.lotus.LdapUtils opId=] Failed to connect to LDAP; uri: ldaps://ldaptestserver.com:636
    2016-09-21T17:58:17.166Z [WrapperListener_start_runner WARN org.springframework.context.support.ClassPathXmlApplicationContext opId=] Exception encountered during context initialization - cancelling refresh attempt
    org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'vlsi-server' defined in class path resource [server/config/server-config.xml]: Cannot create inner bean 'com.vmware.vim.vmomi.server.http.impl.FilterImpl#2ad6d4be' of type [com.vmware.vim.vmomi.server.http.impl.FilterImpl] while setting bean property 'filters' with key [0]; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'com.vmware.vim.vmomi.server.http.impl.FilterImpl#2ad6d4be' defined in class path resource [server/config/server-config.xml]: Cannot resolve reference to bean 'authFilter' while setting bean property 'filter'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'authFilter' defined in class path resource [server/config/server-config.xml]: Cannot resolve reference to bean 'authChecker' while setting bean property 'authChecker'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'authChecker' defined in class path resource [server/config/security-config.xml]: Cannot resolve reference to bean 'userSessionManager' while setting bean property 'userSessionManager'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'userSessionManager' defined in class path resource [server/config/security-config.xml]: Cannot resolve reference to bean 'authorizationManager' while setting bean property 'authorizationManager'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'authorizationManager' defined in class path resource [server/config/security-config.xml]: Cannot resolve reference to bean 'authProvider' while setting bean property 'dataProvider'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'authProvider' defined in class path resource [server/config/security-config.xml]: Cannot resolve reference to bean 'memCache' while setting bean property 'parentChainCache'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'memCache' defined in class path resource [server/config/security-config.xml]: Cannot resolve reference to bean 'globalAclLotusCache' while setting bean property 'globalAclLotusCache'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'aclLotusInitializer' defined in class path resource [server/config/authorization-config.xml]: Instantiation of bean failed; nested exception is org.springframework.beans.BeanInstantiationException: Could not instantiate bean class [com.vmware.vim.query.server.accesscontrol.impl.LotusInitializer]: Constructor threw exception; nested exception is java.lang.RuntimeException: com.vmware.identity.interop.ldap.InvalidCredentialsLdapException: Invalid credentials LDAP error [code: 49]
        at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveInnerBean(BeanDefinitionValueResolver.java:287)

    Note: The inv-svc.log file is located at:
    • vCenter Server Appliance: /var/log/vmware/invsvc/
    • Windows installed vCenter Server: %ALLUSERSPROFILE%\VMWare\vCenterServer\logs\invsvc\

  • In the vmdird-syslog.log file, you see entries similar to:

    2016-09-21T18:47:48.024511+00:00 err vmdird t@140107551946496: SASLSessionStep: sasl error (-13)(SASL(-13): authentication failure: client evidence does not match what we calculated. Probably a password error)
    2016-09-21T18:47:48.024533+00:00 err vmdird t@140107551946496: VmDirSendLdapResult: Request (96), Error (49), Message ((49)(SASL step failed.)), (0) socket ([17] 10.105.217.85:389<-10.105.212.102:54753)
    2016-09-21T18:47:48.024538+00:00 err vmdird t@140107551946496: Bind Request Failed ([17] 10.105.217.85:389<-10.105.212.102:54753) error 49: Protocol version: 3, Bind DN: "cn=accountname,ou=Computers,dc=vsphere,dc=local", Method: 163


    Note: The vmdird-syslog.log file is located at:
    • vCenter Server Appliance: /var/log/vmware/vmdird/vmdird-syslog.log
    • Windows installed vCenter Server: "%VMWARE_LOG_DIR%"\vmdird\vmdir.log

Note: This log excerpt is an example. Date, time, and environmental variables may vary depending on your environment.

Cause

This issue occurs when the Inventory Service loses its trust with vmdird because of a password mismatch for the account listed in the vmdird-syslog.log file.

This can occur if the vCenter Server is restored to an earlier version from backups or an older snapshot.

Resolution

To resolve this issue, reset the password for the user account listed in the vmdird-syslog.log file.
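
To identify that account without reading the log by hand, the following added example (not part of the original article or of VMware's tooling) summarizes error 49 bind failures by client address and Bind DN. The sample log lines are constructed, and the conversion of a Bind DN to the FQDN@SSO domain form (cn value plus the dc components joined by dots) is an assumption based on the example format shown in this article.

```shell
#!/bin/sh
# Added example: summarize LDAP error 49 bind failures from vmdird-syslog.log.

# Constructed sample input in the format of the vmdird-syslog.log excerpt above.
sample_log() {
cat <<'EOF'
2016-09-21T18:47:48.024511+00:00 err vmdird t@1: SASLSessionStep: sasl error (-13)(SASL(-13): authentication failure: client evidence does not match what we calculated. Probably a password error)
2016-09-21T18:47:48.024538+00:00 err vmdird t@1: Bind Request Failed ([17] 192.0.2.10:389<-192.0.2.20:54753) error 49: Protocol version: 3, Bind DN: "cn=vcsa01.example.com,ou=Computers,dc=vsphere,dc=local", Method: 163
2016-09-21T18:47:53.024538+00:00 err vmdird t@1: Bind Request Failed ([18] 192.0.2.10:389<-192.0.2.20:54760) error 49: Protocol version: 3, Bind DN: "cn=vcsa01.example.com,ou=Computers,dc=vsphere,dc=local", Method: 163
EOF
}

# Reads log lines on stdin. For every failed bind with error 49, extracts the
# client IPv4 address (right of "<-") and the Bind DN, then prints one line per
# distinct pair as: <count> <client_ip> <bind_dn>
failed_binds() {
    sed -n 's/.*Bind Request Failed (\[[0-9]*] [^<]*<-\([0-9.]*\):[0-9]*) error 49: .*Bind DN: "\([^"]*\)".*/\1 \2/p' |
        sort | uniq -c | sed 's/^ *//'
}

# Assumption: the machine account name is the cn value, and the SSO domain is
# the dc components joined with dots (cn=host,...,dc=vsphere,dc=local).
dn_to_account() {
    cn=$(printf '%s\n' "$1" | sed -n 's/^[cC][nN]=\([^,]*\),.*/\1/p')
    domain=$(printf '%s\n' "$1" | tr ',' '\n' | sed -n 's/^ *[dD][cC]=//p' | paste -sd. -)
    if [ -n "$cn" ] && [ -n "$domain" ]; then
        printf '%s@%s\n' "$cn" "$domain"
    else
        return 1
    fi
}

# Report each failing account in the form entered at the password reset prompt.
sample_log | failed_binds | while read -r count client dn; do
    printf '%s failed binds from %s for %s\n' "$count" "$client" "$(dn_to_account "$dn")"
done
```

On an appliance, feed the real log to the same function: `failed_binds < /var/log/vmware/vmdird/vmdird-syslog.log`.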

Warning
  1. In ESXi 6.5, dir-cli is the preferred method to reset the dcAccountPassword. For more information, see vCenter Server fails to start with "Remote login failed:N3Vim5Fault9HttpFault9ExceptionE(vim.fault.HttpFault)", After vCenter Server is restored from backup or snapshot (2149010).
  2. The vdcadmintool requires correct default settings in the SSO password policies. VMware currently does not support setting the maximum password length above 20 characters.

vCenter Server Appliance
  1. Create a snapshot of the vCenter Server and Platform Services Controller.
  2. Connect to the Platform Services Controller with an SSH session and root credentials.
  3. Run this command to enable access to the Bash shell:

    shell.set --enabled true

  4. Type shell and press Enter.
  5. Run this command to open the vdcadmintool:

    /usr/lib/vmware-vmdir/bin/vdcadmintool

    You can see these options:
    ================================
    Please select:
    0. exit
    1. Test LDAP connectivity
    2. Force start replication cycle
    3. Reset account password
    4. Set log level and mask
    5. Set vmdir state
    ================================


  6. Select option 3.
  7. Enter the user account listed in the vmdird-syslog.log file.

    Note: This is the machine account in the format FQDN@SSO Domain.

    For example:

    VCVA01.vmware.com@vsphere.local

    Note: Make a note of the new auto-generated password.

  8. Connect to vCenter Server Appliance with an SSH session and root credentials.
  9. Run this command to enable access to the Bash shell:

    shell.set --enabled true

  10. Type shell and press Enter.
  11. Run these commands to update the password:

    /opt/likewise/bin/lwregshell
    cd HKEY_THIS_MACHINE\services\vmdir\
    set_value dcAccountPassword "new password"
    quit


  12. Restart the vCenter Server Appliance services. For more information, see Stopping, starting, or restarting VMware vCenter Server Appliance 6.x services (2109887).

Windows installed vCenter Server
  1. Create a snapshot of the vCenter Server and Platform Services Controller.
  2. Open an elevated command prompt on the Platform Services Controller.
  3. Run this command:

    %VMWARE_CIS_HOME%\vmdird\vdcadmintool.exe

    You see these options:

    ================================
    Please select:
    0. exit
    1. Test LDAP connectivity
    2. Force start replication cycle
    3. Reset account password
    4. Set log level and mask
    5. Set vmdir state
    ================================


  4. Select option 3.
  5. Enter the user account listed in the vmdir.log file.

    Note: This is the machine account in the format FQDN@SSO Domain.

    For example:

    VCVA01.vmware.com@vsphere.local

  6. Connect to the vCenter Server and open regedit.

    Note: Before making any registry modifications, ensure that you have a current and valid backup of the registry and the virtual machine. For more information on backing up and restoring the registry, see the Microsoft article 136393.

  7. Navigate to HKLM\System\CurrentControlset\Services\VMwareDirectoryService\.

  8. Update the password for the key dcAccountPassword.
  9. Save the changes and exit.
  10. Restart the vCenter Server services. For more information, see Stopping, starting, or restarting VMware vCenter Server 6.x services (2109881).
