Logging in to vCenter Server 5.1 using the vSphere Web Client as an AD user fails with the error: A general system error occurred: not well-formed (invalid token) (2040106)

Symptoms

  • Cannot log in to vCenter Server using the vSphere Client
  • Cannot log in to vCenter Server 5.1 using some of the Active Directory (AD) user accounts
  • Logging in to vCenter Server 5.1 using an AD user account fails
  • vSphere 5.1 Web Client fails to log in to vCenter Server
  • You see the error:

    Cannot parse group information

  • Some AD users are unable to log in to vCenter Server after upgrading to vSphere 5.1 and report the error:

    A general system error occurred: not well-formed (invalid token)

  • In the vpxd log file of vCenter Server 5.1, you see entries similar to:

    Note: Depending on where the slashes are placed in listing the Active Directory objects, you encounter one of these errors.

    • 2012-11-22T14:15:58.096Z [11052 info '[SSO]' opID=5ce4dde1] [UserDirectorySso] Authenticate(DOMAIN\USERNAME, "not shown")
      2012-11-22T14:15:58.361Z [11052 error '[SSO]' opID=5ce4dde1] [UserDirectorySso] AcquireToken SsoException: Failed to parse Group Identity value: `DOMAIN\USERNAME\New_Initiatives RO'; too many/not enough separators
      2012-11-22T14:15:58.361Z [11052 error 'authvpxdUser' opID=5ce4dde1] Failed to authenticate user DOMAIN\USERNAME

    • 2012-10-02T11:26:30.977-04:00 [01592 info 'commonvpxLro' opID=D12EB25B-00000004-df] [VpxLRO] -- FINISH task-internal-4109836 -- -- vim.SessionManager.login --
      2012-10-02T11:26:30.977-04:00 [01592 info 'Default' opID=D12EB25B-00000004-df] [VpxLRO] -- ERROR task-internal-4109836 -- -- vim.SessionManager.login: vmodl.fault.SystemError:
      --> Result:
      --> (vmodl.fault.SystemError) {
      --> dynamicType = unset,
      --> faultCause = (vmodl.MethodFault) null,
      --> reason = "not well-formed (invalid token)",
      --> msg = "",
      --> }
      --> Args:
Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.
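To find which accounts hit the first failure and which group identity SSO rejected, the vpxd log can be scanned and the entries correlated by opID. The following is an added example, not VMware code: the function name, the regular expressions and the final log line are constructed here, and treating everything after the first backslash as the object name is an assumption.

```python
import re

# First three lines are the vpxd.log excerpt shown above; the last line is a
# constructed login attempt that has no failure entry.
SAMPLE_LOG = r"""
2012-11-22T14:15:58.096Z [11052 info '[SSO]' opID=5ce4dde1] [UserDirectorySso] Authenticate(DOMAIN\USERNAME, "not shown")
2012-11-22T14:15:58.361Z [11052 error '[SSO]' opID=5ce4dde1] [UserDirectorySso] AcquireToken SsoException: Failed to parse Group Identity value: `DOMAIN\USERNAME\New_Initiatives RO'; too many/not enough separators
2012-11-22T14:15:58.361Z [11052 error 'authvpxdUser' opID=5ce4dde1] Failed to authenticate user DOMAIN\USERNAME
2012-11-22T14:16:02.120Z [11052 info '[SSO]' opID=7ab01c22] [UserDirectorySso] Authenticate(DOMAIN\OTHERUSER, "not shown")
"""

OPID = re.compile(r"opID=([0-9A-Za-z-]+)")
AUTH = re.compile(r"\[UserDirectorySso\] Authenticate\((.+?), ")
PARSE_FAIL = re.compile(r"Failed to parse Group Identity value: `(.+?)';")

def find_group_parse_failures(log_text):
    """Return one record per rejected group identity, tied to the login by opID."""
    users = {}      # opID -> account named in the Authenticate() entry
    findings = []
    for line in log_text.splitlines():
        op = OPID.search(line)
        if not op:
            continue
        opid = op.group(1)
        auth = AUTH.search(line)
        if auth:
            users[opid] = auth.group(1)
            continue
        fail = PARSE_FAIL.search(line)
        if not fail:
            continue
        identity = fail.group(1)
        # Assumption: the text after the first backslash is the AD object name,
        # so any further separator in it is what SSO could not parse.
        name = identity.partition("\\")[2]
        findings.append({
            "time": line.split(None, 1)[0],
            "opid": opid,
            "user": users.get(opid, "<unknown>"),
            "group_identity": identity,
            "object_name": name,
            "bad_chars": sorted(set(name) & {"/", "\\"}),
        })
    return findings

if __name__ == "__main__":
    for f in find_group_parse_failures(SAMPLE_LOG):
        print(f["time"], f["user"], "->", f["group_identity"], f["bad_chars"])
```

Each record names the group identity to look up in Active Directory when reviewing objects for / or \.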

Cause

This issue occurs due to a problem in listing the Active Directory objects.
 
Single Sign On does not appear to work with any Active Directory objects that contain / or \.
 
For more information, see the Microsoft TechNet article on Object names.
 
Note: The preceding link was correct as of September 29, 2012. If you find the link is broken, provide feedback and a VMware employee will update the link.

Resolution

This is a known issue affecting vCenter Server 5.1.

This issue is resolved in vCenter Server 5.1 Update 1, available at VMware Downloads. For more information, see VMware vCenter Server 5.1 Update 1 Release Notes.

To work around this issue:
  • Review the objects, such as User Accounts, Groups, and Organizational Units, and ensure that they do not contain a / or \.
  • Alternatively, select the Use Windows session credentials box in the vSphere Client.
