Unable to log in to the vCenter Web Client with an Active Directory account.

The following error may be seen when logging in to the vCenter Web Client:

Error when processing the success websso auth message com.vmware.vim.sso.client.exception.MalformedTokenException: Cannot parse group information.


The following lines may be seen in vsphere_client_virgo.log (located in /var/log/vmware/vsphere-ui/logs). To learn more about vCenter log locations, refer to the KB.

[INFO ] http-bio-9090-exec-71 70004351 100196 ###### com.vmware.identity.websso.client.SsoValidationState NameID: a502738639@UHC1.LOCAL
[INFO ] http-bio-9090-exec-71 70004351 100196 ###### com.vmware.identity.websso.client.SsoValidationState NameIDFormat: http://schemas.xmlsoap.org/claims/UPN
[2019-03-01T19:02:25.668Z] [INFO ] http-bio-9090-exec-71 70004351 100196 ###### com.vmware.identity.websso.client.SamlUtils Validate sessionNotOnOrAfter with clock tolerance = 600
[INFO ] http-bio-9090-exec-71 70004351 100196 ###### com.vmware.vise.vim.security.sso.impl.SsoCmLocatorImpl Retrieved locations of services from CM at https://vCenter.ADdomain.local/cm/sdk?hostid=ef37a469-05e6-419f-bd69-3afcd05c2016 in 11 milliseconds:adminA.vim.binding.sso.version.version3_5

[ERROR] http-bio-9090-exec-71 70004351 100196 ###### com.vmware.vsphere.client.security.websso.LogonProcessorImpl Error when processing the success websso authn message com.vmware.vim.sso.client.exception.MalformedTokenException: Cannot parse group information
at java.lang.Thread.run(Thread.java:748)
Caused by: com.vmware.identity.token.impl.exception.ParserException: Invalid principal value: 'vsphere.local\ADdomain\vCenterRole' (incorrect number of fields)
at com.vmware.identity.token.impl.PrincipalIdParser.splitInTwo(PrincipalIdParser.java:76)
at com.vmware.identity.token.impl.PrincipalIdParser.parseGroupId(PrincipalIdParser.java:51)
at com.vmware.identity.token.impl.SamlTokenImpl.parseGroup(SamlTokenImpl.java:1211)
at com.vmware.identity.token.impl.SamlTokenImpl.parseAttributeStatement(SamlTokenImpl.java:1165)


This problem occurs when an Active Directory group has been added to a vCenter role (permission) for delegated control and the group identifier carried in the SAML token is malformed: the "Caused by" line shows the group as 'vsphere.local\ADdomain\vCenterRole', three backslash-separated fields, whereas the token parser (PrincipalIdParser.splitInTwo) expects exactly two, in the form domain\name. The "Caused by" line therefore tells you which group assignment is affected. To resolve the problem, remove that AD group from the vCenter role assignment and then add it again, so the permission is re-created with a correctly formed group principal; the user then needs to log in again to obtain a fresh token.
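To find the offending group quickly in a large vsphere_client_virgo.log, the following script scans for the ParserException line, extracts the quoted principal, and applies the same two-field rule the stack trace describes. This is an added example and not VMware's code; the two-field check only mirrors the "incorrect number of fields" failure seen above and is an assumption about the parser's behaviour, and the sample log text is constructed from the lines shown on this page.

```python
import re

# Matches the "Caused by" line from the trace above and captures the quoted
# principal plus the parenthesised reason.
PRINCIPAL_RE = re.compile(
    r"ParserException: Invalid principal value: '(?P<principal>[^']*)' "
    r"\((?P<reason>[^)]*)\)"
)


def split_in_two(principal: str) -> tuple[str, str]:
    """Split a group principal into (domain, name).

    Assumption (mirrors the 'incorrect number of fields' failure, not VMware's
    implementation): a valid principal contains exactly one backslash.
    """
    fields = principal.split("\\")
    if len(fields) != 2:
        raise ValueError(
            f"incorrect number of fields: got {len(fields)} in {principal!r}"
        )
    return fields[0], fields[1]


def find_malformed_principals(log_text: str) -> list[dict]:
    """Return one record per 'Invalid principal value' line in the log text.

    Each record carries the raw principal, its backslash-separated fields,
    whether it would pass the two-field check, and, when it has more than two
    fields, the trailing 'domain\\name' pair to look for in the role assignments
    (a heuristic, not a guarantee that this is the stored group).
    """
    records = []
    for line in log_text.splitlines():
        m = PRINCIPAL_RE.search(line)
        if not m:
            continue
        principal = m.group("principal")
        fields = principal.split("\\")
        try:
            split_in_two(principal)
            parses = True
        except ValueError:
            parses = False
        records.append({
            "principal": principal,
            "reason": m.group("reason"),
            "fields": fields,
            "parses": parses,
            "group_to_readd": "\\".join(fields[-2:]) if len(fields) > 2 else None,
        })
    return records


# Constructed sample built from the log lines quoted on this page.
SAMPLE_LOG = (
    "[INFO ] http-bio-9090-exec-71 70004351 100196 ###### "
    "com.vmware.identity.websso.client.SsoValidationState NameID: a502738639@UHC1.LOCAL\n"
    "[ERROR] http-bio-9090-exec-71 70004351 100196 ###### "
    "com.vmware.vsphere.client.security.websso.LogonProcessorImpl Error when processing "
    "the success websso authn message com.vmware.vim.sso.client.exception."
    "MalformedTokenException: Cannot parse group information\n"
    "Caused by: com.vmware.identity.token.impl.exception.ParserException: "
    "Invalid principal value: 'vsphere.local\\ADdomain\\vCenterRole' "
    "(incorrect number of fields)\n"
    "at com.vmware.identity.token.impl.PrincipalIdParser.splitInTwo(PrincipalIdParser.java:76)\n"
)

if __name__ == "__main__":
    for rec in find_malformed_principals(SAMPLE_LOG):
        print(f"principal={rec['principal']!r} fields={len(rec['fields'])} "
              f"parses={rec['parses']} re-add={rec['group_to_readd']!r}")
```

Run it against the real file with `python3 find_principal.py < /var/log/vmware/vsphere-ui/logs/vsphere_client_virgo.log` after replacing SAMPLE_LOG with `sys.stdin.read()`; every record with `parses=False` names a group assignment to remove and re-add.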


#active-directory, #invalid-principal-value, #vcent