vCenter 5.1 SSO and failure to successfully authenticate users

I have experienced this problem with the 5.1 upgrade including the latest 5.1.0b. In fact the latest patch makes it impossible to add users explicitly via the vSphere client whereas previously I could do this.

 

The problem description is as follows:

  • Users do not authenticate via the web client or via the vSphere client
  • Users receive the error "Cannot complete login due to an incorrect user name or password" on the vSphere client
  • Users receive the error "The authentication server returned an unexpected error: ns0:RequestFailed: Internal Error while creating SAML 2.0 Token. The error may be caused by a malfunctioning identity source."

 

Things I have tried:

  • I have followed this article (http://kb.vmware.com/kb/2034798), but the solution regarding "RPC server not available" does not apply, as this does not appear in the logs
  • Added new domain users
  • Explicitly added users in the vSphere client, giving them full administrative privileges and propagating to all child objects
  • Domain groups which the users are part of (IT Operations) are added under SSO administrators group (SSO Users and Groups --> Groups --> __Administrators__ have the principals 'ITOperations' and 'Domain Admins' - they are both Active Directory groups)

 

Observations:

  • Putting the user in the 'Domain Admins' group allows the user to successfully log in to both the vSphere and web clients - obviously this is not a practical solution to the problem, but I am unsure as to why it works - members of the IT Operations group can successfully log in to the vCenter server, so I am also unsure as to what permissions would be required for this to work.
  • Granting users explicit access via the vSphere client used to work in the previous version of 5.1.0 - with 5.1.0b the users get the "Cannot complete login" error

 

Our set-up:

  • vCenter sits on Server 2008 R2 Enterprise
  • Active Directory runs in our environment and handles all log-ins - SSO should be set up to integrate itself with AD, but I am not sure why it's not working
  • 1 ESXi 5.0 host

 

imsTrace log:

2013-01-03 13:48:51,781, [castle-exec-1], (LocalisAccessHelper.java:567), trace.com.rsa.ims.localis.LocalisAccessHelper, DEBUG, vCenter.Company.local,,,,Invoking GetAllLocalOSDomains() Local OS call
2013-01-03 13:48:51,842, [castle-exec-1], (LocalisAccessHelper.java:575), trace.com.rsa.ims.localis.LocalisAccessHelper, DEBUG, vCenter.Company.local,,,,GetAllLocalOSDomains Local OS call status 0
2013-01-03 13:48:51,855, [castle-exec-1], (LocalisAccessHelper.java:523), trace.com.rsa.ims.localis.LocalisAccessHelper, DEBUG, vCenter.Company.local,,,,Invoking GetUserGroupsByName(COMPANY\vspheretest) Local OS call
2013-01-03 13:48:51,958, [castle-exec-1], (LocalisAccessHelper.java:531), trace.com.rsa.ims.localis.LocalisAccessHelper, DEBUG, vCenter.Company.local,,,,GetUserGroupsByName Local OS call status 6
2013-01-03 13:48:51,964, [castle-exec-1], (GroupAccessLocalIS.java:313), trace.com.rsa.ims.admin.dal.localis.PrincipalAccessLocalIS, DEBUG, vCenter.Company.local,,,,Lookup failure: [GroupInfo.c:254] NetUserGetLocalGroups failed: Access is denied.

 

2013-01-03 13:48:51,969, [castle-exec-1], (SecurityTokenServiceImpl.java:117), trace.com.rsa.riat.sts.impl.SecurityTokenServiceImpl, ERROR, vCenter.Company.local,,,,Error while trying to generate RequestSecurityTokenResponse
com.rsa.common.UnexpectedDataStoreException: Unexpected Local OS exception
    Caused by: com.rsa.ims.localis.LocalisAccessError: Local O/S Identity Source Error: LOCALIS_STATUS_INTERNAL, extended error: 5 : [GroupInfo.c:254] NetUserGetLocalGroups failed: Access is denied.

 

imsRuntimeAudit log:

2013-01-03 13:48:51,580, <longstring1>,<longstring2>,,192.168.0.110,AUTHN_LOGIN_EVENT,13002,SUCCESS,AUTHN_METHOD_SUCCESS,<longstring3>,<longstring4>,<longstring5>,<longstring6>,vspheretest,vspheretest,SYSTEM,,,,,,000000000000000000001000f0022001,LDAP_Password,,,,,,,,,,,,,

 

vpxd log:

2013-01-03T13:48:50.565Z [00620 info '[SSO]' opID=C001001B-00000004-3b] [UserDirectorySso] Authenticate(vspheretest, "not shown")
2013-01-03T13:48:52.049Z [00620 error '[SSO]' opID=C001001B-00000004-3b] [UserDirectorySso] AcquireToken SsoException: Unexpected SOAP fault: ns0:RequestFailed; request failed.
2013-01-03T13:48:52.049Z [00620 error 'authvpxdUser' opID=C001001B-00000004-3b] Failed to authenticate user <vspheretest>
2013-01-03T13:48:56.051Z [00620 info 'commonvpxLro' opID=C001001B-00000004-3b] [VpxLRO] -- FINISH task-internal-574 --  -- vim.SessionManager.login --
2013-01-03T13:48:56.051Z [00620 info 'Default' opID=C001001B-00000004-3b] [VpxLRO] -- ERROR task-internal-574 --  -- vim.SessionManager.login: vim.fault.InvalidLogin:
--> Result:
--> (vim.fault.InvalidLogin) {
-->    dynamicType = <unset>,
-->    faultCause = (vmodl.MethodFault) null,
-->    msg = "",
--> }
--> Args:
-->
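As an added example (not code from the post or from VMware), the following Python script runs over the log lines quoted above and separates the two things the logs record: the imsRuntimeAudit line shows the password was accepted (AUTHN_LOGIN_EVENT / SUCCESS), while the imsTrace lines show the later Local OS group lookup (GetUserGroupsByName, status 6) failing with Win32 "extended error" 5, which is the standard ERROR_ACCESS_DENIED code. The Win32 error names are standard Windows codes; every other field parsed is taken from the post.

```python
import re

# Sample input copied from the imsTrace, imsRuntimeAudit and STS exception excerpts in the post
# above (the opaque audit fields are shortened to "...").
IMSTRACE = r"""
2013-01-03 13:48:51,842, [castle-exec-1], (LocalisAccessHelper.java:575), trace.com.rsa.ims.localis.LocalisAccessHelper, DEBUG, vCenter.Company.local,,,,GetAllLocalOSDomains Local OS call status 0
2013-01-03 13:48:51,855, [castle-exec-1], (LocalisAccessHelper.java:523), trace.com.rsa.ims.localis.LocalisAccessHelper, DEBUG, vCenter.Company.local,,,,Invoking GetUserGroupsByName(COMPANY\vspheretest) Local OS call
2013-01-03 13:48:51,958, [castle-exec-1], (LocalisAccessHelper.java:531), trace.com.rsa.ims.localis.LocalisAccessHelper, DEBUG, vCenter.Company.local,,,,GetUserGroupsByName Local OS call status 6
2013-01-03 13:48:51,964, [castle-exec-1], (GroupAccessLocalIS.java:313), trace.com.rsa.ims.admin.dal.localis.PrincipalAccessLocalIS, DEBUG, vCenter.Company.local,,,,Lookup failure: [GroupInfo.c:254] NetUserGetLocalGroups failed: Access is denied.
"""
AUDIT = "2013-01-03 13:48:51,580, ...,...,,192.168.0.110,AUTHN_LOGIN_EVENT,13002,SUCCESS,AUTHN_METHOD_SUCCESS,...,...,...,...,vspheretest,vspheretest,SYSTEM,,,,,,000000000000000000001000f0022001,LDAP_Password,,,,,,,,,,,,,"
STS_ERROR = "Caused by: com.rsa.ims.localis.LocalisAccessError: Local O/S Identity Source Error: LOCALIS_STATUS_INTERNAL, extended error: 5 : [GroupInfo.c:254] NetUserGetLocalGroups failed: Access is denied."

# Standard Win32 system error codes that the Local OS identity source reports as "extended error".
WIN32_ERRORS = {5: "ERROR_ACCESS_DENIED", 1326: "ERROR_LOGON_FAILURE", 1355: "ERROR_NO_SUCH_DOMAIN"}

def localis_call_status(trace_text):
    """Return {call_name: status} for every 'X Local OS call status N' line; 0 means success."""
    return {m.group(1): int(m.group(2))
            for m in re.finditer(r"(\w+) Local OS call status (\d+)", trace_text)}

def lookup_failure(trace_text):
    """Return (win32_api, message) from a 'Lookup failure:' line, or None if there is none."""
    m = re.search(r"Lookup failure: \[[^\]]+\] (\w+) failed: (.+?)\.?$", trace_text, re.M)
    return (m.group(1), m.group(2)) if m else None

def password_accepted(audit_line, user):
    """True if the audit log recorded a successful AUTHN_LOGIN_EVENT for this user."""
    fields = [f.strip() for f in audit_line.split(",")]
    return "AUTHN_LOGIN_EVENT" in fields and "SUCCESS" in fields and user in fields

def win32_error(sts_error_line):
    m = re.search(r"extended error: (\d+)", sts_error_line)
    return WIN32_ERRORS.get(int(m.group(1)), f"unknown ({m.group(1)})") if m else None

def triage(user, audit_line, trace_text, sts_error_line):
    """Separate 'bad credentials' from 'token build failed after the password was accepted'."""
    statuses = localis_call_status(trace_text)
    return {
        "password_accepted": password_accepted(audit_line, user),
        "failed_calls": sorted(n for n, s in statuses.items() if s != 0),
        "lookup_failure": lookup_failure(trace_text),
        "win32_error": win32_error(sts_error_line),
    }

if __name__ == "__main__":
    print(triage("vspheretest", AUDIT, IMSTRACE, STS_ERROR))
```

A result with password_accepted True and a failed group lookup points at the SSO server's ability to enumerate the user's local groups rather than at the user's credentials, which matches the "malfunctioning identity source" wording in the web client error.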
