Standalone host. Here are the steps that make this so strange:

1. Diskless install of ESXi 6 using HP Image
2. Static IPv4 & hostname assignment in DCUI - IPv6 disabled as not in use and causing an error when un-configured (required reboot)
3. Login to host using the C# Client as: root
4. NTP configured and tested (ntpq -p), working - time is correct
5. AD joined
6. Successful login to host using the C# Client with "Windows session credentials" option (DOMAIN\user)
7. Configure iSCSI Storage & create VMFS 5 volume
8. Redirect log files to VMFS
9. Redirect scratch to VMFS (required reboot)

At this point, I am unable to login to the host using the C# Client with "Windows session credentials: option. This is where I see the gss_acquire_cred failed.

I can login to the host, however, using manually entered: user@domain.tld

Can you check /etc/likewise/krb5-affinity.conf and confirm everything looks correct ? do you have multiple dc's ? (not sure if this is a test lab or not)

Can you confirm you are using the FQDN of the esx host when connecting in the c client.

This error used to occur on 4.1, and the fix was to remove the file host_0 from /scratch/var/tmp but I'm not sure if that exists in 6 as my lab hosts aren't connected to AD.

Let me know.

R

Logging in using Windows credentials is one of the two problems I experience using vSphere Client. I actually have no problem entering Windows credentials manually, it’s the checkbox “Use Windows session credentials” that doesn’t work. See my post: vSphere 6.0 NTP Service and SSO malfunction

The checkbox is working fine from several clients after joining the domain until the host is rebooted. Removing and rejoining the host makes things work again until next reboot.

The scratchdir is set to a folder in the datastore. I also entered the FQDN of our RWDC in UserVarsActiveDirectoryPreferredDomainControllers without any luck. Removing the file /scratch/var/tmp/host_0 doesn’t help either. My /etc/likewise/lib/krb5-affinity.conf looks fine as far as I can tell.

Using the FQDN, host name or IP address makes no difference.

I have multiple DC’s (one RWDC and one RODC). I also have a domain trust. For us, this has been a permanent problem in 4.1, a solvable problem in 5.0 and no problem in 5.5. And now, the problem is back again …

RichardBush wrote:

Can you check /etc/likewise/krb5-affinity.conf and confirm everything looks correct ? do you have multiple dc's ? (not sure if this is a test lab or not)

Can you confirm you are using the FQDN of the esx host when connecting in the c client.

This error used to occur on 4.1, and the fix was to remove the file host_0 from /scratch/var/tmp but I'm not sure if that exists in 6 as my lab hosts aren't connected to AD.

Let me know.

R

Confirmed, all. /etc/likewise/krb5-affinity.conf looks fine and I always use FQDN for everything!

apendo wrote:

Logging in using Windows credentials is one of the two problems I experience using vSphere Client. I actually have no problem entering Windows credentials manually, it’s the checkbox “Use Windows session credentials” that doesn’t work. See my post: vSphere 6.0 NTP Service and SSO malfunction

The checkbox is working fine from several clients after joining the domain until the host is rebooted. Removing and rejoining the host makes things work again until next reboot.

The scratchdir is set to a folder in the datastore. I also entered the FQDN of our RWDC in UserVarsActiveDirectoryPreferredDomainControllers without any luck. Removing the file /scratch/var/tmp/host_0 doesn’t help either. My /etc/likewise/lib/krb5-affinity.conf looks fine as far as I can tell.

Using the FQDN, host name or IP address makes no difference.

I have multiple DC’s (one RWDC and one RODC). I also have a domain trust. For us, this has been a permanent problem in 4.1, a solvable problem in 5.0 and no problem in 5.5. And now, the problem is back again …

We have an almost identical experience through versions! VMware was much more careful with this version than certain previous messes, like 5.1, but it is becoming clear that the initial public release is not ready for prime-time.

I do not believe we will be able to Qualify this for use with all of the oddities we have experienced relating to authentication using AD. We will keep trying anything we can think of, to eliminate the possibility we have made a mistake, or there is a viable workaround. But until then, flakiness in authentication is a no-go!

My understanding is that you can authenticate correctly with AD, you are just unable to use Windows Session Credentials?

Could you confirm one thing for me, under host - configuration, DNS and Routing, Host Identification, can you confirm here that the hostname is correct, the domain name is correct (i believe you ve already checked the DNS servers) and the search domains are correct. All this should match up with the FQDN used to connect.

Thanks

Yes, I’m able to authenticate in vSphere Client when entering AD credentials manually. It’s when I activate the checkbox “Use Windows session credentials” I get the error message “A general system error occurred: gss_acquire_cred failed”.

The checkbox works initially after joining the host to the domain but stops working after the host is rebooted. If I remove the host from the domain and then rejoin it, the checkbox works again until the next reboot.

The host name is correct, the domain name is correct and the search domains are correct. They all match up with the FQDN used to connect.

Ok, i would suggest raising a case with VMware on this one.

R

Yes, that's probably where we are going. Since this is an installation for Qualification purposes, the intent is "take what you get" and judge its suitability for use on Production systems. I believe we will be waiting for the first major update (and 30-60 days of re-Qualification) to move to vSphere 6 in production.

If I were to guess, developers at VMware are under tremendous pressure not to release 3 major upgrades within the first 30-days of public release. The way they beta'ed this one and waited for release, I imagine they expected things to be nearly perfect!