VMware vSphere

  • 1.  Login with SSPI or Enhanced Authentication Plugin fails

    Posted Sep 30, 2021 08:32 AM

    Hi

    I have multiple vCenters (6.7 & 7) that have issues with logging in using the Enhanced Authentication Plugin in a browser or using Connect-VIServer with PowerCLI, and here come the twists.

    1. The problem is on a new Windows 2019 server. The old Windows 2012R2 does not have any issues with this (so it is not a vCenter issue).

    2. The primary vCenter (let's call it VC1, vCenter 6.7) does not have this issue logging in (without providing username/password), only all the others (VC2 (6.7), VC3 (7.0), VC4 (7.0)).

    Has anyone seen this? It seems like it is Windows related, but why does VC1 work then?

     

    Example Windows 2012R2:

    Connect-VIServer $vc1 -Verbose
    VERBOSE: Attempting to connect using SSPI
    VERBOSE: Reversely resolved 'xxx' to 'yyy'
    VERBOSE: SSPI Kerberos: Acquired credentials for user 'zzz'
    VERBOSE: SSPI Kerberos: Successful call to InitializeSecurityContext for target 'host/yyy'
    VERBOSE: Connected successfully using SSPI
    
    Name                           Port  User
    ----                           ----  ----
    xxx                            443   zzz
    
    
    Connect-VIServer $vc2 -Verbose
    VERBOSE: Attempting to connect using SSPI
    VERBOSE: Reversely resolved 'xxx' to 'yyy'
    VERBOSE: SSPI Kerberos: Acquired credentials for user 'zzz'
    VERBOSE: SSPI Kerberos: Successful call to InitializeSecurityContext for target 'host/yyy'
    VERBOSE: Connected successfully using SSPI
    
    Name                           Port  User
    ----                           ----  ----
    xxx                            443   zzz

     

    Example from 2019:

    Connect-VIServer $vc1 -Verbose
    VERBOSE: Attempting to connect using SSPI
    VERBOSE: Reversely resolved 'xxx' to 'yyy'
    VERBOSE: SSPI Kerberos: Acquired credentials for user 'zzz'
    VERBOSE: SSPI Kerberos: Successful call to InitializeSecurityContext for target 'host/yyy'
    VERBOSE: Connected successfully using SSPI
    
    Name                           Port  User
    ----                           ----  ----
    xxx                            443   zzz
    
    
    Connect-VIServer $vc2 -Verbose
    VERBOSE: Attempting to connect using SSPI
    VERBOSE: Reversely resolved 'xxx' to 'yyy'
    VERBOSE: SSPI Kerberos: Acquired credentials for user 'zzz'
    VERBOSE: SSPI Kerberos: InitializeSecurityContext failed for target 'host/yyy'. Error code: 0x80090342
    VERBOSE: Connect using SSPI was unsuccessful
    Connect-VIServer : 9/30/2021 10:27:33 AM        Connect-VIServer                Could not determine user name and/or password for server xxx
    At line:1 char:1
    + Connect-VIServer $vc2 -Verbose
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (:) [Connect-VIServer], ViServerConnectionException
        + FullyQualifiedErrorId : ViCore_Login_CredentialNotFound,VMware.VimAutomation.ViCore.Cmdlets.Commands.ConnectVIServer

     



  • 2.  RE: Login with SSPI or Enhanced Authentication Plugin fails
    Best Answer

    Posted Sep 30, 2021 12:36 PM

    Found the solution - RC4 encryption needs to be enabled in the local policy

    Another possible fix, which we still need to test, is to add the encryption types to the computer objects in Active Directory. As can be seen, yyy is VC1, which is working, and xxx is one of the ones not working (before the above fix/workaround).

     

    Get-ADComputer XXX -Properties KerberosEncryptionType
    
    KerberosEncryptionType : {}
    
    Get-ADComputer yyy -Properties KerberosEncryptionType
    
    KerberosEncryptionType : {RC4, AES128, AES256}


    Errors related to this are:

    eRR-ETYPE-NOSUPP (14) - Wireshark

    krb5kdc-err-etype-nosupp

    MS KBs:
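
Added example (not part of the original posts, and not VMware or Microsoft code): a PowerShell check that compares the encryption types the local Kerberos policy allows with those set on the vCenter computer objects, which is the mismatch the answer above works around. The function names are hypothetical; the bit values are the standard flags of `msDS-SupportedEncryptionTypes`, the attribute that `KerberosEncryptionType` renders.

```powershell
# Added example; needs the ActiveDirectory module (RSAT) on a domain-joined client.
[Flags()] enum KrbEtype {
    DES_CBC_CRC = 1
    DES_CBC_MD5 = 2
    RC4         = 4
    AES128      = 8
    AES256      = 16
}

function ConvertTo-KrbEtype($Value) {
    # Unset or 0 -> $null. Keep only the five etype bits; the client policy
    # value can also carry high bits for "future encryption types".
    if (-not $Value) { return $null }
    [KrbEtype]([long]$Value -band 0x1F)
}

function Get-ClientKerberosEtype {
    # Written by "Network security: Configure encryption types allowed for Kerberos"
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
    $p = Get-ItemProperty -Path $key -Name SupportedEncryptionTypes -ErrorAction SilentlyContinue
    ConvertTo-KrbEtype $p.SupportedEncryptionTypes
}

function Test-KerberosEtypeOverlap {
    param([Parameter(Mandatory)][string[]]$ComputerName)
    $client = Get-ClientKerberosEtype
    foreach ($name in $ComputerName) {
        $c      = Get-ADComputer -Identity $name -Properties 'msDS-SupportedEncryptionTypes'
        $acct   = ConvertTo-KrbEtype $c.'msDS-SupportedEncryptionTypes'
        $shared = [int]$client -band [int]$acct   # 0 when either side is unset
        $finding = if ($null -eq $client) {
            'client policy not configured: OS default applies'
        } elseif ($null -eq $acct) {
            # Same shape as the failing object (XXX) in the thread
            if ([int]$client -band 4) { 'account etypes not set; client allows RC4' }
            else { 'account etypes not set; client does not allow RC4' }
        } elseif ($shared -band 0x18) { 'AES in common'
        } elseif ($shared) { 'only DES/RC4 in common'
        } else { 'no common etype: expect ETYPE-NOSUPP (14)' }
        [pscustomobject]@{
            Computer      = $c.Name
            AccountEtypes = if ($null -eq $acct) { '(not set)' } else { "$acct" }
            ClientPolicy  = if ($null -eq $client) { '(not configured)' } else { "$client" }
            Finding       = $finding
        }
    }
}

Test-KerberosEtypeOverlap -ComputerName 'XXX', 'yyy'   # placeholder names from the thread
```

Run it on both the Windows 2012R2 and the Windows 2019 client to see which side of the comparison differs between them.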