Friday, February 8, 2013

vCenter 5.1 SSO login failed

I've worked through a few SSO issues, but this one was new.  Newly provisioned Power VM type role users were failing to authenticate (login or password incorrect) on the classic vi client, and "ns0:RequestFailed: Internal Error while creating SAML 2.0 Token" on the web client.

VMware finally posted KB 2043070 on 02/08/2013, which solved this issue for my users (even though I was not seeing the same log errors mentioned by the KB article).  

To resolve this issue, remove the localOS identity source from vCenter Server Single Sign-On (SSO).


To remove the localOS identity source from the SSO configuration:

  1. Log in to the vSphere Web Client as the SSO administrator, admin@system-domain.
  2. Click Sign-On and Discovery.
  3. Click Configuration.
  4. Identify the Local Identity Source. Its domain name should match the machine name.
  5. Right-click the Local Identity Source and click Delete Identity Source.

There is another, older KB article, 2034798, which is the top Google hit for this error and was a time-waster for me (it talks about misconfigured AD DNS, which was not relevant in my case).

Hope this saves some folks and their users time and aggravation!

Also ensure your vCenter service can restart following this change.
Ours failed with an error in the vpxd log under c:\programdata\vmware\vmware virtualcenter\logs (programdata is hidden by default).
This was because the service account the vCenter service runs as was missing from the VPX_ACCESS table.
We followed KB 1005680 and inserted the row with:

insert into vpx_access (ID, PRINCIPAL, ROLE_ID, ENTITY_ID, FLAG) values ('100', 'DOM\dom.user', '-1', '1', '1');
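A slightly safer way to apply the same fix, as an added example that is not from the post or from VMware's KB: check whether the service account row is actually missing, check which IDs are in use so the hard-coded ID 100 does not collide with an existing row, and make the insert a no-op if the row already exists. It assumes SQL Server syntax (the vCenter database on a Windows install), keeps the KB's values ROLE_ID -1 and ENTITY_ID 1 (which, in this schema, grant the built-in Administrator role on the root of the inventory), and uses 'DOM\dom.user' as the placeholder account name from the post.

```sql
-- Added example, not from the post or the KB. Assumptions: SQL Server syntax;
-- 'DOM\dom.user' is a placeholder for the vCenter service account;
-- ROLE_ID -1 / ENTITY_ID 1 are the KB's values (Administrator role on the root folder).

-- 1. Confirm the service account really is absent (expect zero rows if this
--    is why vpxd failed to start).
SELECT ID, PRINCIPAL, ROLE_ID, ENTITY_ID, FLAG
FROM VPX_ACCESS
WHERE PRINCIPAL = 'DOM\dom.user';

-- 2. See which IDs are taken; the KB's ID of 100 is arbitrary, so pick one
--    above the highest existing value if 100 is already used.
SELECT MAX(ID) AS highest_id FROM VPX_ACCESS;

-- 3. Insert only when no row for the principal exists, so the script can be
--    re-run without creating duplicates.
INSERT INTO VPX_ACCESS (ID, PRINCIPAL, ROLE_ID, ENTITY_ID, FLAG)
SELECT 100, 'DOM\dom.user', -1, 1, 1
WHERE NOT EXISTS (SELECT 1 FROM VPX_ACCESS WHERE PRINCIPAL = 'DOM\dom.user');

-- 4. Verify the row before restarting the vCenter Server service, and review
--    the rest of the table while you are there: every principal listed with
--    ROLE_ID -1 on ENTITY_ID 1 holds full Administrator rights over the inventory.
SELECT ID, PRINCIPAL, ROLE_ID, ENTITY_ID, FLAG
FROM VPX_ACCESS
ORDER BY ID;
```

Take a backup of the vCenter database before running step 3, and run the whole thing with the vCenter Server service stopped, since vpxd caches permissions at startup.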