...
You cannot log in to the vSphere Web Client or vSphere Client.

Logging in to the vSphere Web Client fails with this error:

    The authentication server returned an unexpected error: ns0:RequestFailed: Internal Error while creating SAML 2.0 Token. The error may be caused by a malfunctioning identity source.

Logging in to the vSphere Client fails with this error:

    unknown user or bad password

The imsTrace.log file (located at C:\Program Files\VMware\Infrastructure\SSOServer\logs\) contains entries similar to:

    10:10:06,045, [example-7], (GroupAccessLocalIS.java:313), trace.com.rsa.ims.admin.dal.localis.PrincipalAccessLocalIS, DEBUG, vcenter.domain.local,,,,Lookup failure: [GroupInfo.c:254] NetUserGetLocalGroups failed: Access denied
    10:10:06,045, [example-7], (SecurityTokenServiceImpl.java:117), trace.com.rsa.riat.sts.impl.SecurityTokenServiceImpl, ERROR, vcenter.domain.local,,,,Error while trying to generate RequestSecurityTokenResponse
    com.rsa.common.UnexpectedDataStoreException: Unexpected Local OS exception
    Caused by: com.rsa.ims.localis.LocalisAccessError: Local O/S Identity Source Error: LOCALIS_STATUS_INTERNAL, extended error: 5 : [GroupInfo.c:254] NetUserGetLocalGroups failed: Access is denied
    at com.rsa.ims.localis.LocalisAccessHelper.throwAccessError(LocalisAccessHelper.java:756)
    at com.rsa.ims.localis.LocalisAccessHelper.getUserGroupsByName(LocalisAccessHelper.java:535)
    at com.rsa.ims.admin.dal.localis.GroupAccessLocalIS.getGroupsByName(GroupAccessLocalIS.java:353)
    at com.rsa.ims.admin.dal.localis.GroupAccessLocalIS.handleLookupError(GroupAccessLocalIS.java:325)

The vpxd.log contains entries similar to this:

    Authenticate(harms\vmware1, "not shown")
    2014-01-15T12:51:09.633-05:00 [10176 error '[SSO]' opID=8A85DD23-00000004-e1] [UserDirectorySso] AcquireToken SsoException: Unexpected SOAP fault: ns0:RequestFailed; request failed.
    2014-01-15T12:51:09.633-05:00 [10176 error 'authvpxdUser' opID=8A85DD23-00000004-e1] Failed to authenticate user
This issue occurs if there is a configuration problem related to the local operating system users and groups when you are using Active Directory (AD) users in local groups.
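The vSphere Client reports this failure as "unknown user or bad password", so the imsTrace.log signature is what separates it from a genuine credential failure. The following triage sketch is an added example, not VMware code: it groups each log header with its stack trace and reports token errors rooted in a denied NetUserGetLocalGroups call. The comma-separated field layout is inferred from the excerpt above, the function names are hypothetical, and the last sample line is constructed.

```python
import re
from collections import defaultdict

# Sample: lines from the imsTrace.log excerpt quoted in this article, plus one
# constructed, unrelated line (thread example-9) to show that it is ignored.
SAMPLE = """10:10:06,045, [example-7], (GroupAccessLocalIS.java:313), trace.com.rsa.ims.admin.dal.localis.PrincipalAccessLocalIS, DEBUG, vcenter.domain.local,,,,Lookup failure: [GroupInfo.c:254] NetUserGetLocalGroups failed: Access denied
10:10:06,045, [example-7], (SecurityTokenServiceImpl.java:117), trace.com.rsa.riat.sts.impl.SecurityTokenServiceImpl, ERROR, vcenter.domain.local,,,,Error while trying to generate RequestSecurityTokenResponse
com.rsa.common.UnexpectedDataStoreException: Unexpected Local OS exception
Caused by: com.rsa.ims.localis.LocalisAccessError: Local O/S Identity Source Error: LOCALIS_STATUS_INTERNAL, extended error: 5 : [GroupInfo.c:254] NetUserGetLocalGroups failed: Access is denied
at com.rsa.ims.localis.LocalisAccessHelper.throwAccessError(LocalisAccessHelper.java:756)
10:10:07,101, [example-9], (SecurityTokenServiceImpl.java:90), trace.com.rsa.riat.sts.impl.SecurityTokenServiceImpl, DEBUG, vcenter.domain.local,,,,Token issued
"""

# Header layout (time, thread, source, logger, level, host, message) is an
# assumption inferred from the excerpt, not a documented format.
HEADER = re.compile(
    r"^(\d\d:\d\d:\d\d,\d{3}), \[([^\]]+)\], \(([^)]+)\), ([^,\s]+), (\w+), ([^,]*),,,,(.*)$")
EXT_ERR = re.compile(r"LocalisAccessError: .*?extended error: (\d+)")
KEYS = ("time", "thread", "source", "logger", "level", "host", "message")

def parse_records(text):
    """Attach stack-trace continuation lines to the header line they follow."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            records.append(dict(zip(KEYS, m.groups()), trace=[]))
        elif records and line.strip():
            records[-1]["trace"].append(line.strip())
    return records

def find_localos_failures(text):
    """Return ERROR records whose trace shows a denied local group lookup."""
    lookups = defaultdict(int)  # thread -> failed local group lookups seen so far
    findings = []
    for rec in parse_records(text):
        if "NetUserGetLocalGroups failed" in rec["message"]:
            lookups[rec["thread"]] += 1
        trace = "\n".join(rec["trace"])
        m = EXT_ERR.search(trace)
        if rec["level"] == "ERROR" and m and "NetUserGetLocalGroups failed" in trace:
            findings.append({"time": rec["time"], "thread": rec["thread"],
                             "host": rec["host"], "extended_error": int(m.group(1)),
                             "prior_lookup_failures": lookups[rec["thread"]]})
    return findings

if __name__ == "__main__":
    print(find_localos_failures(SAMPLE))
```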
To resolve this issue, review the configured Identity Sources for any incorrect entries. If all Identity Sources are correct, remove the localOS identity source from vCenter Server Single Sign-On (SSO).

Notes:

- Before removing the localOS identity source from the SSO configuration, ensure that you have configured at least one domain user with administrative permissions.
- When you remove the local operating system identity source, its associated user permissions are removed from vCenter Server and the configured local users can no longer log in to vCenter Server. This applies even if Domain Admins has local permissions on the vCenter Server machine.

To remove the localOS identity source from the SSO configuration:

1. Log in to the vSphere Web Client as the SSO administrator.
2. Click Administration.
3. Click Sign-On and Discovery.
4. Click Configuration.
5. Identify the Local Identity Source. The domain name should match the machine name.
6. Right-click Local Identity Source and click Delete Identity Source.