Some customers are still running into issues when logging into the vSphere Client and we want to re-publicize the fix for this. If you see either of the following two messages:
unknown user or bad password
The authentication server returned an unexpected error: ns0:RequestFailed: Internal Error while creating SAML 2.0 Token. The error may be caused by a malfunctioning identity source.
This is caused by a configuration issue: groups on the local Operating System contain Active Directory users. There is an easy fix, removing the localOS identity source from vCenter Server Single Sign-On (SSO). All of the steps are detailed in KB article: Logging in to the vSphere Web Client fails with the error: ns0:RequestFailed: Internal Error while creating SAML 2.0 Token (2043070), but you can think of this post as an addendum.
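Before removing the identity source, it helps to confirm that the root cause described above actually applies to your host. The following script is an added example, not part of the KB article or any VMware tooling; it assumes it is run on the Windows machine hosting vCenter Server / SSO and uses the WinNT ADSI provider (available on old PowerShell versions, no extra modules) to list every local group member whose account does not live in the local SAM.

```powershell
# Added example (not from the KB): enumerate local groups on this host and
# report members that come from somewhere other than the local machine,
# i.e. Active Directory accounts or well-known NT AUTHORITY principals.
# Assumes it runs on the vCenter Server / SSO host itself.
$computer    = $env:COMPUTERNAME
$localPrefix = "WinNT://$computer/"

# All objects under WinNT://<computer> whose schema class is 'group'
$groups = ([ADSI]"WinNT://$computer").Children |
    Where-Object { $_.SchemaClassName -eq 'group' }

foreach ($group in $groups) {
    # Invoke the IADsGroup::Members method through the COM interface
    $members = @($group.psbase.Invoke('Members'))
    foreach ($member in $members) {
        $path = $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
        $name = $member.GetType().InvokeMember('Name',    'GetProperty', $null, $member, $null)

        # Local accounts resolve to WinNT://<computer>/<name>; anything else
        # (WinNT://<DOMAIN>/<user>, WinNT://NT AUTHORITY/...) is non-local.
        if ($path -notlike "$localPrefix*") {
            [pscustomobject]@{
                LocalGroup = $group.psbase.Name
                Member     = $name
                Source     = $path
            }
        }
    }
}
```

Rows whose Source starts with WinNT://<your AD domain>/ are the domain users and groups in local OS groups that the article refers to. Entries under NT AUTHORITY (for example Authenticated Users) are built-in principals and can be ignored for this purpose.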
Before you go ahead and remove the local identity source, be aware that any local users will no longer have login access once the local identity source is removed. Also, a domain account should be configured with SSO administrative privileges before removing the identity source.
To remove the identity source, log in to the Web Client using the SSO administrator (admin@system-domain), go to Administration, then Configuration under Sign-On and Discovery, and then remove the Local Identity Source (local machine name) as shown.
A couple of common questions:
Q – What if I can’t log in with SSO Administrator credentials?
A – See Unlocking and resetting the vCenter Single Sign On (SSO) administrator password (2034608)
Q – How do I add an SSO administrator?
A – Log in to the vSphere Web Client as an SSO administrator. By default, this user is admin@system-domain.
In the home page, click Administration > Access > SSO Users and Groups.
Click on the plus sign and add account from identity source.