Slow vCenter Server 5.5 logins for domain users while email@example.com logs in fast
Chris Wahl had an interesting issue a couple of days ago on twitter.
Easy way to make the vSphere Web Client 100x faster – use the SSO Admin account. 🙁
— Chris Wahl (@ChrisWahl) 9. Juli 2014
So how would you go on with troubleshooting the issue as there are several components involved that could be the actual bottleneck. It could be an issue on the client side, in the Web Client / C# client itself, vCenter Server, the Inventory Service, SSO or the actual Active Directory infrastructure.
A good starting point before crawling into the logs is always to see if non domain users are affected as well (root on the vCenter Server Appliance, local admin on the Windows version and firstname.lastname@example.org in general). The next step is to see what happens with a wrong password, does it instantly fail or does it also take a long time.
If only domain logins are taking a long time and your structure is somehow complex you would start taking a look at the SSO logs first. Specifically at C:\ProgramData\VMware\CIS\logs\vmware-sso\vmware-sts-idmd.log.
If you see a certain spew of the following messages you should check your firewall settings and/or networking and DNS settings.
2014-07-10 11:14:47,163 WARN [WinDomainAdapter] Failed to process
trust with domain name blub.blab.com – Failed to get domain controller
information for blub.blab.com (dwError – 1355 – ERROR_NO_SUCH_DOMAIN)
In this case my customer had some firewalls blocking communication for trusted domain controllers which resulted in extremely high login times, as SSO was not able to properly authenticate the user in a timely manner. We managed to reduce the timeout from up to 2 minutes down to 15 seconds this way.
Otherwise you are kinda stuck with going from the top of the stack downwards to see where the issue lies. I will give an example in a follow up post once I get my Web Client to actually log again in the lab as what Chris was describing did not actually sound like the same issue after a couple of tweets of Q&A.