In this post we will take a look at what can be the cause of not being able to login to vRO, especially in the embedded vRO in a distributed vRA deployment, with [invalid username/password] error.
Update Log:
Lab Environment
The full lab logical design can be seen HERE.
Issue
Consider the following use case:
- You have a distributed vRA 7.x deployment
- You have configured an AD LDAP directory in vRA and you have synchronized users and groups in vRA.
- You may have configured Windows Integrated Authentication in the vRealize Automation / Identity Manager.
When you try to authenticate to the embedded vRO you receive error similar to the following:
invalid username/password
You can see error in the [/var/log/vmware/vco/app-server/server/log] log similar to
2016-12-08 09:27:32.558+0000 [http-nio-127.0.0.1-8280-exec-15] INFO {} [UsersController] Unsuccessful login attempt by user ‘administrator@sddc.lab’. Access point type ‘client’
2016-12-08 09:27:32.558+0000 [http-nio-127.0.0.1-8280-exec-15] ERROR {} [BaseController] Error invoking REST [unknown]
ch.dunes.util.DunesServerException: javax.security.auth.login.LoginException: SSO server error
at com.vmware.o11n.web.user.UsersController.createSession(UsersController.java:154)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
or (when using Integrated Authentication with vRA 7.0 or earlier)
2016-07-08 12:14:30.884+0000 [http-nio-8283-exec-7] ERROR [ConfigureAuthProvider] [6ebebde6-1656-4e10-ad5e-1fcc025df117] Wrong credentials.
org.springframework.security.authentication.BadCredentialsException: {
"error": "invalid_grant",
"error_description": "Invalid username or password"
}
Caused by: org.springframework.web.client.HttpClientErrorException: 400 Bad Request
You can see error in the [var/log/vmware/vco/configurator/ controlcenter.log] similar to
2016-12-08 15:31:14.498+0000 [http-nio-127.0.0.1-8282-exec-5] INFO [ConfigureAuthProvider] [736cc36a-39e2-48cd-9dcf-2ef025bf5bbc] Test login: username = admin@vmware.com, pa
ssword = ***, authentication = Authentication: state = APPROVED, url = vra7.vmware.com/component-registry, certificateAlias = vco.cafe.component-registry.ssl.certi
ficate, username = administrator, password = , importCertificates = false, configureLicences = true, certificate = [TrustedEntity [id=imported:140738ca-0918-4735-81b5-d49f
b79989e6, [39 E6 00 F5 11 1F 0E C7 70 D0 4F 7D E2 65 CC 24 F5 79 C3 85], TrustedEntity [id=imported:1083a6e4-6ecd-4ff7-9013-3996b40f0ea2, [2D E2 9B 70 3E 2D 1A BC BB 06 96
AB 28 B0 8C 7D C7 4A 81 7F]], service provider host = APPROVED Sso Authentication: ssoUrlEndpoint = com.vmware.vcac.componentregistry.rest.stubs.EndPoint@56bb58e, stsUrlE
ndpoint = com.vmware.vcac.componentregistry.rest.stubs.EndPoint@22828591, adminUrlEndpoint = com.vmware.vcac.componentregistry.rest.stubs.EndPoint@b24aa86, ssoSslAlias = v
co.sso.ssl.certificate, authenticationTokenType = oauth, clientId = vco-J37MBazusg, clientSecret = **, adminGroup = Domain Admins, adminGroupDomain = sddc.lab, defaultTe
nant = vsphere.local, ssoClockTolerance = 300, tokenLifetimeInSeconds = 7776000, ssoTokenRenewCount = 5 Cafe Authentication: servicePort = 8281, cafeVsoWaitSeconds = 30, c
afeVcoRetries = 120, isEmbedded = false, registrationId = 78a81d62-2901-4bcf-aa61-fa668ee2317b, serviceHost = null
2016-12-08 15:31:14.774+0000 [http-nio-127.0.0.1-8282-exec-5] ERROR [ConfigureAuthProvider] [736cc36a-39e2-48cd-9dcf-2ef025bf5bbc] Wrong credentials.
org.springframework.security.authentication.BadCredentialsException: {
"error": "invalid_grant",
"error_description": "Invalid username or password"
Cause
This may be caused by multiple reasons. Here are few of the most common:
- Misconfigured Identity Provider settings in vRA.
- Inconsistent vRO Cluster Nodes configuration.
- Integrated Windows Authentication big in vRA 7.0
Solution
Here are few things that may help you resolve such login issues.
Issue may occur if in the Identity Provider configuration, the IDP Hostname is pointing to one of the vRA VA VM’s addresses and not the vRA VM Load Balancer (LB) address.
Change the ldp Hostname to the point to the vRA VA LB address.
Additionally you may add all vRA VA Nodes as Connectors in the Identity Provider.
Additionally make sure you can successfully sync users and groups from AD within the Directories tab in VRA.
Make sure that the Admin Group in the vRO Authentication Provider settings is set to the AD admin group you want to grant access to vRO.
Make sure all vRO Nodes are synchronized.
If you are using vRealize Automation/ Identity Manager with integrated Windows Authentication (IWA) make sure to vRA is version 7.1 or higher.
When Integrated Windows Authentication (IWA) AD configuration is done for AD with multiple domains (child/trusted domains) you may receive errors similar to the once above.
This issue occurs because vRealize Automation/ Identity Manager cannot perform authentication against Integrated Windows Authentication (IWA) active directory secondary/trusted domain users.
This issue is resolved in vRealize Automation 7.1
For more info visit, Unable to log in to vRO using an Active Directory user credentials (2147290)
Final Step
If all went well, go grab a beer.
include TEMPLATEPATH."/../../../itBlogDisclaimer.php"; ?>