[400] An error occurred while processing the authentication response from the vCenter Single Sign-On server.

By | March 10, 2020

When logging in through the vSphere Web Client you receive the following error message:

[400] An error occurred while processing the authentication response from the vCenter Single Sign-On server. Details: HTTP error code: 403, status: BadResponse, sub status: Issuer not trusted:

It happens for multiple domain users as well as the local administrator@vsphere.local account, independent of the PC and browser used (IE / Chrome / Firefox, both the Java and the HTML5 client).

Environment Characteristics:

  • A (non-Windows) vCenter appliance with external, load-balanced PSCs.
  • No linked mode.
  • No use of View, SRM or Replication

Troubleshooting methods:

  • In Administration > Single Sign-On > Configuration > Identity Sources, select the option to set the Active Directory as Default
  • Review several log files: vmware-sts-idmd.log / vsphere_client_virgo.log
  • Reset vsphere.local account & machine account

Look in the “websso.log” log file if there are any LDAP error messages:

Search for bind authentication errors in the “vmdird” log directory; in our case the snippet below stood out, showing an error for the machine account:

This issue occurs when the Inventory service loses its trust due to a password mismatch in the vmdird for the account listed in the vmdird-syslog.log file. The solution here is to reset the password for this account.

Before you begin, take snapshots of your vCenter & PSC(‘s).

Reset the password for the account that was listed in the vmdird-syslog.log file.

Connect to your PSC to perform the password reset through the vdcadmintool: /usr/lib/vmware-vmdir/bin/vdcadmintool

Now ssh to your vCenter appliance and perform the following steps:

Get into “lwregshell” mode:

Once in the shell, cd your way to “vmdir”

List the content of “vmdir” and look for “dcAccountPassword”; this is where the current password is stored (I have taken out the other properties, which I think are not necessary for this example).

Now set the “New Password” for “dcAccountPassword” with the following command:

Check to make sure the new password is there:

To sum it up:

Restart the Services:

Source: VMware KB Article

But unfortunately, all of this didn’t solve the problem. Logging in was still an issue: depending on which PSC the load balancer sent you to, the login either succeeded or failed.

The thing that stood out was that this problem occurred after the upgrade to 6.7, coming from version 6.5.

It turns out that after you upgrade your PSCs you should run an SSO update script, because the previous configuration has been overwritten during the upgrade process. See the following KB Article for more information about SSL termination from 6.5 to 6.7. The script updateLsEndpoint.py may not be necessary, as the upgrade does not change the certificate.

Furthermore, have a look at this KB Article about the upgrade process of your PSCs.

After we ran the script updateSSOConfig.py we were able to log in successfully to vCenter through the (previously troubled) PSC; the 2nd PSC was then turned off, after which we did the same test with the 2nd PSC, also successfully.
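The remediation walked through above (find the failing bind in vmdird-syslog.log, reset the machine account with vdcadmintool, update dcAccountPassword in lwregshell, verify, restart services) plus the post-upgrade updateSSOConfig.py step, collected into one shell script as an added example. This is not the post's own commands and not VMware's code: the tool paths are the standard ones on the vCenter/PSC appliances, but lwregshell's non-interactive syntax, the --lb-fqdn flag, the log-line format and the registry listing are assumptions, and all sample data is constructed.

```shell
#!/bin/sh
# Added example, not the post's own commands or VMware's: the remediation the
# post walks through, as shell functions. Tool paths are the standard ones on
# the vCenter/PSC appliances; lwregshell's non-interactive syntax, the
# --lb-fqdn flag, and all sample data below are assumptions or constructed.
set -eu

LWREGSHELL=/opt/likewise/bin/lwregshell
VMDIR_KEY='[HKEY_THIS_MACHINE\services\vmdir]'   # the "vmdir" key the post cds into
VDCADMINTOOL=/usr/lib/vmware-vmdir/bin/vdcadmintool
SSO_UPDATE=/usr/lib/vmware-sso/bin/updateSSOConfig.py

# Triage (on the PSC): bind failures in vmdird-syslog.log. LDAP result 49 is
# invalidCredentials, i.e. the account in that line no longer authenticates,
# which is the password mismatch the post describes. Log format is assumed.
find_bind_failures() {
    grep -E 'Request \(Bind\).*Error \(49\)' "$1" || true
}

# Step 1 (on the PSC, interactive): run $VDCADMINTOOL, choose menu option 3
# "Reset account password", enter the UPN of the account found above; the tool
# prints the new password, which is the value for dcAccountPassword below.

# Step 2 (on the vCenter appliance): the lwregshell "ls" and "set_value" the
# post performs inside the vmdir key, here as one-shot commands.
show_dc_account() {
    "$LWREGSHELL" list_values "$VMDIR_KEY" | grep -E 'dcAccount(DN|Password)'
}
set_dc_account_password() {
    "$LWREGSHELL" set_value "$VMDIR_KEY" dcAccountPassword "$1"
}

# Step 3: verify the stored value. Takes the listing text as an argument so it
# can be checked offline against the constructed sample below.
registry_password_matches() {
    printf '%s\n' "$1" | grep -F 'dcAccountPassword' | grep -qF "$2"
}

# Step 4: restart services so vmdir and the STS pick up the new value.
restart_services() {
    service-control --stop --all && service-control --start --all
}

# Post-upgrade step from the end of the post: re-point SSO at the PSC load
# balancer FQDN, since the 6.5 configuration is overwritten by the 6.7 upgrade.
update_sso_config() {
    python "$SSO_UPDATE" --lb-fqdn="$1"
}

# Constructed sample input so the triage and verify steps run anywhere.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
2020-03-10T08:00:01 vmdird t@1 VmDirSendLdapResult: Request (Bind), Error (0), Message (), (0) socket (10.0.0.5)
2020-03-10T08:00:02 vmdird t@2 VmDirSendLdapResult: Request (Bind), Error (49), Message (), (0) socket (10.0.0.7)
2020-03-10T08:00:03 vmdird t@2 VmDirSendLdapResult: Request (Search), Error (0), Message (), (0) socket (10.0.0.7)
EOF
SAMPLE_REGISTRY='+  "dcAccountDN"        REG_SZ  "cn=vc.example.local,ou=Domain Controllers,dc=vsphere,dc=local"
+  "dcAccountPassword"  REG_SZ  "Constructed-Pa55"'

# Real run on the appliance (after snapshots of vCenter and PSCs, as the post says):
#   sh fix_sso_trust.sh --apply '<password printed by vdcadmintool>' <psc-lb-fqdn>
if [ "${1:-}" = "--apply" ]; then
    set_dc_account_password "$2"
    registry_password_matches "$("$LWREGSHELL" list_values "$VMDIR_KEY")" "$2"
    restart_services
    update_sso_config "$3"
fi
```

Without --apply the script only defines the functions and builds the sample data, so it can be read and exercised off the appliance; the triage function is the part worth keeping around, since a result-49 bind in vmdird-syslog.log is the quickest confirmation that the machine account password has drifted again.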

Many thanks to VMware for their support in this case.
