vmware-archive/admiral

Cannot login with domain accounts to Management Portal in VIC 1.4.3

Tal8JB opened this issue · 5 comments

Attempting to log in to the Management Portal on port 8282 with a domain account from the VIC 1.4.3 OVA results in the ERR_INVALID_RESPONSE error shown in the attached screenshot in Chrome.

image

Logging in with @vsphere.local accounts works as expected.

  • Steps to reproduce

    • Deploy 1.4.3 OVA
    • Follow the Getting Started instructions from port 9443
    • Click on link for Management Portal
    • Login to vCenter SSO with Active Directory domain account

Redirect request size from PSC:

image

Hello @Tal8JB,
This sounds similar to issue #186. Can you check how many groups the user is a member of?

Hi @lazarin,

The user is a member of 350 groups.

I did some tests, but the size of the token varies based on the number of groups and their names, and on the certificate chain too.
With a user who is a member of 350 nested groups, the size of the request was 59K and the login was successful, but still painfully slow (~2min). An attempt with 400 groups reproduces the reported behaviour, as the vSphere's PSC is 'overloaded' and times out.
The only workaround I see for now is working with principals with fewer groups.

Yes, domain accounts that have fewer group memberships are working fine.
Thanks for the help @lazarin

In VIC 1.5.1 the limits were raised, but the SSO token exchange with PSC is still slow and could take minutes.