Channel: VMware Communities : Discussion List - vRealize Orchestrator

Running a workflow fails due to SSO issue


I'm experiencing issues executing a workflow in Orchestrator due to Single Sign-On issues. When I try to run the workflow from the Orchestrator client I get "SSO server error". When I try to run it via the vSphere web client I get "401 A delegate token is required. Use VCOAuthorization header to pass delegate token for vCO".

 

I've found numerous posts about this issue. Initially I had issues getting Orchestrator working from the web client, until I removed the local OS from Default Domains.

 

When I look in imsTrace on the SSO server I can see the following errors:

 

2014-07-02 20:53:48,750, [castle-exec-56], (IMSUtilImpl.java:451), trace.com.rsa.riat.utils.IMSUtil, DEBUG, vcenter,,,,Group membership count for user: 11

2014-07-02 20:53:48,751, [castle-exec-56], (IMSUtilImpl.java:115), trace.com.rsa.riat.utils.IMSUtil, DEBUG, vcenter,,,,Fetching nameInfo

2014-07-02 20:53:48,751, [castle-exec-56], (BaseSTSImpl.java:207), trace.com.rsa.riat.ws.security.trust.impl.BaseSTSImpl, DEBUG, vcenter,,,,Authentication is complete

2014-07-02 20:53:48,752, [castle-exec-56], (BaseSTSImpl.java:208), trace.com.rsa.riat.ws.security.trust.impl.BaseSTSImpl, DEBUG, vcenter,,,,Calling post authentication prcoessing

2014-07-02 20:53:48,752, [castle-exec-56], (BaseSTSImpl.java:270), trace.com.rsa.riat.ws.security.trust.impl.BaseSTSImpl, DEBUG, vcenter,,,,Creating token context

2014-07-02 20:53:48,752, [castle-exec-56], (WSTrustContractFactory.java:52), trace.com.rsa.riat.ws.security.trust.impl.WSTrustContractFactory, DEBUG, vcenter,,,,Looking up token generator for tokentype:urn:oasis:names:tc:SAML:2.0:assertion

2014-07-02 20:53:48,752, [castle-exec-56], (WSTrustContractFactory.java:56), trace.com.rsa.riat.ws.security.trust.impl.WSTrustContractFactory, DEBUG, vcenter,,,,Token generator for tokentype urn:oasis:names:tc:SAML:2.0:assertion = com.rsa.riat.ws.security.saml2.SAML20TokenContractImpl

2014-07-02 20:53:48,753, [castle-exec-56], (BaseSTSImpl.java:279), trace.com.rsa.riat.ws.security.trust.impl.BaseSTSImpl, DEBUG, vcenter,,,,TokenGenerator: class com.rsa.riat.ws.security.saml2.SAML20TokenContractImpl

2014-07-02 20:53:48,753, [castle-exec-56], (BaseSTSImpl.java:282), trace.com.rsa.riat.ws.security.trust.impl.BaseSTSImpl, DEBUG, vcenter,,,,invoking token generator

2014-07-02 20:53:48,753, [castle-exec-56], (IMSUtilImpl.java:354), trace.com.rsa.riat.utils.IMSUtil, DEBUG, vcenter,,,,Looking up user: vCO-146e...

2014-07-02 20:53:48,757, [castle-exec-56], (DirContextImpl.java:1551), trace.com.rsa.ims.connectionpool.jca.common.DirContextImpl, DEBUG, vcenter,,,,search( {OU=OU,DC=ad,DC=gsoa,DC=ddau}, {(&(&(objectClass=User)(objectcategory=person))(objectClass=user)(samaccountname=vCO-146efc...))}, {SearchControls( SUBTREE_SCOPE, 0, 120000, [ObjectGUID, comment, description, givenname, initials, mail, msds-user-account-control-computed, samaccountname, sn, unicodepwd, userAccountControl], false, false )} )

2014-07-02 20:53:48,760, [castle-exec-56], (PrincipalAccessSQL.java:1683), trace.com.rsa.ims.admin.dal.sql.PrincipalAccessSQL, DEBUG, vcenter,,,,SELECT IMS_PRINCIPAL.ID,IMS_PRINCIPAL.CERT_DN,IMS_PRINCIPAL.EMAIL,IMS_PRINCIPAL.FIRST_NAME,IMS_PRINCIPAL.MIDDLE_NAME,IMS_PRINCIPAL.LAST_NAME,IMS_PRINCIPAL.LOGINUID,IMS_PRINCIPAL.PASSWORD,IMS_PRINCIPAL.PRINCIPAL_IS_DESCRIPTION, IMS_PRINCIPAL_DATA.ID,IMS_PRINCIPAL_DATA.ROW_VERSION,IMS_PRINCIPAL_DATA.LAST_UPDATED_BY,IMS_PRINCIPAL_DATA.LAST_UPDATED_ON,IMS_PRINCIPAL_DATA.IDENTITY_SRC_ID,IMS_PRINCIPAL_DATA.IDENTITY_SRC_KEY,IMS_PRINCIPAL_DATA.OWNER_ID,IMS_PRINCIPAL_DATA.START_DATE,IMS_PRINCIPAL_DATA.EXPIRATION_DATE,IMS_PRINCIPAL_DATA.REGISTRATION_FLAG,IMS_PRINCIPAL_DATA.LOGINUID,IMS_PRINCIPAL_DATA.LOGIN_DATE,IMS_PRINCIPAL_DATA.ENABLE_FLAG,IMS_PRINCIPAL_DATA.IMPERSONATABLE_FLAG,IMS_PRINCIPAL_DATA.IMPERSONATOR_FLAG,IMS_PRINCIPAL_DATA.FAIL_PASSWORD_COUNT,IMS_PRINCIPAL_DATA.FAIL_PASSWORD_DATE,IMS_PRINCIPAL_DATA.FAIL_EMERGENCY_COUNT,IMS_PRINCIPAL_DATA.FAIL_EMERGENCY_DATE,IMS_PRINCIPAL_DATA.CHANGE_PASSWORD_FLAG,IMS_PRINCIPAL_DATA.CHANGE_PASSWORD_DATE,IMS_PRINCIPAL_DATA.LOCKOUT_FLAG,IMS_PRINCIPAL_DATA.EXPIRE_LOCKOUT_DATE,IMS_PRINCIPAL_DATA.EMERGENCY_LOCKOUT_FLAG,IMS_PRINCIPAL_DATA.EXPIRE_EMERGENCY_LOCKOUT_DATE,IMS_PRINCIPAL_DATA.NOTES,IMS_PRINCIPAL_DATA.AUTHENTICATOR_BIT_FLAGS,IMS_PRINCIPAL_DATA.ADMINISTRATOR_FLAG,IMS_PRINCIPAL_DATA.EXUID,IMS_PRINCIPAL_DATA.SECURITY_QUES_ANSWERS,IMS_PRINCIPAL_DATA.SECURITY_QUES_REQUIRED_AUTHN,IMS_PRINCIPAL_DATA.SECURITY_QUES_REQUIRED_REG,IMS_PRINCIPAL_DATA.SECURITY_QUES_LANGUAGE,IMS_PRINCIPAL_DATA.SECURITY_QUES_COUNTRY,IMS_PRINCIPAL_DATA.SECURITY_QUES_VARIANT,IMS_PRINCIPAL_DATA.SECURITY_QUES_RESET,IMS_PRINCIPAL_DATA.FIRST_RBA_AUTH_DATE,IMS_PRINCIPAL_DATA.LAST_USED_SECONDARY_AUTH FROM IMS_PRINCIPAL, (SELECT 
IMS_PRINCIPAL_DATA.ID,IMS_PRINCIPAL_DATA.ROW_VERSION,IMS_PRINCIPAL_DATA.LAST_UPDATED_BY,IMS_PRINCIPAL_DATA.LAST_UPDATED_ON,IMS_PRINCIPAL_DATA.IDENTITY_SRC_ID,IMS_PRINCIPAL_DATA.IDENTITY_SRC_KEY,IMS_PRINCIPAL_DATA.OWNER_ID,IMS_PRINCIPAL_DATA.START_DATE,IMS_PRINCIPAL_DATA.EXPIRATION_DATE,IMS_PRINCIPAL_DATA.REGISTRATION_FLAG,IMS_PRINCIPAL_DATA.LOGINUID,IMS_PRINCIPAL_LOGIN_DATE.LOGIN_DATE,IMS_PRINCIPAL_DATA.ENABLE_FLAG,IMS_PRINCIPAL_DATA.IMPERSONATABLE_FLAG,IMS_PRINCIPAL_DATA.IMPERSONATOR_FLAG,IMS_PRINCIPAL_DATA.FAIL_PASSWORD_COUNT,IMS_PRINCIPAL_DATA.FAIL_PASSWORD_DATE,IMS_PRINCIPAL_DATA.FAIL_EMERGENCY_COUNT,IMS_PRINCIPAL_DATA.FAIL_EMERGENCY_DATE,IMS_PRINCIPAL_DATA.CHANGE_PASSWORD_FLAG,IMS_PRINCIPAL_DATA.CHANGE_PASSWORD_DATE,IMS_PRINCIPAL_DATA.LOCKOUT_FLAG,IMS_PRINCIPAL_DATA.EXPIRE_LOCKOUT_DATE,IMS_PRINCIPAL_DATA.EMERGENCY_LOCKOUT_FLAG,IMS_PRINCIPAL_DATA.EXPIRE_EMERGENCY_LOCKOUT_DATE,IMS_PRINCIPAL_DATA.NOTES,IMS_PRINCIPAL_DATA.AUTHENTICATOR_BIT_FLAGS,IMS_PRINCIPAL_DATA.ADMINISTRATOR_FLAG,IMS_PRINCIPAL_DATA.EXUID,IMS_PRINCIPAL_DATA.SECURITY_QUES_ANSWERS,IMS_PRINCIPAL_DATA.SECURITY_QUES_REQUIRED_AUTHN,IMS_PRINCIPAL_DATA.SECURITY_QUES_REQUIRED_REG,IMS_PRINCIPAL_DATA.SECURITY_QUES_LANGUAGE,IMS_PRINCIPAL_DATA.SECURITY_QUES_COUNTRY,IMS_PRINCIPAL_DATA.SECURITY_QUES_VARIANT,IMS_PRINCIPAL_DATA.SECURITY_QUES_RESET,IMS_PRINCIPAL_DATA.FIRST_RBA_AUTH_DATE,IMS_PRINCIPAL_DATA.LAST_USED_SECONDARY_AUTH FROM IMS_PRINCIPAL_DATA WITH (NOLOCK) inner join IMS_PRINCIPAL_LOGIN_DATE on (IMS_PRINCIPAL_DATA.ID = IMS_PRINCIPAL_LOGIN_DATE.PRINCIPAL_ID) ) IMS_PRINCIPAL_DATA  WHERE UPPER(IMS_PRINCIPAL.LOGINUID) = UPPER(IMS_PRINCIPAL_DATA.LOGINUID) AND IMS_PRINCIPAL_DATA.IDENTITY_SRC_ID = '000000000000000000001000d0011000' AND  UPPER(IMS_PRINCIPAL.LOGINUID) = UPPER(?)   ORDER BY UPPER(IMS_PRINCIPAL.LOGINUID)

2014-07-02 20:53:48,760, [castle-exec-56], (IMSUtilImpl.java:262), trace.com.rsa.riat.utils.IMSUtil, DEBUG, vcenter,,,,Could not find user vCO-146efc... in domain null

2014-07-02 20:53:48,761, [castle-exec-56], (DelegateRequestValidator.java:97), trace.com.rsa.riat.ws.security.trust.WSTrustContract, ERROR, vcenter,,,,Delegate is invalid

com.rsa.riat.ws.security.trust.authn.AuthnPluginException: Authentication Failed
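
A triage sketch for the imsTrace excerpt above, added here as an example and not part of the original post or of any VMware/RSA tooling: it parses the entries and pairs each ERROR with the last failed principal lookup on the same thread, so the "Delegate is invalid" failure is reported together with the account and domain that could not be resolved. The field layout, function names and the one entry on thread castle-exec-57 are assumptions made for the example; the other sample entries are taken from the post.

```python
import re

# Field layout inferred from the imsTrace lines quoted in the post (an assumption):
# timestamp, [thread], (File.java:line), logger, LEVEL, context,,,,message
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}), \[(?P<thread>[^\]]+)\], "
    r"\((?P<src>[^)]+)\), (?P<logger>\S+), (?P<level>[A-Z]+), (?P<ctx>[^,]*),,,,(?P<msg>.*)$"
)
MISSING_RE = re.compile(r"Could not find user (?P<user>\S+) in domain (?P<domain>\S+)")

def parse(text):
    """Return one dict per log entry. Lines that do not start a new entry
    (stack traces, wrapped SQL) are attached to the entry they follow."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m:
            entries.append({**m.groupdict(), "extra": []})
        elif entries:
            entries[-1]["extra"].append(line)
    return entries

def triage(text):
    """Pair each ERROR with the last failed principal lookup on the same thread."""
    last_miss, findings = {}, []
    for e in parse(text):
        miss = MISSING_RE.search(e["msg"])
        if miss:
            last_miss[e["thread"]] = miss.groupdict()
        elif e["level"] == "ERROR":
            cause = last_miss.pop(e["thread"], {})
            findings.append({"ts": e["ts"], "thread": e["thread"], "error": e["msg"],
                             "user": cause.get("user"), "domain": cause.get("domain"),
                             "detail": e["extra"]})
    return findings

# Sample input: entries from the post, plus one constructed entry on castle-exec-57
# to show that correlation is done per thread.
SAMPLE = """
2014-07-02 20:53:48,751, [castle-exec-56], (BaseSTSImpl.java:207), trace.com.rsa.riat.ws.security.trust.impl.BaseSTSImpl, DEBUG, vcenter,,,,Authentication is complete
2014-07-02 20:53:48,755, [castle-exec-57], (IMSUtilImpl.java:115), trace.com.rsa.riat.utils.IMSUtil, DEBUG, vcenter,,,,Fetching nameInfo
2014-07-02 20:53:48,760, [castle-exec-56], (IMSUtilImpl.java:262), trace.com.rsa.riat.utils.IMSUtil, DEBUG, vcenter,,,,Could not find user vCO-146efc... in domain null
2014-07-02 20:53:48,761, [castle-exec-56], (DelegateRequestValidator.java:97), trace.com.rsa.riat.ws.security.trust.WSTrustContract, ERROR, vcenter,,,,Delegate is invalid
com.rsa.riat.ws.security.trust.authn.AuthnPluginException: Authentication Failed
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```
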

