Unable to login to vRO with error Invalid Username or Password (SKKB1037)

In this post we will take a look at what can cause a failed login to vRO with an [invalid username/password] error, especially for the embedded vRO in a distributed vRA deployment.

Lab Environment

The full lab logical design can be seen HERE.

Issue

Consider the following use case:

  • You have a distributed vRA 7.x deployment
  • You have configured an AD LDAP directory in vRA and you have synchronized users and groups in vRA.
  • You may have configured Windows Integrated Authentication in the vRealize Automation / Identity Manager.

When you try to authenticate to the embedded vRO you receive an error similar to the following:

invalid username/password

You can see an error in the [/var/log/vmware/vco/app-server/server.log] log similar to

2016-12-08 09:27:32.558+0000 [http-nio-127.0.0.1-8280-exec-15] INFO  {} [UsersController] Unsuccessful login attempt by user ‘administrator@sddc.lab’. Access point type ‘client’
2016-12-08 09:27:32.558+0000 [http-nio-127.0.0.1-8280-exec-15] ERROR {} [BaseController] Error invoking REST [unknown]
ch.dunes.util.DunesServerException: javax.security.auth.login.LoginException: SSO server error
at com.vmware.o11n.web.user.UsersController.createSession(UsersController.java:154)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)


or (when using Integrated Authentication with vRA 7.0 or earlier)

2016-07-08 12:14:30.884+0000 [http-nio-8283-exec-7] ERROR [ConfigureAuthProvider] [6ebebde6-1656-4e10-ad5e-1fcc025df117] Wrong credentials.
org.springframework.security.authentication.BadCredentialsException: {
  "error": "invalid_grant",
  "error_description": "Invalid username or password"
}
Caused by: org.springframework.web.client.HttpClientErrorException: 400 Bad Request

You can see an error in the [/var/log/vmware/vco/configurator/controlcenter.log] log similar to

2016-12-08 15:31:14.498+0000 [http-nio-127.0.0.1-8282-exec-5] INFO [ConfigureAuthProvider] [736cc36a-39e2-48cd-9dcf-2ef025bf5bbc] Test login: username = admin@vmware.com, password = ***, authentication = Authentication: state = APPROVED, url = vra7.vmware.com/component-registry, certificateAlias = vco.cafe.component-registry.ssl.certificate, username = administrator, password = , importCertificates = false, configureLicences = true, certificate = [TrustedEntity [id=imported:140738ca-0918-4735-81b5-d49fb79989e6, [39 E6 00 F5 11 1F 0E C7 70 D0 4F 7D E2 65 CC 24 F5 79 C3 85], TrustedEntity [id=imported:1083a6e4-6ecd-4ff7-9013-3996b40f0ea2, [2D E2 9B 70 3E 2D 1A BC BB 06 96 AB 28 B0 8C 7D C7 4A 81 7F]], service provider host = APPROVED Sso Authentication: ssoUrlEndpoint = com.vmware.vcac.componentregistry.rest.stubs.EndPoint@56bb58e, stsUrlEndpoint = com.vmware.vcac.componentregistry.rest.stubs.EndPoint@22828591, adminUrlEndpoint = com.vmware.vcac.componentregistry.rest.stubs.EndPoint@b24aa86, ssoSslAlias = vco.sso.ssl.certificate, authenticationTokenType = oauth, clientId = vco-J37MBazusg, clientSecret = **, adminGroup = Domain Admins, adminGroupDomain = sddc.lab, defaultTenant = vsphere.local, ssoClockTolerance = 300, tokenLifetimeInSeconds = 7776000, ssoTokenRenewCount = 5 Cafe Authentication: servicePort = 8281, cafeVsoWaitSeconds = 30, cafeVcoRetries = 120, isEmbedded = false, registrationId = 78a81d62-2901-4bcf-aa61-fa668ee2317b, serviceHost = null
2016-12-08 15:31:14.774+0000 [http-nio-127.0.0.1-8282-exec-5] ERROR [ConfigureAuthProvider] [736cc36a-39e2-48cd-9dcf-2ef025bf5bbc] Wrong credentials.
org.springframework.security.authentication.BadCredentialsException: {
  "error": "invalid_grant",
  "error_description": "Invalid username or password"
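As an added example (not from this post or from VMware), here is a small Python triage script that parses the two log patterns shown above: the server.log "Unsuccessful login attempt" line followed by the "SSO server error" exception, and the controlcenter.log "Wrong credentials" entry with its invalid_grant body. It counts failing users per AD domain and maps what it finds to the checks this post lists under Solution. The log lines embedded in it are constructed from the formats in this post, the request id is a placeholder, and the hints are taken from the post's own cause list rather than from an authoritative reference; the user-name regex accepts both the curly quotes seen in the excerpt and plain ASCII quotes.

```python
import re
from collections import Counter
# Constructed sample lines modelled on the server.log and controlcenter.log
# excerpts in this post; they are not real log data (request id is a placeholder).
SAMPLE_LOG = """\
2016-12-08 09:27:32.558+0000 [http-nio-127.0.0.1-8280-exec-15] INFO  {} [UsersController] Unsuccessful login attempt by user 'administrator@sddc.lab'. Access point type 'client'
2016-12-08 09:27:32.558+0000 [http-nio-127.0.0.1-8280-exec-15] ERROR {} [BaseController] Error invoking REST [unknown]
ch.dunes.util.DunesServerException: javax.security.auth.login.LoginException: SSO server error
2016-12-08 09:30:01.001+0000 [http-nio-127.0.0.1-8280-exec-3] INFO  {} [UsersController] Unsuccessful login attempt by user 'svc-deploy@child.sddc.lab'. Access point type 'client'
2016-12-08 15:31:14.774+0000 [http-nio-127.0.0.1-8282-exec-5] ERROR [ConfigureAuthProvider] [00000000-0000-0000-0000-000000000001] Wrong credentials.
org.springframework.security.authentication.BadCredentialsException: {
"error": "invalid_grant",
"error_description": "Invalid username or password"
"""
TS = r"(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3}[+-]\d{4})"
# The post's excerpt wraps the user name in curly quotes; accept both curly and ASCII.
FAILED_LOGIN = re.compile(TS + r".*\[UsersController\] Unsuccessful login attempt by user ['\u2018](?P<user>[^'\u2019]+)['\u2019]")
WRONG_CREDS = re.compile(TS + r".*\[ConfigureAuthProvider\] \[(?P<req>[^\]]+)\] Wrong credentials\.")
SSO_ERROR = re.compile(r"LoginException: SSO server error")
INVALID_GRANT = re.compile(r'"error":\s*"invalid_grant"')

def parse_events(text):
    """Return (timestamp, kind, subject) tuples; untimestamped exception lines refine the most recent event."""
    events = []
    for line in text.splitlines():
        m = FAILED_LOGIN.search(line)
        if m:
            events.append([m["ts"], "failed_login", m["user"]])
            continue
        m = WRONG_CREDS.search(line)
        if m:
            events.append([m["ts"], "wrong_credentials", m["req"]])
            continue
        if events and SSO_ERROR.search(line):
            events[-1][1] = "failed_login_sso_error"      # vRO could not complete the SSO round trip
        elif events and INVALID_GRANT.search(line):
            events[-1][1] = "wrong_credentials_invalid_grant"  # Control Center test login rejected by vRA
    return [tuple(e) for e in events]

def triage(events):
    """Count failing users per AD domain and map the patterns to the checks this post lists (hints only)."""
    by_user = Counter(u for _, k, u in events if k.startswith("failed_login"))
    domains = Counter(u.split("@", 1)[1].lower() for u in by_user if "@" in u)
    hints = []
    if any(k == "failed_login_sso_error" for _, k, _ in events):
        hints.append("'SSO server error': check the IdP Hostname points to the vRA LB and that all vRO nodes are in sync")
    if len(domains) > 1:
        hints.append("failures span several AD domains: IWA with child/trusted domains needs vRA 7.1 or later (KB 2147290)")
    return by_user, domains, hints
```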
Cause

This may be caused by multiple reasons. Here are a few of the most common:

  • Misconfigured Identity Provider settings in vRA.
  • Inconsistent vRO Cluster Nodes configuration.
  • Integrated Windows Authentication bug in vRA 7.0.


Solution

Here are a few things that may help you resolve such login issues.
The issue may occur if, in the Identity Provider configuration, the IdP Hostname points to one of the vRA VA VMs' addresses rather than to the vRA VA Load Balancer (LB) address.

Change the IdP Hostname to point to the vRA VA LB address.

Additionally, you may add all vRA VA nodes as Connectors in the Identity Provider.

Also make sure you can successfully sync users and groups from AD from the Directories tab in vRA.

Make sure that the Admin Group in the vRO Authentication Provider settings is set to the AD admin group you want to grant access to vRO.

Make sure all vRO Nodes are synchronized.

If you are using vRealize Automation / Identity Manager with Integrated Windows Authentication (IWA), make sure vRA is version 7.1 or higher.

When the Integrated Windows Authentication (IWA) AD configuration is done for an AD with multiple domains (child/trusted domains) you may receive errors similar to the ones above.
This issue occurs because vRealize Automation / Identity Manager cannot authenticate users from an IWA Active Directory secondary/trusted domain.
This issue is resolved in vRealize Automation 7.1.
For more info see the VMware KB article Unable to log in to vRO using Active Directory user credentials (2147290).


Final Step

If all went well, go grab a beer.
