
Slow vCenter Server 5.5 logins for domain users while administrator@vsphere.local logs in fast

Chris Wahl had an interesting issue a couple of days ago on Twitter.

So how would you go about troubleshooting this, given that several components are involved and any of them could be the actual bottleneck? It could be an issue on the client side, in the Web Client / C# client itself, vCenter Server, the Inventory Service, SSO or the actual Active Directory infrastructure.

A good starting point before crawling into the logs is always to see if non-domain users are affected as well (root on the vCenter Server Appliance, local admin on the Windows version and administrator@vsphere.local in general). The next step is to see what happens with a wrong password: does it fail instantly, or does it also take a long time?

If only domain logins are taking a long time and your structure is somewhat complex, start by looking at the SSO logs, specifically C:\ProgramData\VMware\CIS\logs\vmware-sso\vmware-sts-idmd.log.

If you see a stream of the following messages, check your firewall settings and/or your networking and DNS settings.

2014-07-10 11:14:47,163 WARN   [WinDomainAdapter] Failed to process trust with domain name blub.blab.com – Failed to get domain controller information for blub.blab.com (dwError – 1355 – ERROR_NO_SUCH_DOMAIN)

In this case my customer had some firewalls blocking communication for trusted domain controllers, which resulted in extremely high login times, as SSO was not able to properly authenticate the user in a timely manner. We managed to reduce the timeout from up to 2 minutes down to 15 seconds this way.
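To see which trusted domains are behind the warnings, the log can be summarized per domain. The following is an added example, not part of the original post or any VMware tooling; it assumes each entry sits on one line in the format quoted above, and the function name and sample lines are constructed for illustration.

```python
import re
import sys
from collections import defaultdict
from datetime import datetime

# Matches the WinDomainAdapter warning quoted in the post. The separator may be
# "-" or an en dash, depending on how the line was copied.
TRUST_FAIL = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3}\s+WARN\s+\[WinDomainAdapter\]\s+"
    r"Failed to process trust with domain name (?P<domain>\S+)\s+[-\u2013]\s+.*?"
    r"\(dwError\s+[-\u2013]\s+(?P<code>\d+)\s+[-\u2013]\s+(?P<name>\w+)\)"
)

def summarize_trust_failures(lines):
    """Return {domain: {count, first, last, errors}} for failed trust lookups."""
    summary = defaultdict(lambda: {"count": 0, "first": None, "last": None, "errors": set()})
    for line in lines:
        m = TRUST_FAIL.match(line.strip())
        if not m:
            continue  # unrelated log entry
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        entry = summary[m["domain"].lower()]  # DNS names are case-insensitive
        entry["count"] += 1
        entry["first"] = ts if entry["first"] is None else min(entry["first"], ts)
        entry["last"] = ts if entry["last"] is None else max(entry["last"], ts)
        entry["errors"].add((int(m["code"]), m["name"]))
    return dict(summary)

# Constructed sample: the first line is the one from the post, the rest are made up.
SAMPLE_LOG = """\
2014-07-10 11:14:47,163 WARN   [WinDomainAdapter] Failed to process trust with domain name blub.blab.com \u2013 Failed to get domain controller information for blub.blab.com (dwError \u2013 1355 \u2013 ERROR_NO_SUCH_DOMAIN)
2014-07-10 11:14:52,040 INFO   [Constructed] unrelated entry that must be ignored
2014-07-10 11:16:31,502 WARN   [WinDomainAdapter] Failed to process trust with domain name BLUB.blab.com - Failed to get domain controller information for BLUB.blab.com (dwError - 1355 - ERROR_NO_SUCH_DOMAIN)
2014-07-10 11:16:33,910 WARN   [WinDomainAdapter] Failed to process trust with domain name other.example.test - Failed to get domain controller information for other.example.test (dwError - 1355 - ERROR_NO_SUCH_DOMAIN)
"""

if __name__ == "__main__":
    # Pass the path to vmware-sts-idmd.log, or run without arguments for the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            lines = fh.readlines()
    else:
        lines = SAMPLE_LOG.splitlines()
    for domain, e in sorted(summarize_trust_failures(lines).items(), key=lambda kv: -kv[1]["count"]):
        codes = ", ".join(f"{c} {n}" for c, n in sorted(e["errors"]))
        print(f"{domain}: {e['count']} failures, {e['first']} to {e['last']} ({codes})")
```

Each domain in the output is a trust whose domain controllers SSO could not locate, which gives a concrete list to check against firewall rules and DNS.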

Otherwise you are kinda stuck with going from the top of the stack downwards to see where the issue lies. I will give an example in a follow-up post once I get my Web Client to actually log again in the lab, as what Chris was describing did not actually sound like the same issue after a couple of tweets of Q&A.
