VMware vSphere


Active Directory Authentication

  • 1.  Active Directory Authentication

    Posted Mar 24, 2016 02:04 PM

    Has anyone had issues with ESXi 6 update 2 and Active Directory authentication?  It appears to join the domain just fine (the server object gets created in AD) but I can't log in.  I can ping the domain and all the dcs.  DNS is pointed at a DC.

    : Failed to group memberships of SID=(My User SID HERE). [error code:40286]

    20160324135215:INFO:lsass:LsaDmpLdapReconnectCallback():lsadm.c:3214: Clearing ldap DC connection list for domain 'Domain.com' due to a network error.

    20160324135215:DEBUG:LwLdapDirectorySearchEx():lwldap.c:791: [LwLdapDirectorySearchEx() ../lwadvapi/threaded/lwldap.c:791] Ldap error code: 40286

    20160324135215:DEBUG:LwLdapDirectoryExtendedDNSearch():lwldap.c:1962: [LwLdapDirectoryExtendedDNSearch() ../lwadvapi/threaded/lwldap.c:1962] Error code: 40286 (symbol: <null>)

    20160324135215:DEBUG:lsass:LsaDmLdapDirectoryExtendedDNSearch():lsadm.c:3568: Error code: 40286 (symbol: LW_ERROR_LDAP_SERVER_DOWN)

    20160324135215:DEBUG:lsass:ADLdap_GetAttributeValuesList():adldap.c:1366: Error code: 40286 (symbol: LW_ERROR_LDAP_SERVER_DOWN)

    20160324135215:DEBUG:lsass:ADLdap_GetObjectGroupMembership():adldap.c:1688: Error code: 40286 (symbol: LW_ERROR_LDAP_SERVER_DOWN)

    20160324135215:ERROR:lsass:ADLdap_GetObjectGroupMembership():adldap.c:1757: Failed to group memberships of SID=(My User SID HERE). [error code:40286]

    20160324135215:DEBUG:lsass:AD_PacMembershipFilterWithLdap():online.c:1162: Error code: 40286 (symbol: LW_ERROR_LDAP_SERVER_DOWN)

    20160324135215:DEBUG:lsass:AD_CacheGroupMembershipFromPac():online.c:1353: Error code: 40286 (symbol: LW_ERROR_LDAP_SERVER_DOWN)

    20160324135215:DEBUG:lsass:AD_OnlineCheckUserPassword():online.c:1816: Error code: 40286 (symbol: LW_ERROR_LDAP_SERVER_DOWN)

    20160324135215:DEBUG:lsass:AD_OnlineAuthenticateUserPam():online.c:1909: Error code: 40286 (symbol: LW_ERROR_LDAP_SERVER_DOWN)

    20160324135215:DEBUG:lsass:LsaSrvAuthenticateUserPam():auth.c:120: Error code: 40286 (symbol: LW_ERROR_LDAP_SERVER_DOWN)

    20160324135215:ERROR:lsass:LsaSrvAuthenticateUserPam():auth.c:174: Failed to authenticate user (name = 'User@Domain.com') -> error = 40286, symbol = LW_ERROR_LDAP_SERVER_DOWN, client pid = 35954

    20160324135215:VERBOSE:lsass-ipc:lwmsg_peer_task_handle_assoc_error():peer-task.c:895: (assoc:0x1f1013b0) Dropping: Connection closed by peer

    20160324135215:DEBUG:LwKrb5SetThreadDefaultCachePath():lwkrb5.c:410: Switched gss krb5 credentials path from <null> to FILE:/etc/likewise/lib/krb5cc_lsass.Domain.com

    20160324135215:VERBOSE:lsass:AD_CheckExpiredObject():online.c:2001: Using cache entry for sid S-1-5-21-3658379808-1708799015-1379952707-83163, updated 1044 seconds ago

    20160324135215:DEBUG:LwKrb5SetThreadDefaultCachePath():lwkrb5.c:410: Switched gss krb5 credentials path from <null> to FILE:/etc/likewise/lib/krb5cc_lsass.Domain.com

    20160324135215:VERBOSE:lsass:AD_CheckExpiredObject():online.c:2001: Using cache entry for sid S-1-5-21-3658379808-1708799015-1379952707-83163, updated 1044 seconds ago

    20160324135217:VERBOSE:lsass:LsaSrvIpcCheckPermissions():ipc_state.c:79: Permission granted for (uid = 0, gid = 0, pid = 84440) to open LsaIpcServer

    20160324135217:VERBOSE:lsass-ipc:lwmsg_peer_log_accept():peer-task.c:271: (session:af426f444a751a18-231291411ab31d27) Accepted association 0x1f0f7228

    20160324135217:VERBOSE:lsass-ipc:lwmsg_peer_task_handle_assoc_error():peer-task.c:895: (assoc:0x1f0f7228) Dropping: Connection closed by peer

    20160324135217:VERBOSE:lsass:LsaSrvIpcCheckPermissions():ipc_state.c:79: Permission granted for (uid = 0, gid = 0, pid = 84440) to open LsaIpcServer

    20160324135217:VERBOSE:lsass-ipc:lwmsg_peer_log_accept():peer-task.c:271: (session:f3984d013795f5fb-7c033ed7f8e93f5a) Accepted association 0x1f0b9e18

    20160324135217:VERBOSE:lsass-ipc:lwmsg_peer_task_handle_assoc_error():peer-task.c:895: (assoc:0x1f0b9e18) Dropping: Connection closed by peer

    20160324135217:VERBOSE:lsass:LsaSrvIpcCheckPermissions():ipc_state.c:79: Permission granted for (uid = 0, gid = 0, pid = 84441) to open LsaIpcServer

    20160324135217:VERBOSE:lsass-ipc:lwmsg_peer_log_accept():peer-task.c:271: (session:fec44f4ec5ad69a5-a9c45595908d5eae) Accepted association 0x1f1013b0

    20160324135217:VERBOSE:lsass-ipc:lwmsg_peer_task_handle_assoc_error():peer-task.c:895: (assoc:0x1f1013b0) Dropping: Connection closed by peer

    20160324135217:VERBOSE:lsass:LsaSrvIpcCheckPermissions():ipc_state.c:79: Permission granted for (uid = 0, gid = 0, pid = 84441) to open LsaIpcServer

    20160324135217:VERBOSE:lsass-ipc:lwmsg_peer_log_accept():peer-task.c:271: (session:734c74cc6f62b2b3-7438b01d2ca183ef) Accepted association 0x1f0f7228

    20160324135217:VERBOSE:lsass-ipc:lwmsg_peer_task_handle_assoc_error():peer-task.c:895: (assoc:0x1f0f7228) Dropping: Connection closed by peer

    20160324135217:DEBUG:LwKrb5SetThreadDefaultCachePath():lwkrb5.c:410: Switched gss krb5 credentials path from <null> to FILE:/etc/likewise/lib/krb5cc_lsass.Domain.com

    20160324135217:DEBUG:lsass:MemCacheFindUserByName():memcache.c:937: Error code: 40017 (symbol: LW_ERROR_NOT_HANDLED)

    20160324135217:DEBUG:lsass:LsaSrvFindProviderByName():state.c:128: Error code: 40040 (symbol: LW_ERROR_INVALID_AUTH_PROVIDER)

    20160324135217:DEBUG:lsass:LsaSrvProviderServicesDomain():provider.c:151: Error code: 40040 (symbol: LW_ERROR_INVALID_AUTH_PROVIDER)

    20160324135217:DEBUG:LwLdapDirectorySearch():lwldap.c:716: [LwLdapDirectorySearch() ../lwadvapi/threaded/lwldap.c:716] Ldap error code: 40286

    20160324135217:INFO:netlogon:LWNetSrvGetDCName():dcinfo.c:97: Looking for a DC in domain 'Domain.com', site '<null>' with flags 0

    20160324135217:DEBUG:lsass:LsaLdapOpenDirectoryWithReaffinity():lsaldap.c:152: Using DC 'DC.Domain.com' for domain 'Domain.com' (affinitization attempt 0)

    20160324135217:DEBUG:LwKrb5CheckInitiatorCreds():lwkrb5.c:1601: GSS API error calling gss_init_sec_context(): majorStatus = 0x00000001 (The routine must be called again to complete its function), minorStatus = 0x00000000 (Unknown error)



  • 2.  RE: Active Directory Authentication

    Posted Mar 27, 2016 01:34 AM

    Have you logged in as administrator@vsphere.local and checked that the account you are trying to use has the correct permissions? I have a VSphereAdmins group in AD which is added to vCenter.

    See here if you have completed this step:

    vSphere 5.5 Documentation Center

    Brad



  • 3.  RE: Active Directory Authentication

    Posted Mar 27, 2016 11:47 AM

    try restarting the Lsassd daemon


    /etc/init.d/lsassd stop

    /etc/init.d/lsassd start

    I am not sure about this, but do we need to add permissions on the ESXi hosts once authentication is enabled for the user to actually log in?



  • 4.  RE: Active Directory Authentication

    Posted Apr 04, 2016 10:55 AM

    We are having the exact same issue with our ESXi 6 update 2 hosts. The hosts can be joined to our domain and we can add permissions for domain users/groups via vSphere client.

    However, domain users cannot authenticate with their password. Interestingly, a domain user can log in via the vSphere option "use Windows session credentials".

    DNS also points to one of our DCs.

    We also tried restarting the lsass services to no avail.

    20160329130837:VERBOSE:lsass: Permission granted for (uid = 0, gid = 0, pid = 349457) to open LsaIpcServer

    20160329130837:VERBOSE:lsass-ipc: (session:67f033cf66e0141f-f995dadfb2442bb7) Accepted association 0x1f0a78a0

    20160329130837:INFO:netlogon: Looking for a DC in domain 'our.domain', site '<null>' with flags 100

    20160329130837:INFO:netlogon: Looking for a DC in domain 'our.domain', site '<null>' with flags 100

    20160329130837:INFO:netlogon: Looking for a DC in domain 'our.domain', site '<null>' with flags 140

    20160329130837:VERBOSE:lsass-ipc: (assoc:0x1f0a78a0) Dropping: Connection closed by peer

    20160329130837:VERBOSE:lsass: Permission granted for (uid = 0, gid = 0, pid = 349458) to open LsaIpcServer

    20160329130837:VERBOSE:lsass-ipc: (session:103d002412d1e245-5cb0f43b154fb2fc) Accepted association 0x1f0a78a0

    20160329130837:INFO:netlogon: Looking for a DC in domain 'our.domain', site '<null>' with flags 0

    20160329130838:VERBOSE:lsass-ipc: (assoc:0x1f0a78a0) Dropping: Connection closed by peer



  • 5.  RE: Active Directory Authentication

    Posted Apr 05, 2016 07:01 PM

    I'm having this exact same problem since upgrading. If I specifically add the user's account, all is well.



  • 6.  RE: Active Directory Authentication

    Posted Apr 07, 2016 11:14 PM

    Same problem here, 6.0 U2, server is joined to domain, rebooted, I can't log in as an AD user that is a member of the AD group we have defined in Config.HostAgent.plugins.hostsvc.esxAdminsGroup. Logging in with the root account, I can see that the AD group we configured is assigned the Administrator role.

    vSphere Client error is "Cannot complete login due to an incorrect user name or password."

    likewise.log error is:

    20160407224921:ERROR:lsass: Failed to group memberships of SID=<SIDREMOVED>. [error code:40286]

    20160407224921:ERROR:lsass: Failed to authenticate user (name = 'domain\useraccount') -> error = 40286, symbol = LW_ERROR_LDAP_SERVER_DOWN, client pid = 35224

    But if I try to log in as the same exact user when checking "Use Windows session credentials" I get "The vSphere Client could not connect to <server>.  You do not have permission to login to the server"

    20160407230013:ERROR:lsass: Failed to group memberships of SID=S-1-5-21-3631833995-499989989-2000863303-7251979. [error code:40286]

    20160407230013:ERROR:lsass: Failed to find memberships for user 'DOMAIN\USERACCOUNT' (error = 40286)

    Adding my AD user account with Administrator permission while logged in with the client to the host, I am permitted to log in after that.



  • 7.  RE: Active Directory Authentication

    Posted Apr 08, 2016 12:06 AM

    Hi,

    Have you tried removing the Identity Source and adding it again?

    Also, have you tried having the user enter domain/user and password manually? Does it work?

    Is the Identity Source using Active Directory or LDAP? Also, the Base DN for Users should point to the root and not to Groups.

    When using LDAP, the port should be 3268.

    Try those to see if it fixes the issue.



  • 8.  RE: Active Directory Authentication

    Posted Apr 08, 2016 03:34 PM

    I'm using AD. I did remove and re-add it as the authentication method. I also removed the host from the domain, deleted it in AD, then joined it again.

    If I put in domain/user and password manually, it does not work.


    If I do an "Add permissions" and specify the user's AD account, everything returns to normal.



  • 9.  RE: Active Directory Authentication

    Posted Apr 09, 2016 12:04 PM

    Hi,

    After you remove and add Identity Sources, you may lose User Permissions, so you should add them again.



  • 10.  RE: Active Directory Authentication

    Posted Apr 11, 2016 03:05 PM

    Hi,

    At least in our case that didn't help. After changing the identity source I deleted and added all permissions for domain users, but these users are still not able to log in (incorrect user name or password).



  • 11.  RE: Active Directory Authentication

    Posted May 24, 2016 08:28 PM

    We are also having this problem. I have two different ESXi 6.0.0 hosts, upgraded to build 3825889, and both are unable to authenticate users to Active Directory. I have:

    - Enabled the lwsmd service

    - Un-joined and re-joined the domain (this works normally)

    - Added permissions by user and group (Permissions dialog has no trouble looking up users or groups as long as lwsmd is running)

    - Allowed outbound "NFS Client" access (per instructions for ESXi 5.x: VMware KB: ESXi 5.x host connects to domain but users cannot authenticate)

    My ESXi (standalone) and vCenter version 5.5 clients can all authenticate to this domain just fine.

    Errors from hostd.log:

    [module:pam_lsass]pam_do_authenticate: error [login:username@domain.suffix][error code:40286]

    [module:pam_lsass]pam_sm_authenticate: failed [error code:40286]

    pam_succeed_if(vmware-authd:auth): error retrieving information about user username@domain.suffix

    pam_succeed_if(vmware-authd:auth): error retrieving information about user username@domain.suffix

    pam_unix(vmware-authd:auth): check pass; user unknown

    pam_unix(vmware-authd:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=

    Rejected password for user username@domain.suffix from <IP address of my workstation>

    Errors from syslog.log:

    lwsmd: encoded packet size too big (4830 > 4096)

    lwsmd: [lsass] Failed to authenticate user (name = 'username@domain.suffix') -> error = 40286, symbol = LW_ERROR_LDAP_SERVER_DOWN, client pid = 34329

    2016-05-24T20:02:10Z lwsmd: [netlogon] Looking for a DC in domain 'domain.suffix', site '<null>' with flags 0

    2016-05-24T20:02:11Z lwsmd: [lsass] Clearing ldap DC connection list for domain 'domain.suffix' due to a network error.
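    The posts in this thread quote three different log formats for the same failure (likewise.log with a 14-digit timestamp and function/file/line fields, syslog.log with ISO timestamps and a bracketed component, and hostd.log pam_lsass lines with no timestamp), and the useful signal is buried among DEBUG and VERBOSE noise. The parser below is an added example written for this page, not VMware's or Likewise's code: it normalises lines from all three formats, pulls out the error code, symbol, user and domain, and reports whether the failures are the LW_ERROR_LDAP_SERVER_DOWN (40286) pattern seen here rather than a genuine credential rejection. The sample lines are constructed in the shape of the excerpts above; users, domains, SIDs and pids are placeholders, and the `triage` and `classify` function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample, modelled on the likewise.log, syslog.log and hostd.log
# excerpts quoted in this thread. Users, domains, SIDs and pids are placeholders.
SAMPLE_LOG = """\
20160324135215:INFO:lsass:LsaDmpLdapReconnectCallback():lsadm.c:3214: Clearing ldap DC connection list for domain 'Domain.com' due to a network error.
20160324135215:DEBUG:LwLdapDirectorySearchEx():lwldap.c:791: [LwLdapDirectorySearchEx() ../lwadvapi/threaded/lwldap.c:791] Ldap error code: 40286
20160324135215:DEBUG:lsass:ADLdap_GetObjectGroupMembership():adldap.c:1688: Error code: 40286 (symbol: LW_ERROR_LDAP_SERVER_DOWN)
20160324135215:ERROR:lsass:ADLdap_GetObjectGroupMembership():adldap.c:1757: Failed to group memberships of SID=S-1-5-21-1111-2222-3333-1001. [error code:40286]
20160324135215:ERROR:lsass:LsaSrvAuthenticateUserPam():auth.c:174: Failed to authenticate user (name = 'alice@Domain.com') -> error = 40286, symbol = LW_ERROR_LDAP_SERVER_DOWN, client pid = 35954
20160329130837:VERBOSE:lsass: Permission granted for (uid = 0, gid = 0, pid = 349457) to open LsaIpcServer
2016-05-24T20:02:10Z lwsmd: encoded packet size too big (4830 > 4096)
2016-05-24T20:02:10Z lwsmd: [netlogon] Looking for a DC in domain 'domain.suffix', site '<null>' with flags 0
2016-05-24T20:02:11Z lwsmd: [lsass] Failed to authenticate user (name = 'bob@domain.suffix') -> error = 40286, symbol = LW_ERROR_LDAP_SERVER_DOWN, client pid = 34329
[module:pam_lsass]pam_do_authenticate: error [login:bob@domain.suffix][error code:40286]
"""

# likewise.log: YYYYMMDDHHMMSS:LEVEL[:component][:func():file:line]: message
LIKEWISE_RE = re.compile(
    r"^(?P<ts>\d{14}):(?P<level>[A-Z]+):"
    r"(?:(?P<component>[\w-]+):)?"
    r"(?:(?P<func>\w+\(\)):(?P<file>[\w.-]+):(?P<line>\d+):)? (?P<msg>.*)$"
)
# syslog.log: ISO timestamp, "lwsmd:", optional [component], message
SYSLOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) lwsmd: "
    r"(?:\[(?P<component>\w+)\] )?(?P<msg>.*)$"
)
# hostd.log pam lines in the excerpt carry no timestamp; the module is the component
PAM_RE = re.compile(r"^\[module:(?P<component>\w+)\](?P<msg>.*)$")
FORMATS = (("likewise", LIKEWISE_RE), ("syslog", SYSLOG_RE), ("hostd", PAM_RE))

# Field extractors that work on the message part of any format
ERROR_CODE_RE = re.compile(r"error(?: code:| = )\s*(\d+)", re.IGNORECASE)
SYMBOL_RE = re.compile(r"symbol\s*[:=]\s*(\w+)")
USER_RE = re.compile(r"(?:name = '|login:)([^'\]]+)")
DOMAIN_RE = re.compile(r"domain '([^']+)'")


def parse_line(line):
    """Normalise one log line from any of the three formats into a common dict."""
    source, fields = "unknown", {"msg": line}
    for name, rx in FORMATS:
        m = rx.match(line)
        if m:
            source, fields = name, m.groupdict()
            break
    msg = fields["msg"]

    def grab(rx):
        m = rx.search(msg)
        return m.group(1) if m else None

    return {
        "source": source,
        "ts": fields.get("ts"),
        "level": fields.get("level"),
        "component": fields.get("component"),
        "func": fields.get("func"),
        "msg": msg,
        "code": grab(ERROR_CODE_RE),
        "symbol": grab(SYMBOL_RE),
        "user": grab(USER_RE),
        "domain": grab(DOMAIN_RE),
    }


def classify(codes, symbols, dc_dropped, packet_too_big):
    """Map the extracted evidence onto the failure mode discussed in this thread."""
    if "40286" in codes or "LW_ERROR_LDAP_SERVER_DOWN" in symbols.values():
        note = ("LDAP session to the DC dropped during group-membership lookup "
                "(LW_ERROR_LDAP_SERVER_DOWN): AD did not reject the password, so check "
                "DC reachability from the host before suspecting the credential")
        if dc_dropped:
            note += "; lsass cleared its DC connection list for " + ", ".join(dc_dropped)
        if packet_too_big:
            note += "; lwsmd also logged 'encoded packet size too big'"
        return note
    return "no LDAP_SERVER_DOWN failure found"


def triage(log_text):
    """Summarise a mixed likewise/syslog/hostd excerpt into the facts a responder needs."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    codes = Counter(e["code"] for e in events if e["code"])
    symbols = {e["code"]: e["symbol"] for e in events if e["code"] and e["symbol"]}
    failed_users = sorted({e["user"] for e in events
                           if e["user"] and e["code"] and "authenticate" in e["msg"].lower()})
    dc_dropped = sorted({e["domain"] for e in events
                         if e["domain"] and "Clearing ldap DC connection list" in e["msg"]})
    packet_too_big = any("encoded packet size too big" in e["msg"] for e in events)
    return {
        "codes": codes,
        "symbols": symbols,
        "failed_users": failed_users,
        "dc_dropped": dc_dropped,
        "packet_too_big": packet_too_big,
        "verdict": classify(codes, symbols, dc_dropped, packet_too_big),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

    Run it against a real excerpt by reading the file instead of SAMPLE_LOG. The point of the verdict string is the one the thread makes implicitly: a 40286 with LW_ERROR_LDAP_SERVER_DOWN logged right after a group-membership lookup is a transport failure between the host and the DC, so the vSphere Client's "incorrect user name or password" message is misleading and password resets will not help.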



  • 12.  RE: Active Directory Authentication

    Posted Jul 15, 2016 07:58 PM

    I ran into similar problems but think I found a workaround.

    I got AD Auth working by using the default "ESX Admins" group and creating a test account that only belongs to "ESX Admins" & "Domain Users" groups.  Using my existing admin account that has multiple group memberships including nested groups would fail with errors similar to the one you are getting.

    Followed KB to configure AD Authentication and changed default AD Group (not using "ESX Admins")

    Configuring the ESXi host with Active Directory authentication (2075361) | VMware KB

    KB article states the reboot is not required, but I found that reboot IS REQUIRED.  The non-default group would not work until ESXi host was rebooted.

    Found another KB article that includes a workaround for "known issue affecting ESXi 6.0 Update 2"

    Actions performed against Active Directory may fail after upgrading to ESXi 6.0 Update 2 (2145400) | VMware KB

    Implemented the documented workaround and I was able to log in with my existing admin account.

    One problem remains: "This work around does not persist across reboots", so the workaround has to be re-applied every time an ESXi host is rebooted.



  • 13.  RE: Active Directory Authentication

    Posted Jul 20, 2016 01:58 PM

    Also hitting the same issue. Some of the older standalone hosts I set up in the exact same way (running an older build) are working, but a new host I have been setting up today refuses to allow AD Authentication.

    One thing I've noticed is that on the hosts where it works, the Event Entries in ESXi show User Domain\Username@workstationIP, whereas the hosts that don't work never show the prefixed domain. What that means and how to get around it I don't know, but it seems like it's not applying that prefix and it's therefore trying to log in with a local account.

    None of the workarounds have seemed to work for me just yet.