Unable to login to vRO with error Invalid Username or Password (SKKB1037)


In this post we will look at what can prevent you from logging in to vRO with an [invalid username/password] error, especially with the embedded vRO in a distributed vRA deployment.

Update Log:

Lab Environment

The full lab logical design can be seen HERE.

Issue

Consider the following use case:

  • You have a distributed vRA 7.x deployment
  • You have configured an AD LDAP directory in vRA and you have synchronized users and groups in vRA.
  • You may have configured Windows Integrated Authentication in the vRealize Automation / Identity Manager.

When you try to authenticate to the embedded vRO, you receive an error similar to the following:

invalid username/password

You can see an error in the [/var/log/vmware/vco/app-server/server/log] log similar to:

2016-12-08 09:27:32.558+0000 [http-nio-127.0.0.1-8280-exec-15] INFO  {} [UsersController] Unsuccessful login attempt by user ‘administrator@sddc.lab’. Access point type ‘client’
2016-12-08 09:27:32.558+0000 [http-nio-127.0.0.1-8280-exec-15] ERROR {} [BaseController] Error invoking REST [unknown]
ch.dunes.util.DunesServerException: javax.security.auth.login.LoginException: SSO server error
at com.vmware.o11n.web.user.UsersController.createSession(UsersController.java:154)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)

 

or (when using Integrated Authentication with vRA 7.0 or earlier)

2016-07-08 12:14:30.884+0000 [http-nio-8283-exec-7] ERROR [ConfigureAuthProvider] [6ebebde6-1656-4e10-ad5e-1fcc025df117] Wrong credentials.
org.springframework.security.authentication.BadCredentialsException: {
  "error": "invalid_grant",
  "error_description": "Invalid username or password"
}
Caused by: org.springframework.web.client.HttpClientErrorException: 400 Bad Request

You can see an error in the [/var/log/vmware/vco/configurator/controlcenter.log] log similar to:

2016-12-08 15:31:14.498+0000 [http-nio-127.0.0.1-8282-exec-5] INFO [ConfigureAuthProvider] [736cc36a-39e2-48cd-9dcf-2ef025bf5bbc] Test login: username = admin@vmware.com, password = ***, authentication = Authentication: state = APPROVED, url = vra7.vmware.com/component-registry, certificateAlias = vco.cafe.component-registry.ssl.certificate, username = administrator, password = , importCertificates = false, configureLicences = true, certificate = [TrustedEntity [id=imported:140738ca-0918-4735-81b5-d49fb79989e6, [39 E6 00 F5 11 1F 0E C7 70 D0 4F 7D E2 65 CC 24 F5 79 C3 85], TrustedEntity [id=imported:1083a6e4-6ecd-4ff7-9013-3996b40f0ea2, [2D E2 9B 70 3E 2D 1A BC BB 06 96 AB 28 B0 8C 7D C7 4A 81 7F]], service provider host = APPROVED Sso Authentication: ssoUrlEndpoint = com.vmware.vcac.componentregistry.rest.stubs.EndPoint@56bb58e, stsUrlEndpoint = com.vmware.vcac.componentregistry.rest.stubs.EndPoint@22828591, adminUrlEndpoint = com.vmware.vcac.componentregistry.rest.stubs.EndPoint@b24aa86, ssoSslAlias = vco.sso.ssl.certificate, authenticationTokenType = oauth, clientId = vco-J37MBazusg, clientSecret = **, adminGroup = Domain Admins, adminGroupDomain = sddc.lab, defaultTenant = vsphere.local, ssoClockTolerance = 300, tokenLifetimeInSeconds = 7776000, ssoTokenRenewCount = 5 Cafe Authentication: servicePort = 8281, cafeVsoWaitSeconds = 30, cafeVcoRetries = 120, isEmbedded = false, registrationId = 78a81d62-2901-4bcf-aa61-fa668ee2317b, serviceHost = null
2016-12-08 15:31:14.774+0000 [http-nio-127.0.0.1-8282-exec-5] ERROR [ConfigureAuthProvider] [736cc36a-39e2-48cd-9dcf-2ef025bf5bbc] Wrong credentials.
org.springframework.security.authentication.BadCredentialsException: {
"error": "invalid_grant",
"error_description": "Invalid username or password"
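
To tell the two failure signatures shown above apart when triaging a vRO log, the sketch below groups stack-trace and JSON continuation lines under their log record and ties each error to the user from the preceding "Unsuccessful login attempt" line on the same thread. It is an added example, not code from the original post or from VMware; the function names are hypothetical and the sample log is constructed from the excerpts above.

```python
import re

# A record starts with timestamp, [thread], level; other lines are continuations.
RECORD = re.compile(r"^(\d{4}-\d{2}-\d{2} [\d:.]+\+\d{4}) \[([^\]]+)\] (\w+)\s")
# The excerpts show typographic quotes; accept straight or curly ones.
FAILED = re.compile(r"Unsuccessful login attempt by user ['‘]([^'’]+)['’]")
# Signatures taken from the two excerpts above (labels are this example's own).
SIGNATURES = {"sso_server_error": "LoginException: SSO server error",
              "invalid_grant": '"error": "invalid_grant"'}

# Constructed sample modelled on the excerpts above; the last line is made-up noise.
SAMPLE_LOG = """\
2016-12-08 09:27:32.558+0000 [http-nio-127.0.0.1-8280-exec-15] INFO  {} [UsersController] Unsuccessful login attempt by user ‘administrator@sddc.lab’. Access point type ‘client’
2016-12-08 09:27:32.558+0000 [http-nio-127.0.0.1-8280-exec-15] ERROR {} [BaseController] Error invoking REST [unknown]
ch.dunes.util.DunesServerException: javax.security.auth.login.LoginException: SSO server error
2016-12-08 15:31:14.774+0000 [http-nio-127.0.0.1-8282-exec-5] ERROR [ConfigureAuthProvider] [736cc36a-39e2-48cd-9dcf-2ef025bf5bbc] Wrong credentials.
org.springframework.security.authentication.BadCredentialsException: {
  "error": "invalid_grant",
  "error_description": "Invalid username or password"
2016-12-08 15:40:00.000+0000 [http-nio-127.0.0.1-8280-exec-2] INFO  {} [UsersController] constructed unrelated line
"""

def split_records(text):
    """Group continuation lines (stack trace, JSON body) under their record."""
    records = []
    for line in text.splitlines():
        m = RECORD.match(line)
        if m:
            records.append({"ts": m.group(1), "thread": m.group(2),
                            "level": m.group(3), "text": line})
        elif records:  # continuation of the previous record
            records[-1]["text"] += "\n" + line.strip()
    return records

def triage(text):
    """Return one finding per error signature, with the user when the same
    thread logged an 'Unsuccessful login attempt' just before the error."""
    last_user = {}  # thread -> user from the most recent failed-login line
    findings = []
    for rec in split_records(text):
        m = FAILED.search(rec["text"])
        if m:
            last_user[rec["thread"]] = m.group(1)
            continue
        for name, needle in SIGNATURES.items():
            if needle in rec["text"]:
                findings.append({"ts": rec["ts"], "signature": name,
                                 "user": last_user.pop(rec["thread"], None)})
    return findings
```

On the appliance, pass the contents of the two log files named above to `triage()` instead of `SAMPLE_LOG`.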

 

 

Cause

This may have multiple causes. Here are a few of the most common:

  • Misconfigured Identity Provider settings in vRA.
  • Inconsistent vRO Cluster Nodes configuration.
  • Integrated Windows Authentication bug in vRA 7.0

 

Solution

Here are a few things that may help you resolve such login issues.
The issue may occur if, in the Identity Provider configuration, the IdP Hostname points to the address of one of the vRA VA VMs and not to the vRA VM Load Balancer (LB) address.

Change the IdP Hostname to point to the vRA VA LB address.

Additionally you may add all vRA VA Nodes as Connectors in the Identity Provider.

Additionally, make sure you can successfully sync users and groups from AD within the Directories tab in vRA.

Make sure that the Admin Group in the vRO Authentication Provider settings is set to the AD admin group you want to grant access to vRO.

Make sure all vRO Nodes are synchronized.

If you are using vRealize Automation / Identity Manager with Integrated Windows Authentication (IWA), make sure vRA is version 7.1 or higher.

When the Integrated Windows Authentication (IWA) configuration is done for an AD with multiple domains (child/trusted domains), you may receive errors similar to the ones above.
This issue occurs because vRealize Automation / Identity Manager cannot authenticate users from secondary/trusted domains of an Integrated Windows Authentication (IWA) Active Directory.
This issue is resolved in vRealize Automation 7.1.
For more information, see Unable to log in to vRO using an Active Directory user credentials (2147290).

 

Final Step

If all went well, go grab a beer.
