Was fighting a strange logon issue with vSphere 5.5 SSO. After configuring SSO against Active Directory and testing logins with the temporary user account handed to me by the customer, all was fine. But when I had the customer test with their own account, he couldn’t login and received the following message through the vSphere Web Client:
“The authentication server returned an unexpected error: ns0:RequestFailed: Referral. The error may be caused by a malfunctioning identity source.”
A login using the good old vSphere Client presented this error: “Cannot complete login due to an incorrect user name or password”.
After doing more troubleshooting, I learned that only user accounts which are part of a group from a different domain gave an issue. For example:
- email@example.com is member of firstname.lastname@example.org can login fine
- email@example.com is member of firstname.lastname@example.org and email@example.com cannot login.
It seems that this only happens when talking to a Windows 2008R2 domain controller, but I haven’t been able to thoroughly test that.
The solution is quite simple:
In your SSO server go to configuration -> identity sources -> edit the domain. Make sure you use “Active Directory as LDAP Server” and enter the Primary and Secondary URLs with port number 3268, like this: ldap://server01.domain.com:3268
That should do the trick and your ns0:RequestFailed error should be gone.