Active Directory users with customized UPN user names cannot use Windows session credentials to log into the vSphere Client or vSphere Web Client (2036529) | VMware KB

  • You cannot log into the vSphere Web Client.
  • You cannot log into the vSphere Client.
  • vCenter Single Sign-On is installed on a Windows system.
  • The Use Windows Session Authentication option is selected during login.
  • Attempting to log in using the vSphere Client or vSphere Web Client fails with the pop-up message:

    Provided credentials are not valid
Active Directory users might have a custom suffix in their UPN instead of using the domain name as the suffix. For example, the user name alice@company.com can be customized to be alice@sales.company.com.

Active Directory users with these custom suffixes cannot log into the vSphere Web Client using Windows session credentials when vCenter Single Sign-On is installed on a Windows system.


In vSphere 5.1, when using the Active Directory Identity Source, you may see:

  • For example, in the imsRuntimeAudit.log file located in C:\Program Files\VMware\Infrastructure\sso server\, you see messages similar to:

    YYYY-DD-MM <time>, 1ed8d6200100007f06edfadabc610d7a,05c709320100007f21453d728d1866b0,,
    127.0.0.1,STS_TOKEN_ISSUE_EVENT,40001,FAIL,AUTHN_PRINCIPAL_NOT_FOUND,,SYSTEM,SYSTEM,
    SYSTEM,testuser@domain,SYSTEM,SYSTEM,,,,,,,,,,,,,,,,,,,,
    YYYY-DD-MM <time>,23105af20100007f2e3cf0f6af381ceb,05c709320100007f21453d728d1866b0,
    ,127.0.0.1,AUTHN_LOGIN_EVENT,13002,SUCCESS,AUTHN_METHOD_SUCCESS,
    1e0233bc0100007f67a934d5b646d074xE67y40+yxP,2263ca5e0100007f336bd4205d18be85,
    1ff067280100007f2cff84210a4226df,000000000000000000001000e0011000,testuser,testuser,
    vmuser,,,,,,000000000000000000001000f0022001,LDAP_Password,,,,,,,,,,,,,


    Later in the log, the session returns testuser@DOMAIN.LOCAL instead of testuser@domain. This indicates that the domain name does not follow UPN standards, which can cause the session to be rejected by the vSphere Client or vSphere Web Client.

  • Later in the same session, you see the domain name change:

    YYYY-DD-MM <time>,20e255360100007f66b9915ad8b4edaf,05c709320100007f21453d728d1866b0,,
    127.0.0.1,STS_TOKEN_ISSUE_EVENT,40001,SUCCESS,,,
    "CN=testuser,OU=DomainAdmins,OU=IS,OU=UserAccounts,DC=secure,DC=vmware,DC=com",
    1ff067280100007f2cff84210a4226df,000000000000000000001000e0011000,testuser@DOMAIN.LOCAL,
    Username,vmuser,,,,,,,,,,,,,,,,,,,,
    YYYY-DD-MM <time>, 7a19d5af0100007f1df41e934778df5c,05c709320100007f21453d728d1866b0,,127.0.0.1,
    AUTHN_LOGIN_EVENT,13002,SUCCESS,AUTHN_METHOD_SUCCESS,788d13750100007f0d8a101759ccde14O1GgM8kpOMe,
    2263ca5e0100007f336bd4205d18be85,1ff067280100007f2cff84210a4226df,000000000000000000001000e0011000,
    testuser,testuser,vmuser,,,,,,000000000000000000001000f0022001,LDAP_Password,,,,,,,,,,,,,
    YYYY-DD-MM <time>,0106993b0100007f36c0ae9603868840,05c709320100007f21453d728d1866b0,,127.0.0.1,
    STS_TOKEN_ISSUE_EVENT,40001,SUCCESS,,,2263ca5e0100007f336bd4205d18be85,
    1ff067280100007f2cff84210a4226df,000000000000000000001000e0011000,testuser@domain.local,
    testuser,vmuser,,,,,,,,,,,,,,,,,,,,


In vSphere 5.5, when using the Active Directory as an LDAP Server or the Active Directory (Integrated Windows Authentication) identity source, you may see:

  • In the ds.log, located at C:\ProgramData\VMware\Infrastructure\Inventory Service\Logs, you see entries similar to:

    [YYYY-MM-DD <time> pool-11-thread-1 INFO com.vmware.vim.sso.client.impl.SamlTokenImpl] SAML token for subject {Name: <User>, Domain: <Domain with Custom UPN>} successfully parsed from Element
    [YYYY-MM-DD <time> pool-11-thread-1 INFO com.vmware.vim.sso.client.impl.SamlTokenImpl] SAML token for subject {Name: InventoryService_2013.11.05_133314, Domain: vsphere.local} successfully parsed from Element
    [YYYY-MM-DD <time> pool-11-thread-1 INFO com.vmware.vim.sso.client.impl.SecurityTokenServiceImpl] Successfully acquired token for user: {Name: InventoryService_2013.11.05_133314, Domain: vsphere.local}
    [YYYY-MM-DD <time> pool-11-thread-1 INFO com.vmware.vim.sso.admin.client.vmomi.impl.AdminClientImpl] Client was created successfully
    [YYYY-MM-DD <time> pool-11-thread-1 ERROR com.vmware.vim.dataservices.ssoauthentication.impl.DomainNameNormalizerImpl] SSO Domain does not exist: <Domain with Custom UPN>
    [YYYY-MM-DD <time> pool-11-thread-1 ERROR com.vmware.vim.vcauthenticate.servlets.AuthenticationHelper] Invalid user
    com.vmware.vim.dataservices.ssoauthentication.exception.InvalidUserException: Domain does not exist: <Domain with Custom UPN>
        at com.vmware.vim.dataservices.ssoauthentication.impl.DomainNameNormalizerImpl.toVcDomain(DomainNameNormalizerImpl.java:45)
        at com.vmware.vim.dataservices.ssoauthentication.impl.SsoPrincipalFactoryImpl.nameFromPrincipalId(SsoPrincipalFactoryImpl.java:73)
        at com.vmware.vim.dataservices.ssoauthentication.impl.SsoPrincipalFactoryImpl.createUserPrincipal(SsoPrincipalFactoryImpl.java:124)
        at com.vmware.vim.dataservices.ssoauthentication.impl.SsoPrincipalFactoryImpl.createUserPrincipal(SsoPrincipalFactoryImpl.java:45)
        at com.vmware.vim.vcauthenticate.servlets.AuthenticationHelper.loginBySamlToken(AuthenticationHelper.java:181)
        at com.vmware.vim.query.server.authentication.impl.MoSessionManager.loginBySamlToken(MoSessionManager.java:62)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
        at java.lang.reflect.Method.invoke(Unknown Source)
        at com.vmware.vim.vmomi.server.impl.InvocationTask.run(InvocationTask.java:76)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
        at java.lang.Thread.run(Unknown Source)
    ...
    [YYYY-MM-DD <time> pool-11-thread-1 INFO com.vmware.vim.sso.client.impl.SamlTokenImpl] SAML token for subject {Name: <User>, Domain: <Domain with Custom UPN>} successfully parsed from Element
    [YYYY-MM-DD <time> pool-11-thread-1 INFO com.vmware.vim.vcauthorization.impl.AuthorizationManagerImpl] Computing permissions for <Custom UPN>\<User>
    [YYYY-MM-DD <time> pool-11-thread-1 INFO com.vmware.vim.vcauthorization.impl.AuthorizationManagerImpl] Session count for user [after add]: <Custom UPN>\<User> is 1
    [YYYY-MM-DD <time> pool-11-thread-1 INFO com.vmware.vim.vcauthenticate.servlets.AuthenticationHelper] User has no privileges.
    [YYYY-MM-DD <time> pool-11-thread-1 INFO com.vmware.vim.vcauthorization.impl.AuthorizationManagerImpl] Removed user data for: <Custom UPN>\<User>
    [YYYY-MM-DD <time> pool-11-thread-1 INFO com.vmware.vim.vcauthorization.impl.AuthorizationManagerImpl] Session count for user [after remove]: <Custom UPN>\<User> is 0
    [YYYY-MM-DD <time> pool-11-thread-1 ERROR com.vmware.vim.vcauthenticate.servlets.AuthenticationHelper] Authentication error: com.vmware.vim.vcauthenticate.exception.NoPrivilegesException
    [YYYY-MM-DD <time> pool-11-thread-1 INFO com.vmware.vim.query.server.authentication.impl.MoSessionManager] Unabled to complete login
    [YYYY-MM-DD <time> Thread-2 INFO com.vmware.vim.vcauthorization.impl.SessionAuthDataImpl] Session closed for principal: <Custom UPN>\<User>
    [YYYY-MM-DD <time> Thread-2 WARN com.vmware.vim.vcauthorization.impl.AuthorizationManagerImpl] Unable to find user data for user: <Custom UPN>\<User>


  • In the vmware-identity-sts.log, located at C:\ProgramData\VMware\CIS\runtime\VMwareSTS\logs, you see entries similar to:

    [YYYY-MM-DD <time> tomcat-http--7 TRACE com.vmware.identity.saml.idm.IdmPrincipalAttributesExtractor] 5 attributes retrieved for {Name: <User>, Domain: <Domain with Custom UPN>}
    [YYYY-MM-DD <time> tomcat-http--7 TRACE com.vmware.identity.saml.idm.IdmPrincipalAttributesExtractor] An attribute PrincipalAttribute [name=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname, format=urn:oasis:names:tc:SAML:2.0:attrname-format:uri, friendly name=givenName, value=[Rodney]] retrieved for {Name: <User>, Domain: <Domain with Custom UPN>}
    [YYYY-MM-DD <time> tomcat-http--7 TRACE com.vmware.identity.saml.idm.IdmPrincipalAttributesExtractor] An attribute PrincipalAttribute [name=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname, format=urn:oasis:names:tc:SAML:2.0:attrname-format:uri, friendly name=surname, value=[<User>]] retrieved for {Name: <User>, Domain: <Domain with Custom UPN>}
    [YYYY-MM-DD <time> tomcat-http--7 TRACE com.vmware.identity.saml.idm.IdmPrincipalAttributesExtractor] An attribute PrincipalAttribute [name=http://vmware.com/schemas/attr-names/2011/07/isSolution, format=urn:oasis:names:tc:SAML:2.0:attrname-format:uri, friendly name=Subject Type, value=[false]] retrieved for {Name: <User>, Domain: <Domain with Custom UPN>}
    [YYYY-MM-DD <time> tomcat-http--7 TRACE com.vmware.identity.saml.idm.IdmPrincipalAttributesExtractor] An attribute PrincipalAttribute [name=http://schemas.xmlsoap.org/claims/UPN, format=urn:oasis:names:tc:SAML:2.0:attrname-format:uri, friendly name=userPrincipalName, value=[<User>@<Domain with Custom UPN>]] retrieved for {Name: <User>, Domain: <Domain with Custom UPN>}

This issue has been resolved in:

  • VMware vCenter Server 5.5 Update 1. For more information, see the vCenter Server 5.5 Update 1 Release Notes.
  • VMware vCenter Server 5.1 Patch 1.

To work around this issue, use one of these options:

  • Log in without selecting the Use Windows Session Authentication option in the vSphere Client or the vSphere Web Client.
  • When vCenter Single Sign-On is installed on a Windows system, Active Directory users with custom suffixes must log into the vSphere Web Client or vSphere Client using their user name with the non-customized domain name as the suffix.

Note: If you encounter similar issues after upgrading to vCenter Server 5.1.0b, see AD users with customized UPN user names cannot log into vCenter Server after upgrade to vSphere 5.1.b (2044150).
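An added example (not part of the KB or of VMware's code) in Python: it parses imsRuntimeAudit.log records with the field layout quoted above, flags the AUTHN_PRINCIPAL_NOT_FOUND failures, pairs each with a later token issued in the same session for the same user under a different suffix, and derives the non-customized login name the workaround calls for. The sample records and ids are constructed, and the assumption that the AD domain's DNS name is the non-customized suffix (company.com in the KB's example) is mine.

```python
import csv
from collections import defaultdict
# Constructed imsRuntimeAudit.log excerpt (one CSV record per line, same field
# layout as the wrapped records quoted in the KB; ids and DN are made up).
SAMPLE_AUDIT = """\
2013-11-05 13:33:14,id0001,sess0001,,127.0.0.1,STS_TOKEN_ISSUE_EVENT,40001,FAIL,AUTHN_PRINCIPAL_NOT_FOUND,,SYSTEM,SYSTEM,SYSTEM,testuser@domain,SYSTEM,SYSTEM,,,
2013-11-05 13:33:15,id0002,sess0001,,127.0.0.1,STS_TOKEN_ISSUE_EVENT,40001,SUCCESS,,,"CN=testuser,OU=Users,DC=domain,DC=local",id0003,id0004,testuser@DOMAIN.LOCAL,Username,vmuser,,,
"""

def parse_audit(text):
    """One dict per record; 'principal' is the first field after the fixed
    header columns that looks like a UPN (user@suffix), else None."""
    records = []
    for row in csv.reader(text.splitlines()):
        if len(row) < 9:
            continue
        upn = next((f for f in row[9:] if "@" in f and "=" not in f), None)
        records.append({"session": row[2], "event": row[5], "result": row[7],
                        "reason": row[8], "principal": upn})
    return records

def principal_not_found(records):
    """Token-issue failures naming a principal SSO could not resolve (the KB symptom)."""
    return [(r["session"], r["principal"]) for r in records
            if r["event"] == "STS_TOKEN_ISSUE_EVENT" and r["result"] == "FAIL"
            and r["reason"] == "AUTHN_PRINCIPAL_NOT_FOUND"]

def suffix_rewrites(records):
    """Within one SSO session, pair a failed UPN with a later issued token for
    the same user but a different suffix (testuser@domain vs
    testuser@DOMAIN.LOCAL in the KB); suffixes compare case-insensitively."""
    failed = defaultdict(list)
    hits = []
    for r in records:
        if r["event"] != "STS_TOKEN_ISSUE_EVENT" or not r["principal"]:
            continue
        user, _, suffix = r["principal"].partition("@")
        if r["result"] == "FAIL":
            failed[r["session"]].append((user, suffix, r["principal"]))
            continue
        for f_user, f_suffix, f_upn in failed[r["session"]]:
            if f_user == user and f_suffix.lower() != suffix.lower():
                hits.append((r["session"], f_upn, r["principal"]))
    return hits

def fallback_login(upn, domain_dns_name):
    """The KB workaround: the same user with the non-customized suffix. Assumes the
    AD domain's DNS name is that suffix (company.com in the KB example)."""
    user, _, suffix = upn.partition("@")
    return upn if suffix.lower() == domain_dns_name.lower() else f"{user}@{domain_dns_name}"
```

Run `suffix_rewrites(parse_audit(open(path).read()))` over a real imsRuntimeAudit.log to list the sessions in which SSO issued a token under a suffix other than the one the user presented.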

  • VMware vSphere Web Client
  • VMware vSphere
  • VMware vCenter Server
  • VMware vSphere Web Client 5.5.x
  • VMware vSphere Web Client 5.1.x
  • VMware vCenter Server 5.5.x
  • VMware vCenter Server 5.1.x

Last updated: 2024-03-20 20:52:00