Hi All,

I am currently facing the following issue. I have setup a vCenter applience and have managed to join it to my AD domain and have given a user (me) the administrator permissions. However when i try to login to the webui with domain\(username) and the password it fails. But if i download the "Enhanced Authentication Plugin" on a domain PC logged in as the same domain user and tick "User windows authentication" i can access the webui with that account just fine.

Am i just forgetting to do something?

You will have to look at websso.log and ssoAdminserver.log (/var/log/vmware/sso) to understand the cause.

This is what i get when i manually try and login with (domain)\(username) and password:

[2020-03-08T16:30:12.634Z  tomcat-http--50  12930ac6-96e6-4628-9d70-03a10e3bb5aa INFO  auditlogger] {"user":"WALKERS\\connor.walker","client":"172.16.16.100","timestamp":"03/08/2020 16:30:12 UTC","description":"User WALKERS\\connor.walker@172.16.16.100 failed to log in with response code 401","eventSeverity":"INFO","type":"com.vmware.sso.LoginFailure"}

[2020-03-08T16:30:12.634Z  tomcat-http--50  12930ac6-96e6-4628-9d70-03a10e3bb5aa ERROR com.vmware.identity.samlservice.AuthnRequestState] Caught Saml Service Exception from authenticate com.vmware.identity.samlservice.SamlServiceException

[2020-03-08T16:30:12.635Z  tomcat-http--50  12930ac6-96e6-4628-9d70-03a10e3bb5aa ERROR com.vmware.identity.BaseSsoController] Sending error to browser. ERROR: 401, message

This is what i get when i login with the domain pc and select "User Windows Authentication":

020-03-08T16:58:29.562Z  tomcat-http--44  834f2c7e-ebb6-4d7b-988b-9e5f9d85d361 INFO  com.vmware.identity.SsoController] Server SPN is HTTP/photon-machine.walkers.internal

[2020-03-08T16:58:29.563Z  tomcat-http--44  834f2c7e-ebb6-4d7b-988b-9e5f9d85d361 INFO  com.vmware.identity.SsoController] Accessing Tenant vsphere.local, brand name string null

[2020-03-08T17:00:01.007Z  tomcat-http--50  12930ac6-96e6-4628-9d70-03a10e3bb5aa INFO  com.vmware.identity.SsoController] Welcome to SP-initiated AuthnRequest handler! The client locale is en_GB, tenant is vsphere.local

[2020-03-08T17:00:01.008Z  tomcat-http--50  12930ac6-96e6-4628-9d70-03a10e3bb5aa INFO  com.vmware.identity.SsoController] Request URL is https://172.16.16.161/websso/SAML2/SSO/vsphere.local

[2020-03-08T17:00:01.104Z  tomcat-http--50  5d86c6d8-1558-4f48-b7fb-c87856853ee2 INFO  com.vmware.identity.samlservice.impl.AuthnRequestStateValidator] Validating SAML AuthnRequest, ID: _13590b797b3db7e058247742c7b213f8

[2020-03-08T17:00:01.116Z  tomcat-http--50  5d86c6d8-1558-4f48-b7fb-c87856853ee2 INFO  com.vmware.identity.samlservice.impl.AuthnRequestStateValidator] Authn request proxyCount= null set isProxying=false

[2020-03-08T17:00:01.132Z  tomcat-http--50  5d86c6d8-1558-4f48-b7fb-c87856853ee2 INFO  com.vmware.identity.samlservice.impl.AuthnRequestStateValidator] Authentication request validation succeeded

[2020-03-08T17:00:01.136Z  tomcat-http--50  5d86c6d8-1558-4f48-b7fb-c87856853ee2 INFO  com.vmware.identity.SsoController] Server SPN is HTTP/photon-machine.walkers.internal

[2020-03-08T17:00:01.137Z  tomcat-http--50  5d86c6d8-1558-4f48-b7fb-c87856853ee2 INFO  com.vmware.identity.SsoController] Accessing Tenant vsphere.local, brand name string null

[2020-03-08T17:00:38.489Z  tomcat-http--18  b301c6f1-bb1f-49e3-bfff-db7d3bb840e2 INFO  com.vmware.identity.SsoController] Welcome to SP-initiated AuthnRequest handler! The client locale is en_GB, tenant is vsphere.local

[2020-03-08T17:00:38.489Z  tomcat-http--18  b301c6f1-bb1f-49e3-bfff-db7d3bb840e2 INFO  com.vmware.identity.SsoController] Request URL is https://172.16.16.161/websso/SAML2/SSO/vsphere.local

[2020-03-08T17:00:38.563Z  tomcat-http--18  0a69d4f0-19f8-4872-a8f0-21d479741068 INFO  com.vmware.identity.samlservice.impl.AuthnRequestStateValidator] Validating SAML AuthnRequest, ID: _13590b797b3db7e058247742c7b213f8

[2020-03-08T17:00:38.574Z  tomcat-http--18  0a69d4f0-19f8-4872-a8f0-21d479741068 INFO  com.vmware.identity.samlservice.impl.AuthnRequestStateValidator] Authn request proxyCount= null set isProxying=false

[2020-03-08T17:00:38.590Z  tomcat-http--18  0a69d4f0-19f8-4872-a8f0-21d479741068 INFO  com.vmware.identity.samlservice.impl.AuthnRequestStateValidator] Authentication request validation succeeded

[2020-03-08T17:00:38.625Z  tomcat-http--18  0a69d4f0-19f8-4872-a8f0-21d479741068 INFO  auditlogger] {"user":"Connor.Walker@WALKERS.INTERNAL","client":"172.16.16.176","timestamp":"03/08/2020 17:00:38 UTC","description":"User Connor.Walker@WALKERS.INTERNAL@172.16.16.176 logged in with response code 200","eventSeverity":"INFO","type":"com.vmware.sso.LoginSuccess"}

[2020-03-08T17:00:38.628Z  tomcat-http--18  0a69d4f0-19f8-4872-a8f0-21d479741068 INFO  com.vmware.identity.samlservice.AuthnRequestState] create token spec for principal {Name: Connor.Walker, Domain: WALKERS.INTERNAL}

[2020-03-08T17:00:38.628Z  tomcat-http--18  0a69d4f0-19f8-4872-a8f0-21d479741068 INFO  com.vmware.identity.samlservice.AuthnRequestState] relying party url https://172.16.16.161/ui/saml/websso/metadata, identityFormat http://schemas.xmlsoap.org/claims/UPN

[2020-03-08T17:00:38.628Z  tomcat-http--18  0a69d4f0-19f8-4872-a8f0-21d479741068 INFO  com.vmware.identity.samlservice.AuthnRequestState] authn method KERBEROS session Session [id=_8c5b1bbdcc12c423f933523af7ba1afa, principalId={Name: Connor.Walker, Domain: WALKERS.INTERNAL}, expireDate=Mon Mar 09 01:00:38 UTC 2020, authnMethod=KERBEROS, logoutRequestData=null, extIDPSessionID=null, participants=[]]

[2020-03-08T17:00:38.628Z  tomcat-http--18  0a69d4f0-19f8-4872-a8f0-21d479741068 INFO  com.vmware.identity.samlservice.AuthnRequestState] inResponseTo _13590b797b3db7e058247742c7b213f8 recipient https://172.16.16.161/ui/saml/websso/sso

[2020-03-08T17:00:38.628Z  tomcat-http--18  0a69d4f0-19f8-4872-a8f0-21d479741068 INFO  com.vmware.identity.samlservice.AuthnRequestState] audience https://172.16.16.161/ui/saml/websso/metadata

Hi,

Check with the attached document "Platform ServicesController Administration" (page 29  and  34 "Set the Default Domain for vCenter Single Sign-On")

and pag 23 (Log In to vCenter Server by Using the vSphere Client) the attached document "vCenter Server and HostManagement".

https://www.virtual-odyssey.com/2019/06/30/its-the-little-stuff-enable-active-directory-authentication-in-vsphere-6-7/

https://www.virten.net/2017/01/how-to-add-ad-authentication-in-vcenter-6-5/

-----

Remember this too:

VMware vSphere & Microsoft LDAP Channel Binding & Signing

• https://blogs.vmware.com/vsphere/2020/01/microsoft-ldap-vsphere-channel-binding-signing-adv190023.html
• https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190023
• https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirement-for-windows

ARomeo

I followed the first 2 links which is how i managed to get it join to the domain and do the permissions however no luck loggining in. However, if i log onto my domain pc and go to the web ui and click "Use Windows Authentication" it works but when i type the same details manually it doesn't work. Thats whats confusing me, becuase i know the domain and authentication is working as i have managed to login through automatically filling the info using windows authentication but when i manually enter a username and password it doesn't work.

you can post some pictures please.

When i click Use Windows Session Authentication it auto fills the username and logs me in:

This is what it says when i input the username and password manually:

Hi,

you have to write it in this format: walkers@connor.walker

and don't select "User Windows session...."

ARomeo

Tried this and it just says "Invalid credentials"

Hi,

reset your browser cache and try logging in with the domain "administrator" user.

Administrator@connor.walker

Same message.