
Cannot login to vCenter 6.7u2 with Domain Credentials


  • 1.  Cannot login to vCenter 6.7u2 with Domain Credentials

    Posted Aug 28, 2019 03:27 PM

    Hello,

    I recently added my vCenter to my Active Directory Domain and set the Domain to be the default identity source. I logged out of the Local Admin User, downloaded the Advanced Authentication Plug-In or whatever it's called and selected Use Windows Session Authentication and clicked login and it worked! However, when I try to manually type in my domain credentials it always tells me "INVALID CREDENTIALS". I've tried Domain\DomainName, DomainName@Domain.Com, just my DomainName, I've even gone to my DC and reset my password to make sure I was using the correct password. Can anyone point me in the direction of where I should start looking to see what this issue is?

    Thanks,

    Jared Keyes



  • 2.  RE: Cannot login to vCenter 6.7u2 with Domain Credentials

    Posted Aug 29, 2019 12:41 PM

    Hey Jared,

    I ran into the same thing with mine originally. Did you upgrade/convert an older vCenter to 6.7u2, or is this a fresh install?

    Regardless, I found it better to use the command-line tools located in /opt/likewise/bin to get a better readout for how vCenter was connected to AD. My issue was that I had converted from a previous vCenter and the computer account associated in AD needed to be completely removed and re-added.

    Also, check your websso.log and ssoAdminServer.log files in /var/log/vmware/sso to see what errors are popping up.



  • 3.  RE: Cannot login to vCenter 6.7u2 with Domain Credentials

    Posted Aug 29, 2019 12:44 PM

    Leave the domain (PSC) and reboot, then add it back and reboot.

    It will work.



  • 4.  RE: Cannot login to vCenter 6.7u2 with Domain Credentials

    Posted Aug 29, 2019 03:16 PM

    UPDATE: Turns out I just needed to delete the computer that was already in Active Directory to get it to connect again. Sorry, I'm still learning my way around vCenter. It's connected again, but the original problem still persists. Disconnecting and reconnecting did not fix the issue.

    Oof,

    I tried RajeevVCP4's solution first. After removing my vCenter from the domain and restarting it, it can no longer find the domain.

    The CLI gives me the error message "Error: NERR_DCNotFound [code 0x00000995]" and the web client gives me the error "ldm client exception: Error trying to join AD, error code [2453], user [DomainName], domain [domain.com] orgUnit[]"

    Now, I've made sure I've opened ports 123, 135, 137, 139, 3268, 389, 445, 464 and 88 using both TCP and UDP as per this guide (https://www.altaro.com/vmware/how-to-join-esxi-to-active-directory-for-improved-management-and-security/ ). I've created a host record and a PTR record in my DNS using the IP address of the vCenter, and I've configured my vCenter to use my DC as an NTP service so their times are synced, but according to my firewall logs the vCenter server makes one query to my DC using port 53, which I've read is the DNS port, and then fails.

    I'll continue to search those logs that Gidrakos mentioned, and if it matters the answer to their first question is that this was an upgrade from an older version of vCenter (5.5 I believe), but was rebuilt a few months ago because it wasn't working correctly. Any other ideas welcomed and appreciated.

    Jared Keyes



  • 5.  RE: Cannot login to vCenter 6.7u2 with Domain Credentials

    Posted Aug 29, 2019 07:17 PM

    FURTHER UPDATE:

    After digging through the logs I found this error code: "Native platform error [code: 851968]". After a quick bit of googling I found a solution on an older post here on the community forum, which was to leave the domain, delete the computer account in Active Directory, and rejoin the domain, pretty much exactly what was suggested earlier (After upgrade to 6.5 update 1 broken AD authentication). After trying this twice I'm still having the same error.

    Thoughts?

    Jared Keyes



  • 6.  RE: Cannot login to vCenter 6.7u2 with Domain Credentials

    Broadcom Employee
    Posted Aug 29, 2019 09:29 PM

    Odd one. Check your hosts file in /etc. Are you joining with the GUI or the CLI? What is the output of /opt/likewise/bin/domainjoin-cli query?

    As mentioned before, the action plan should work

    Clean up AD

    Leave Domain /opt/likewise/bin/domainjoin-cli leave

    Reboot

    /opt/likewise/bin/domainjoin-cli join
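
    The sequence above (clean up AD, leave, reboot, join), together with the DNS and port checks from post 4, as an added example script for the appliance shell. This is not code from the thread or from VMware; it relies only on /opt/likewise/bin/domainjoin-cli and /var/log/vmware/sso/websso.log, which the posts name, and DOMAIN, DC and JOIN_USER are placeholders for your own values. The query_ok check compares the Domain line of domainjoin-cli query against the DC= components of the computer object's DN, which is the consistency a stale computer account breaks.

```shell
#!/bin/sh
# Added example, not code from the thread or from VMware: preflight checks
# (post 4) and the leave / reboot / join sequence (post 6) for the vCenter
# Server Appliance. DOMAIN, DC and JOIN_USER are placeholders.

DJ=/opt/likewise/bin/domainjoin-cli
DOMAIN="${DOMAIN:-corp.domain.com}"          # placeholder, as in post 12
DC="${DC:-dc01.corp.domain.com}"             # placeholder domain controller
JOIN_USER="${JOIN_USER:-joinadmin}"          # placeholder account allowed to join
AD_PORTS="53 88 135 139 389 445 464 3268"    # TCP ports listed in post 4 (123/137 are UDP)

# dn_domain: turn the DC= components of a distinguished name into a DNS domain,
# e.g. CN=X,OU=Servers,DC=Corp,DC=Domain,DC=com -> corp.domain.com
dn_domain() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -i '^dc=' | cut -d= -f2 \
        | tr '\n' '.' | sed 's/\.$//' | tr 'A-Z' 'a-z'
}

# query_ok: given the text of 'domainjoin-cli query' and the expected domain,
# return 0 only if the Domain line and the computer object's DN both agree
# with it. A mismatch is the stale-computer-account situation from post 2.
query_ok() {
    out="$1"; want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    dom=$(printf '%s\n' "$out" | sed -n 's/^[[:space:]]*Domain = //p' | tr 'A-Z' 'a-z')
    dn=$(printf '%s\n' "$out" | sed -n 's/^[[:space:]]*Distinguished Name = //p')
    [ -n "$dom" ] && [ "$dom" = "$want" ] && [ "$(dn_domain "$dn")" = "$want" ]
}

# check_port: TCP connect test with a 3 s timeout (uses bash's /dev/tcp).
check_port() {
    timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

preflight() {
    # The DC must resolve, and the appliance needs forward and reverse records
    # (post 4); getent walks the same resolver path the join will use.
    getent hosts "$DC" >/dev/null || { echo "FAIL: $DC does not resolve"; return 1; }
    me=$(hostname)
    ip=$(getent hosts "$me" | awk '{print $1; exit}')
    if [ -n "$ip" ]; then
        getent hosts "$ip" >/dev/null || echo "WARN: no reverse record for $ip"
    else
        echo "WARN: no forward record for $me"
    fi
    for p in $AD_PORTS; do
        check_port "$DC" "$p" || echo "WARN: TCP $p to $DC not reachable"
    done
}

do_leave() {
    "$DJ" query
    "$DJ" leave "$JOIN_USER"        # prompts for the password
    echo "Now delete the appliance's computer object in AD, reboot, then run: $0 join"
}

do_join() {
    "$DJ" join "$DOMAIN" "$JOIN_USER"   # prompts for the password; --ou <OU> picks the OU
    out=$("$DJ" query)
    if query_ok "$out" "$DOMAIN"; then
        echo "joined: Domain line and computer DN agree on $DOMAIN"
    else
        echo "join looks inconsistent; last lines of websso.log:"
        tail -n 50 /var/log/vmware/sso/websso.log
        return 1
    fi
}

case "${1:-}" in
    preflight) preflight ;;
    leave)     do_leave ;;
    join)      do_join ;;
    *)         ;;   # no argument: only define the functions
esac
```

    Run it as `sh rejoin.sh preflight` before touching the join, `sh rejoin.sh leave`, reboot, delete the computer object, then `sh rejoin.sh join`. The port loop only covers TCP; UDP 123 and 137 still need to be confirmed on the firewall.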



  • 7.  RE: Cannot login to vCenter 6.7u2 with Domain Credentials

    Posted Aug 30, 2019 11:36 AM

    As I suggested in my original reply, and like johncol said, use the CLI to leave, delete the computer object in AD, then use the CLI to re-join and you should be good. That's what I ended up having to do.

    Glad you found something useful in the logs!



  • 8.  RE: Cannot login to vCenter 6.7u2 with Domain Credentials

    Posted Aug 30, 2019 12:05 PM

    Wrong Post. Excuse me



  • 9.  RE: Cannot login to vCenter 6.7u2 with Domain Credentials

    Posted Aug 30, 2019 12:28 PM

    Just guessing...

    - The error message indicates that you try to add something which is already there

    - It looks like you're trying to add something to a local group. Why?

    What happens if you just grant permission to a user (maybe one you have never touched before, just for testing) and add him with a ROLE to vCenter?

    I have the feeling you're messing around with localos and vsphere.local, which I also used, but never tried to add something from the outside.

    Regards,

    Joerg



  • 10.  RE: Cannot login to vCenter 6.7u2 with Domain Credentials

    Posted Aug 30, 2019 12:57 PM

    I ran into the same thing in the web interface and couldn't get around it.

    Try using the CLI for managing groups as well. Everything you need (domain join, group management, etc) can be found in /usr/lib/vmware-vmafd/bin

    Those give you much more direct control without the overhead of HTML5 (and better logging).



  • 11.  RE: Cannot login to vCenter 6.7u2 with Domain Credentials

    Posted Aug 30, 2019 01:21 PM

    Wrong Post. Excuse me



  • 12.  RE: Cannot login to vCenter 6.7u2 with Domain Credentials

    Posted Aug 30, 2019 02:07 PM

    Hey D3m4dm,

    I think you may have clicked on the wrong topic. I don't think our problems are related and I don't want people getting confused as to what troubleshooting steps have or have not been performed.

    As for my original problem, I do use the cli for most things as I don't like the web client all that much.

    When I run /opt/likewise/bin/domainjoin-cli query it returns:

    Name = photon-machine
    Domain = CORP.DOMAIN.COM
    Distinguished Name = CN=PHOTON-MACHINE,OU=Servers,OU=HQ,OU=Locations,DC=Corp,DC=Domain,DC=com

    (My domain is not actually called domain.com; I'm just erasing the actual name and replacing it for privacy reasons.)

    All that looks correct to me though.

    I will try to clean up AD and then remove and re-add it. Hopefully that helps.



  • 13.  RE: Cannot login to vCenter 6.7u2 with Domain Credentials

    Posted Aug 30, 2019 02:09 PM

    Yes, that's right, I'm in the wrong post. Excuse me so much.



  • 14.  RE: Cannot login to vCenter 6.7u2 with Domain Credentials

    Posted Sep 03, 2019 01:16 PM

    Alright, so, I'm pretty new to the organization, so if cleaning up AD is all that's necessary it's going to take me a little while to deep dive into it and figure out what everything is and what we don't need. In the meantime I have two questions, one related and one only semi-related.

    I was reading through some VMware KBs (specifically this one: Unable to Log In Using Active Directory Domain Authentication ). I ran the commands they suggested, I'm not a VMware expert, but all of the output LOOKED correct. Step 3 is to leave the domain and rejoin the domain, which we have established isn't the solution for me, at least, not yet. Step 4 says to restart all the services. The command they give (/bin/service-control --restart --all) isn't a valid one, but I was wondering if there was a valid command to cycle the services or if people had recommendations for which services I should try restarting.

    The other question I have is: We have a disabled users folder in our AD. The HTML 5 Web Client can only display 200 users for some reason and currently it is 75% full with disabled users or users from our contractor folder who have no reason to access our vCenter. Is there a way to make vCenter ignore certain folders in AD?

    Thanks,

    Jared Keyes



  • 15.  RE: Cannot login to vCenter 6.7u2 with Domain Credentials

    Posted Sep 04, 2019 02:49 PM

    "/bin/service-control --restart --all isn't a valid one" - Not sure why since it's working perfectly for me.

    From the looks of things, "service-control" lives in both /usr/bin/ and /bin/ as separate, but identical files. "which service-control" tells me /usr/bin is the default mapped one. service-control -? gives you some basic usage instructions. I can successfully use either one to list my services and get their information, including using the --all flag.

    As for the AD issue - would it be possible to simply move the old users to another OU? You can use a PowerShell script to quickly search for users who haven't used their accounts, have expired passwords, etc, and move them to a proper location so vSphere doesn't see them anymore.

    I am not aware of a way to tell vSphere to ignore users in an AD OU.



  • 16.  RE: Cannot login to vCenter 6.7u2 with Domain Credentials

    Posted Sep 04, 2019 03:03 PM

    Hey Gidrakos,

    That's really weird. When I try that command I get a message that says "Service-control failed. Error: Restart option takes exactly one service name as argument" Maybe I should try updating my vCenter?

    In regards to the AD issue, all of my disabled accounts are in a disabled account OU, but when I joined my vCenter to the domain I didn't tell it to point to a specific OU such as the users OU, so I'm assuming it's pulling all the users from every OU. Is it best practice to point vCenter to a specific OU?

    Thanks,

    Jared Keyes



  • 17.  RE: Cannot login to vCenter 6.7u2 with Domain Credentials

    Posted Sep 04, 2019 03:16 PM

    Ah - It's mad about you giving it the --all flag. You need to restart them one at a time from the looks of it, or whip up a script to do it for you as a batch. Sorry, I don't have a server available that I'm willing to try restarting ALL services on, so I couldn't debug that with you.

    Yes, if you simply add an Identity Source as an "AD (Integrated Windows Auth)" it doesn't allow you to specify an OU and, therefore, pulls everything it can find.

    I believe best practice is to use integrated auth when applicable, but I can't find the documentation on it. That being said, it's just as secure to specify the LDAP server/connection manually and use a specified certificate.
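
    The one-at-a-time restart described above, as an added example script. This is not code from the thread or from VMware. It assumes service-control at /usr/bin/service-control (post 15) and that `service-control --list` prints one service per line beginning with the service name; that output format is an assumption, and the sample list in the test is constructed. The `stopstart` branch uses `--stop --all` / `--start --all`, which to my knowledge service-control does accept even though `--restart` takes exactly one name.

```shell
#!/bin/sh
# Added example, not code from the thread or from VMware: restart the
# appliance services one at a time, the workaround post 17 suggests once
# 'service-control --restart --all' is rejected. Assumes service-control
# lives at /usr/bin/service-control and that '--list' prints "<name> (...)"
# lines (an assumption about the output format).

SC="${SC:-/usr/bin/service-control}"

# parse_service_list: take the text of 'service-control --list' and print the
# first token of every non-empty, non-comment line, i.e. the service names.
parse_service_list() {
    printf '%s\n' "$1" | awk 'NF && $1 !~ /^#/ { print $1 }'
}

# restart_each: restart every service named in the list text, stopping at the
# first failure so a half-restarted appliance is noticed rather than hidden.
restart_each() {
    for svc in $(parse_service_list "$1"); do
        echo "== restarting $svc"
        "$SC" --restart "$svc" || { echo "restart of $svc failed"; return 1; }
    done
}

case "${1:-}" in
    # Read the live service list from the appliance and restart each service.
    each)      restart_each "$("$SC" --list)" ;;
    # Alternative to the loop: --stop and --start do accept --all.
    stopstart) "$SC" --stop --all && "$SC" --start --all ;;
    *)         ;;   # no argument: only define the functions
esac
```

    Run `sh restart-services.sh each` on the appliance; set `SC=echo` first to see which commands it would issue without restarting anything.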



  • 18.  RE: Cannot login to vCenter 6.7u2 with Domain Credentials

    Posted Sep 04, 2019 03:19 PM

    It won't let me edit my previous post but, to add to that:

    You could always make an AD group to place users in and only add that group to the list of those who have privileges. That would mean those users, like vendors, who somehow wander onto your vSphere can login, but they won't see a thing.



  • 19.  RE: Cannot login to vCenter 6.7u2 with Domain Credentials

    Posted Sep 13, 2019 04:24 PM

    Quick Update:

    I've been working on getting my AD cleaned up like suggested. However, in the meantime I decided that I would just have people log on using the "Use Windows Session" checkbox; however, it doesn't work for them! They keep being told that they have no permission to anything on the vCenter even though I've added them to my server admin group in AD. I then decided to remove my account from any admin group on vCenter, including the one in my Active Directory, and see if my account gets the same error, however it did not. So now I'm thinking that my AD is not actually replicating to my vCenter. Anybody else have that issue before?

    Thanks,

    Jared Keyes



  • 20.  RE: Cannot login to vCenter 6.7u2 with Domain Credentials

    Posted Jul 09, 2020 03:54 PM

    Hello

    Did you find any solution for this problem? I have exactly the same issue.

    Regards

    Rafal



  • 21.  RE: Cannot login to vCenter 6.7u2 with Domain Credentials

    Posted Sep 01, 2020 07:54 PM

    Hi all,

    any news here? We ran into exactly the same problem: Upgrade from VCVA 6.5 U3 to VCVA 6.7 U3j. Upgrade runs fine without any problems. VCVA has a computer account in AD (functional level 2016), we have configured Windows Integrated Authentication as identity source in SSO (VC with integrated PSC). With VCVA 6.5 U3 the AD based permissions are working fine; with VCVA 6.7 U3j they are not working any more when username and password are specified explicitly, but connecting to VCVA 6.7 U3j with Windows Session Credentials is working. So the identity source is not broken completely. There is no firewall etc. between VCVA and AD or between the browser and VCVA. Strange...

    We have opened a case for this with VMware Support.

    Anyway, help from you guys is very appreciated!

    Best regards,

    Christian

    P.S.: Thread  VCSA 6.7U1 AD Login not possible anymore  is IMHO discussing exactly the same issue.



  • 22.  RE: Cannot login to vCenter 6.7u2 with Domain Credentials

    Posted Sep 02, 2020 11:19 AM

    Hi all,

    quick update: We resolved the problem as described in After upgrade to 6.5 update 1 broken AD authentication . Obviously, the problem has something to do with the structure of the AD namespace, but what exactly is unclear. Please note that removing the VCVA from the AD and re-adding it doesn't affect defined permissions. So you shouldn't expect problems from this side.

    Best regards,

    Christian



  • 23.  RE: Cannot login to vCenter 6.7u2 with Domain Credentials

    Posted Nov 07, 2023 09:31 AM

    I can tell you what worked for me. What I did was this: rebooted the system with no network connectivity.