Unable to log in to the vCenter web client with an Active Directory account.

The following error may be seen when logging in to the vCenter web client.

Error when processing the success websso auth message com.vmware.vim.sso.client.exception.MalformedTokenException: Cannot parse group information.


The following lines may be seen in vsphere_client_virgo.log (location: /var/log/vmware/vsphere-ui/logs). To learn more about vCenter logs, refer to the KB.

[INFO ] http-bio-9090-exec-71 70004351 100196 ###### com.vmware.identity.websso.client.SsoValidationState NameID: a502738639@UHC1.LOCAL
[INFO ] http-bio-9090-exec-71 70004351 100196 ###### com.vmware.identity.websso.client.SsoValidationState NameIDFormat: http://schemas.xmlsoap.org/claims/UPN
[2019-03-01T19:02:25.668Z] [INFO ] http-bio-9090-exec-71 70004351 100196 ###### com.vmware.identity.websso.client.SamlUtils Validate sessionNotOnOrAfter with clock tolerance = 600
[INFO ] http-bio-9090-exec-71 70004351 100196 ###### com.vmware.vise.vim.security.sso.impl.SsoCmLocatorImpl Retrieved locations of services from CM at https://vCenter.ADdomain.local/cm/sdk?hostid=ef37a469-05e6-419f-bd69-3afcd05c2016 in 11 milliseconds:adminA.vim.binding.sso.version.version3_5

[ERROR] http-bio-9090-exec-71 70004351 100196 ###### com.vmware.vsphere.client.security.websso.LogonProcessorImpl Error when processing the success websso authn message com.vmware.vim.sso.client.exception.MalformedTokenException: Cannot parse group information
at java.lang.Thread.run(Thread.java:748)
Caused by: com.vmware.identity.token.impl.exception.ParserException: Invalid principal value: 'vsphere.local\ADdomain\vCenterRole' (incorrect number of fields)
at com.vmware.identity.token.impl.PrincipalIdParser.splitInTwo(PrincipalIdParser.java:76)
at com.vmware.identity.token.impl.PrincipalIdParser.parseGroupId(PrincipalIdParser.java:51)
at com.vmware.identity.token.impl.SamlTokenImpl.parseGroup(SamlTokenImpl.java:1211)
at com.vmware.identity.token.impl.SamlTokenImpl.parseAttributeStatement(SamlTokenImpl.java:1165)


This problem occurs because of the way an Active Directory group was added to vCenter for delegated control: as the stack trace shows, the SAML token carries the group principal as 'vsphere.local\ADdomain\vCenterRole', and the token parser rejects it because it has the wrong number of fields. To resolve the problem, remove the AD group from the vCenter roles and then add it again.
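To find which group assignment is at fault without reading the whole Virgo log by hand, the following PowerShell snippet (an added example, not part of the original post) scans log lines for the "Invalid principal value" ParserException, extracts the rejected principal and counts its backslash-separated fields. The sample lines are constructed here to mirror the excerpt above; the log path is the one the post names, and the two-field domain\group expectation is taken from the "incorrect number of fields" message in the trace.

```powershell
# Added example: triage "Cannot parse group information" in vsphere_client_virgo.log.
# Constructed sample lines modelled on the excerpt in the post; on a real system use
#   $LogLines = Get-Content /var/log/vmware/vsphere-ui/logs/vsphere_client_virgo.log
$LogLines = @(
    "[INFO ] http-bio-9090-exec-71 70004351 100196 ###### com.vmware.identity.websso.client.SsoValidationState NameID: user@ADDOMAIN.LOCAL",
    "[ERROR] http-bio-9090-exec-71 70004351 100196 ###### com.vmware.vsphere.client.security.websso.LogonProcessorImpl Error when processing the success websso authn message com.vmware.vim.sso.client.exception.MalformedTokenException: Cannot parse group information",
    "Caused by: com.vmware.identity.token.impl.exception.ParserException: Invalid principal value: 'vsphere.local\ADdomain\vCenterRole' (incorrect number of fields)",
    "Caused by: com.vmware.identity.token.impl.exception.ParserException: Invalid principal value: 'ADdomain' (incorrect number of fields)"
)

function Get-InvalidPrincipal {
    # Returns one object per rejected principal: the raw value, how many
    # backslash-separated fields it has, and the domain/group parts so the
    # admin knows which role assignment to remove and re-add.
    param([string[]]$Lines)

    foreach ($line in $Lines) {
        if ($line -match "Invalid principal value: '([^']+)'") {
            $principal = $Matches[1]
            # '\\' is a regex escape for a single backslash
            $fields = $principal -split '\\'
            [pscustomobject]@{
                Principal  = $principal
                FieldCount = $fields.Count
                Domain     = $fields[0]
                GroupName  = $fields[-1]
                # The token parser (PrincipalIdParser.splitInTwo) expects exactly domain\group
                Expected   = 'domain\group (2 fields)'
            }
        }
    }
}

Get-InvalidPrincipal -Lines $LogLines | Format-Table -AutoSize
```

Run it against the live log after a failed login; each row names the AD group whose role assignment needs to be removed and added again, and the FieldCount column makes the "incorrect number of fields" condition visible at a glance.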

#active-directory, #invalid-principal-value, #vcent

How to join VMware ESX / vCenter to an Active Directory domain and manage it using a domain account.

Most organizations use an AD infrastructure for authentication and for administering organizational resources. ESX servers and vSphere can also be joined to an AD domain and administered using domain accounts.

Here are the steps to do the same.

Confirm that the appropriate DNS address and domain name are configured on the ESX host. Log in to ESX using the vSphere client, select the Configuration tab, then select ‘DNS and Routing’. If the correct DNS IP is not configured, click ‘Properties’ and save valid details.


Click Authentication Services, select Properties to edit the current settings, and select Active Directory as the directory service type. Type the domain name, then join the domain by providing a domain admin credential.


Once ESX has joined the domain, you should see its computer account listed in ADUC (Active Directory Users & Computers).


Now create a group called ‘VMware Admin’ and a user ‘VAdmin’; this user will be a member of the ‘VMware Admin’ group.


In your vSphere client, select the Permissions tab, right-click on an empty area and select ‘Add Permission’.


Click Add and select the domain from the drop-down menu; you should see the AD objects. Select the ‘VMware Admin’ group.


Select the role you wish to map to the AD group ‘VMware Admin’.


Once it has been added successfully, you should be able to log in to ESX through the vSphere client using domain credentials. You can tick the ‘Use Windows session credentials’ checkbox if you want to log in using the current Windows login.


If you are managing ESX through VMware vCenter, open the vCenter page, go to the ‘Administration’ page, select ‘Configuration’, and under ‘Identity Sources’ select ‘Active Directory (Integrated Windows Authentication)’. Type the appropriate domain name and click OK.


Click the ‘Global Permissions’ tab, click the ‘+’ option, then add the AD group ‘VMware Admin’.


Select the role you wish to map to the ‘VMware Admin’ AD group.


Now you should be able to log in to vCenter using Windows and AD authentication.
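The same join-and-delegate procedure can be scripted with VMware PowerCLI, which is useful when many hosts need the identical configuration and you want the AD group mapping to be reproducible rather than clicked through. The block below is an added example, not from the original post; the host name esx01.ADdomain.local, the domain ADdomain.local, the vCenter name and the ‘VMware Admin’ group are assumed values, and the identity-source step is left to the vSphere client because it is not covered by these cmdlets. The Global Permissions step is approximated here by a propagated permission on the root folder, which is an assumption of the example rather than an exact equivalent.

```powershell
# Added example: ESX domain join plus AD group-to-role mapping with PowerCLI.
# Assumed names throughout: esx01.ADdomain.local, ADdomain.local, vCenter.ADdomain.local,
# AD group "VMware Admin". Requires the VMware.PowerCLI module to be installed.
Import-Module VMware.PowerCLI

$vc  = Connect-VIServer -Server 'vCenter.ADdomain.local'
$esx = Get-VMHost -Name 'esx01.ADdomain.local'

# Step 1: confirm DNS and domain name on the host (the 'DNS and Routing' check)
Get-VMHostNetwork -VMHost $esx | Select-Object HostName, DomainName, DnsAddress

# Step 2: join the host to the domain. Prompt for the domain admin credential
# rather than embedding it in the script.
$joinCred = Get-Credential -Message 'Domain account permitted to join computers'
Get-VMHostAuthentication -VMHost $esx |
    Set-VMHostAuthentication -JoinDomain -Domain 'ADdomain.local' -Credential $joinCred -Confirm:$false

# Verify the join result before granting anything
Get-VMHostAuthentication -VMHost $esx | Select-Object Domain, DomainMembershipStatus

# Step 3: map the AD group to a role on the host (the 'Add Permission' step).
# Least privilege: swap 'Admin' for a custom role if full admin is not required.
$role = Get-VIRole -Name 'Admin'
New-VIPermission -Entity $esx -Principal 'ADdomain\VMware Admin' -Role $role -Propagate:$true

# Step 4 (assumption): approximate the vCenter Global Permission with a
# propagated permission on the root 'Datacenters' folder.
$root = Get-Folder -Name 'Datacenters'
New-VIPermission -Entity $root -Principal 'ADdomain\VMware Admin' -Role $role -Propagate:$true

# Review what the group can now do
Get-VIPermission -Principal 'ADdomain\VMware Admin' | Select-Object Entity, Role, Propagate

Disconnect-VIServer -Server $vc -Confirm:$false
```

The final Get-VIPermission call doubles as the check from the first post on this page: the principal it reports should read as a single domain\group pair, which is the form the SSO token parser accepts.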


#active-directory, #vmware, #windows