Running into the same issue here; AD accounts don't authenticate to the inventory service.
Note: the error relating to "NT AUTHORITY" is what I'm seeing in my case; it may be different in other environments.
Error is logged in inv-svc.log:
2015-09-18T21:11:52.576+02:00 [pool-16-thread-4 INFO com.vmware.identity.token.impl.SamlTokenImpl opId=290b1891-f8ce-49fd-86ff-f0f3d8a1f9a9] SAML token for SubjectNameId [value=user@example.com, format=http://schemas.xmlsoap.org/claims/UPN] successfully parsed from Element
2015-09-18T21:11:52.612+02:00 [pool-16-thread-4 ERROR com.vmware.vim.vcauthenticate.servlets.AuthenticationHelper opId=290b1891-f8ce-49fd-86ff-f0f3d8a1f9a9] Invalid user
com.vmware.vim.query.server.ssoauthentication.exception.InvalidUserException: Domain does not exist: NT AUTHORITY
at com.vmware.vim.query.server.ssoauthentication.impl.DomainNameNormalizerImpl.toSsoDomain(DomainNameNormalizerImpl.java:55)
at com.vmware.vim.query.server.ssoauthentication.impl.SsoPrincipalFactoryImpl.nameFromPrincipalId(SsoPrincipalFactoryImpl.java:77)
at com.vmware.vim.query.server.ssoauthentication.impl.SsoPrincipalFactoryImpl.createUserPrincipal(SsoPrincipalFactoryImpl.java:138)
at com.vmware.vim.query.server.ssoauthentication.impl.SsoPrincipalFactoryImpl.createUserPrincipal(SsoPrincipalFactoryImpl.java:48)
at com.vmware.vim.vcauthenticate.servlets.AuthenticationHelper.loginBySamlToken(AuthenticationHelper.java:196)
at com.vmware.vim.query.server.authentication.impl.MoSessionManager.internalLoginBySamlToken(MoSessionManager.java:174)
at com.vmware.vim.query.server.authentication.impl.MoSessionManager.loginBySamlToken(MoSessionManager.java:154)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at com.vmware.vim.vmomi.server.impl.InvocationTask.run(InvocationTask.java:66)
at com.vmware.vim.vmomi.server.common.impl.RunnableWrapper$1.run(RunnableWrapper.java:48)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:745)
2015-09-18T21:11:52.793+02:00 [pool-16-thread-4 INFO com.vmware.vim.query.server.authentication.impl.MoSessionManager opId=290b1891-f8ce-49fd-86ff-f0f3d8a1f9a9] Failed to login user with subject: {Name: user, Domain: example.com}
2015-09-18T21:12:09.399+02:00 [tomcat-exec-268 INFO com.vmware.vim.sso.admin.client.vmomi.impl.AdminClientImpl opId=] Client was created successfully
2015-09-18T21:12:09.715+02:00 [tomcat-exec-268 INFO com.vmware.identity.token.impl.SamlTokenImpl opId=] SAML token for SubjectNameId [value=user@example.com, format=http://schemas.xmlsoap.org/claims/UPN] successfully parsed from XML
2015-09-18T21:12:09.728+02:00 [tomcat-exec-268 INFO com.vmware.identity.token.impl.SamlTokenImpl opId=] SAML token for SubjectNameId [value=user@example.com, format=http://schemas.xmlsoap.org/claims/UPN] successfully parsed from XML
2015-09-18T21:12:09.766+02:00 [tomcat-exec-268 ERROR com.vmware.vim.vcauthenticate.servlets.AuthenticationHelper opId=] Invalid user
com.vmware.vim.query.server.ssoauthentication.exception.InvalidUserException: Domain does not exist: NT AUTHORITY
at com.vmware.vim.query.server.ssoauthentication.impl.DomainNameNormalizerImpl.toSsoDomain(DomainNameNormalizerImpl.java:55)
at com.vmware.vim.query.server.ssoauthentication.impl.SsoPrincipalFactoryImpl.nameFromPrincipalId(SsoPrincipalFactoryImpl.java:77)
at com.vmware.vim.query.server.ssoauthentication.impl.SsoPrincipalFactoryImpl.createUserPrincipal(SsoPrincipalFactoryImpl.java:138)
at com.vmware.vim.query.server.ssoauthentication.impl.SsoPrincipalFactoryImpl.createUserPrincipal(SsoPrincipalFactoryImpl.java:48)
at com.vmware.vim.vcauthenticate.servlets.AuthenticationHelper.loginBySamlToken(AuthenticationHelper.java:196)
at com.vmware.cis.services.common.vapi.sessions.impl.VlsiBackedSessionManager.loginInt(VlsiBackedSessionManager.java:155)
at com.vmware.cis.services.common.vapi.sessions.impl.VlsiBackedSessionManager.login(VlsiBackedSessionManager.java:77)
at com.vmware.vim.query.server.authz.SessionManagerImpl.login(SessionManagerImpl.java:24)
at com.vmware.cis.authz.sessions.SessionManagerApiInterface$LoginApiMethod.doInvoke(SessionManagerApiInterface.java:40)
at com.vmware.vapi.internal.bindings.ApiMethodSkeleton.invoke(ApiMethodSkeleton.java:169)
at com.vmware.vapi.provider.ApiMethodBasedApiInterface.invoke(ApiMethodBasedApiInterface.java:82)
at com.vmware.vapi.provider.local.LocalProvider.invokeMethodInt(LocalProvider.java:471)
at com.vmware.vapi.provider.local.LocalProvider.invoke(LocalProvider.java:290)
at com.vmware.vapi.provider.introspection.ErrorAugmentingFilter.invoke(ErrorAugmentingFilter.java:74)
at com.vmware.vapi.security.AuthenticationFilter$1.setResult(AuthenticationFilter.java:180)
at com.vmware.vapi.security.AuthenticationFilter$1.setResult(AuthenticationFilter.java:166)
at com.vmware.vapi.cis.authn.SamlTokenAuthnHandler.authenticate(SamlTokenAuthnHandler.java:60)
at com.vmware.vapi.security.AuthenticationFilter.invoke(AuthenticationFilter.java:165)
at com.vmware.vapi.provider.aggregator.ProviderAggregation.invokeMethodImpl(ProviderAggregation.java:244)
at com.vmware.vapi.provider.aggregator.ProviderAggregation.invoke(ProviderAggregation.java:269)
at com.vmware.vapi.internal.provider.introspection.IntrospectionFilter.invoke(IntrospectionFilter.java:70)
at com.vmware.vapi.provider.aggregator.ApiAggregator.invoke(ApiAggregator.java:101)
at com.vmware.vapi.protocol.server.msg.json.JsonServerConnection.processApiRequest(JsonServerConnection.java:281)
at com.vmware.vapi.protocol.server.msg.json.JsonServerConnection.requestReceived(JsonServerConnection.java:206)
at com.vmware.vapi.protocol.server.rpc.http.impl.HttpStreamingServlet.doPostImpl(HttpStreamingServlet.java:124)
at com.vmware.vapi.protocol.server.rpc.http.impl.HttpStreamingServlet.doPost(HttpStreamingServlet.java:92)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:646)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501)
at com.vmware.vim.vmomi.server.http.impl.VlsiSslValve.invoke(VlsiSslValve.java:49)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1070)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:314)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:745)
"NT AUTHORITY" here is coming from the user token. Token details are logged in vmware-identity-sts.log:
[2015-09-18T20:22:51.253+02:00 tomcat-http--46 vsphere.local f09bbe6f-2ff5-4a2c-b77e-ce8b2de4620a TRACE com.vmware.identity.saml.idm.IdmPrincipalAttributesExtractor] An attribute PrincipalAttribute [name=http://schemas.xmlsoap.org/claims/UPN, format=urn:oasis:names:tc:SAML:2.0:attrname-format:uri, friendly name=userPrincipalName, value=[user@example.com]] retrieved for {Name: user, Domain: example.com}
[2015-09-18T20:22:51.253+02:00 tomcat-http--46 vsphere.local f09bbe6f-2ff5-4a2c-b77e-ce8b2de4620a TRACE com.vmware.identity.saml.idm.IdmPrincipalAttributesExtractor] An attribute PrincipalAttribute [name=http://rsa.com/schemas/attr-names/2009/01/GroupIdentity, format=urn:oasis:names:tc:SAML:2.0:attrname-format:uri, friendly name=Groups, value=[example.com\Domain Users, NT AUTHORITY\LogonSessionId_0_1204365, [... additional groups ...], vsphere.local\Administrators, vsphere.local\Everyone]] retrieved for {Name: user, Domain: example.com}
[2015-09-18T20:22:51.253+02:00 tomcat-http--46 vsphere.local f09bbe6f-2ff5-4a2c-b77e-ce8b2de4620a TRACE com.vmware.identity.saml.idm.IdmPrincipalAttributesExtractor] An attribute PrincipalAttribute [name=http://vmware.com/schemas/attr-names/2011/07/isSolution, format=urn:oasis:names:tc:SAML:2.0:attrname-format:uri, friendly name=Subject Type, value=[false]] retrieved for {Name: user, Domain: example.com}
[2015-09-18T20:22:51.253+02:00 tomcat-http--46 vsphere.local f09bbe6f-2ff5-4a2c-b77e-ce8b2de4620a TRACE com.vmware.identity.saml.idm.IdmPrincipalAttributesExtractor] An attribute PrincipalAttribute [name=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname, format=urn:oasis:names:tc:SAML:2.0:attrname-format:uri, friendly name=surname, value=null] retrieved for {Name: user, Domain: example.com}
[2015-09-18T20:22:51.253+02:00 tomcat-http--46 vsphere.local f09bbe6f-2ff5-4a2c-b77e-ce8b2de4620a TRACE com.vmware.identity.saml.idm.IdmPrincipalAttributesExtractor] An attribute PrincipalAttribute [name=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname, format=urn:oasis:names:tc:SAML:2.0:attrname-format:uri, friendly name=givenName, value=null] retrieved for {Name: user, Domain: example.com}
The domain controller (2008 R2) in my case adds "NT AUTHORITY\LogonSessionId_0_#######" (the number varies) to the user's groups. The inventory service can't resolve that domain and fails the logon attempt.
I suppose the unresolvable group should be ignored by the service instead of causing a logon failure. A possible workaround could be to exclude the unresolvable groups from the issued token, but I don't know if/how that can be changed.
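To check whether this is what is happening in your own environment, the two log excerpts above can be correlated mechanically: pull the Groups attribute out of the vmware-identity-sts.log TRACE line, split each group into its domain and name, compare the domains against the identity sources actually registered with SSO, and confirm that the domain inv-svc.log rejects is one of the unresolvable ones. The script below is an added example written for this post; it is not VMware code and not part of the original post. The sample log lines are constructed to match the formats quoted above, and the set of known SSO domains (vsphere.local and example.com) is an assumption that must be replaced with the identity sources configured in your SSO.

```python
"""Correlate SAML token group domains (vmware-identity-sts.log) with the domain
rejected by the inventory service (inv-svc.log)."""
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample lines, modelled on the log formats quoted in the post.
STS_TRACE_LINE = (
    r"[2015-09-18T20:22:51.253+02:00 tomcat-http--46 vsphere.local "
    r"f09bbe6f-2ff5-4a2c-b77e-ce8b2de4620a TRACE "
    r"com.vmware.identity.saml.idm.IdmPrincipalAttributesExtractor] An attribute "
    r"PrincipalAttribute [name=http://rsa.com/schemas/attr-names/2009/01/GroupIdentity, "
    r"format=urn:oasis:names:tc:SAML:2.0:attrname-format:uri, friendly name=Groups, "
    r"value=[example.com\Domain Users, NT AUTHORITY\LogonSessionId_0_1204365, "
    r"vsphere.local\Administrators, vsphere.local\Everyone]] retrieved for "
    r"{Name: user, Domain: example.com}"
)
INV_SVC_LINES = [
    "2015-09-18T21:11:52.612+02:00 [pool-16-thread-4 ERROR "
    "com.vmware.vim.vcauthenticate.servlets.AuthenticationHelper opId=290b1891] Invalid user",
    "com.vmware.vim.query.server.ssoauthentication.exception.InvalidUserException: "
    "Domain does not exist: NT AUTHORITY",
    "at com.vmware.vim.query.server.ssoauthentication.impl.DomainNameNormalizerImpl"
    ".toSsoDomain(DomainNameNormalizerImpl.java:55)",
    "2015-09-18T21:11:52.793+02:00 [pool-16-thread-4 INFO "
    "com.vmware.vim.query.server.authentication.impl.MoSessionManager opId=290b1891] "
    "Failed to login user with subject: {Name: user, Domain: example.com}",
]

# Assumption: the identity sources registered with SSO in this environment.
KNOWN_SSO_DOMAINS: Set[str] = {"vsphere.local", "example.com"}

GROUPS_RE = re.compile(
    r"friendly name=Groups, value=\[(?P<groups>.*?)\]\] retrieved for "
    r"\{Name: (?P<user>[^,]+), Domain: (?P<domain>[^}]+)\}"
)
INVALID_DOMAIN_RE = re.compile(r"InvalidUserException: Domain does not exist: (?P<domain>.+?)\s*$")
FAILED_LOGIN_RE = re.compile(r"Failed to login user with subject: \{Name: (?P<user>[^,]+), Domain: (?P<domain>[^}]+)\}")

Group = Tuple[Optional[str], str]  # (domain or None, group name)


def parse_token_groups(line: str) -> Optional[Tuple[str, str, List[Group]]]:
    """Return (user, user_domain, [(group_domain, group_name), ...]) from an
    IdmPrincipalAttributesExtractor TRACE line carrying the Groups attribute."""
    m = GROUPS_RE.search(line)
    if m is None:
        return None
    groups: List[Group] = []
    for entry in m.group("groups").split(", "):
        entry = entry.strip()
        if not entry:
            continue
        # Groups are written DOMAIN\name; anything without a backslash has no domain.
        domain, sep, name = entry.partition("\\")
        groups.append((domain, name) if sep else (None, entry))
    return m.group("user"), m.group("domain"), groups


def unresolvable_group_domains(groups: List[Group], known: Set[str]) -> Set[str]:
    """Group domains that do not match any registered SSO identity source."""
    known_lc = {d.lower() for d in known}
    return {d for d, _ in groups if d is not None and d.lower() not in known_lc}


def rejected_domains(lines: List[str]) -> List[str]:
    """Domains named in 'Domain does not exist' InvalidUserException lines."""
    return [m.group("domain") for ln in lines for m in [INVALID_DOMAIN_RE.search(ln)] if m]


def failed_subjects(lines: List[str]) -> List[Tuple[str, str]]:
    """(user, domain) pairs from 'Failed to login user with subject' lines."""
    return [(m.group("user"), m.group("domain")) for ln in lines for m in [FAILED_LOGIN_RE.search(ln)] if m]


def diagnose(sts_line: str, inv_lines: List[str], known: Set[str]) -> Dict[str, object]:
    """Tie the token contents to the inventory-service failure: the diagnosis is
    'consistent' when every rejected domain is one the token could not resolve."""
    parsed = parse_token_groups(sts_line)
    if parsed is None:
        raise ValueError("no Groups attribute found in STS trace line")
    user, user_domain, groups = parsed
    unresolvable = unresolvable_group_domains(groups, known)
    rejected = rejected_domains(inv_lines)
    return {
        "subject": (user, user_domain),
        "token_groups": groups,
        "token_unresolvable": unresolvable,
        "rejected": rejected,
        "failed_subjects": failed_subjects(inv_lines),
        "consistent": bool(rejected) and all(d in unresolvable for d in rejected),
    }


if __name__ == "__main__":
    result = diagnose(STS_TRACE_LINE, INV_SVC_LINES, KNOWN_SSO_DOMAINS)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run it against the real TRACE line for the failing user (enable TRACE logging on the STS first, as in the excerpt above) and the matching inv-svc.log lines; if "consistent" is true and the only unresolvable domain is NT AUTHORITY, the failure is the LogonSessionId group rather than a misconfigured identity source. Adding a domain to KNOWN_SSO_DOMAINS only changes what the script reports; it does not change what the inventory service accepts.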