Search the VMware Knowledge Base (KB)
View by Article ID

Cannot log in to vCenter Server using the domain username/password credentials via the vSphere Web Client/vSphere Client after upgrading to vCenter Server 5.1 Update 1 (2050941)

  • 164 Ratings


  • After upgrading to vCenter Server 5.1 Update 1, you are unable to log in using the vSphere Web Client or domain username/password credentials via the vSphere Client.
  • The imsTrace.log file (located at VC Installation Directory\SSOServer\logs\ imsTrace.log) contains entries similar to:

    castle-exec-11], (,, ERROR,,,,,Error while trying to generate RequestSecurityTokenResponse
    com.rsa.common.UnexpectedDataStoreException: Failed group search, unexpected interrupt
    at com.rsa.ims.admin.usa.ldap.GroupAccessLDAP.getPrincipalGroupsFromFSP(
    at com.rsa.ims.admin.usa.ldap.GroupAccessLDAP.getMemberOfGroupsInBatchForAD(

  • When logging into the vSphere Web Client, you see the error:

    The authentication server returned an unexpected error:
    ns0:RequestFailed: Internal Error while creating SAML 2.0 Token. The error may be caused by a malfunctioning identity source.

  • The vpxd logs contain entries similar to:

    T17:45:46.416+02:00 [05076 info '[SSO]' opID=E66B0971-00000004-e8] [UserDirectorySso] Authenticate(DOMAIN\user, "not shown")
    T17:45:47.617+02:00 [05076 error '[SSO]' opID=E66B0971-00000004-e8] [UserDirectorySso] AcquireToken SsoException: Unexpected SOAP fault: ns0:RequestFailed; request failed.
    T17:45:47.617+02:00 [05076 error 'authvpxdUser' opID=E66B0971-00000004-e8] Failed to authenticate user DOMAIN\username

    Note: vpxd logs are located in
    %ALLUSERSPROFILE%\Application Data\VMware\VMware VirtualCenter\Logs, which translates to:

    • C:\Documents and Settings\All Users\Application Data\VMware\VirtualCenter\logs in Windows 2003
    • C:\ProgramData\VMware\VMware VirtualCenter\Logs in Windows 2008

  • Logging in using the Use Windows session credentials option via the vSphere Client is successful.


This issue can occur if the specified vCenter Server login domain user account is associated with a large number of domain groups and multiple domains are configured as Single Sign-On (SSO) identity sources. The precise number of groups at which this issue can occur varies due to the nature of Active Directory internals. However, it is more likely to occur once domain-group membership for an account exceeds 19.


This issue is resolved in vCenter Server 5.1 Update 1b. You can download the latest release from the VMware Download Center. For more information, see the vCenter Server 5.1 Update 1b Release Notes.

Note: All components of vSphere 5.1 must be updated to 5.1 Update 1b for this issue to be fully resolved.

For more information on the resolution, see Logging into vCenter Server using the vSphere Client with vCenter Single Sign-On (SSO) in a multi-domain environment fails (2037410).

Additional Information

Before attempting to upgrade to vCenter Server 5.1.0 U1b, see the readme file to learn about factors critical to a successful upgrade. 
For more information, see Upgrading to vCenter Server 5.1 in the vSphere Upgrade Guide.

See Also

Update History

04/29/2013 - Added vpxd symptoms 05/23/2013 - Added issue resolved in vCenter Server 5.1 Update 1a

Request a Product Feature

To request a new product feature or to provide feedback on a VMware product, please visit the Request a Product Feature page.


  • 164 Ratings

Did this article help you?
This article resolved my issue.
This article did not resolve my issue.
This article helped but additional information was required to resolve my issue.

What can we do to improve this information? (4000 or fewer characters)

Please enter the Captcha code before clicking Submit.
  • 164 Ratings