1 2 3 4 Previous Next 48 Replies Latest reply on Jul 9, 2016 11:33 AM by hockeyguyin714 Go to original post
      • 45. Re: AppVols upgrade to 2.10 "NTLM Authentication failed for: Domain\user. Virtualization is disabled"
        epa80 Enthusiast

        I wanted to post about a few things we tried that SEEM to have resolved our issue. We did these 2 things and have not had the error on about 40 consecutive logins. I spoke with VMware support and they recommended the DEMO setting be set. We were going to go ahead and do it, when we decided to do these "maintenance" steps listed below. Once done, we've been pretty solidly set.


        1. Installed 90 Critical OS Patches on the Managers.
          • We had our AppVolumes instance spun up by VMware professional services a few months ago. We were lax in getting these things patched and on a regular schedule. That has been resolved as of yesterday as they are now on our monthly patching plan, but in the meantime, I figured I'd post a screenshot of the 90 we installed. I don't know how helpful that is for anyone to weed through 90 patches and see if any possibly made a difference, but, it is there for anyone to look.
        2. Statically set our WINS servers on the Managers.
          • We know that typically WINS isn't important, and from speaking to other AppVolumes customers, by and large it seems that AV does most of it's talking via DNS. Still, not all environments are the same, and WINS perhaps is utilized at our site differently than it is elsewhere. Again, I don't know if this was what did it at all, but, this was a step we performed on all 4 managers. My guess is it was just an oversight by professional services, as WINS may or may not be needed by the book for AppVolumes. Possibly just moot. As these are servers, and IP/Gateway/Subnet/DNS are all set statically, it just made sense to set WINS as that is our standard anyway.


        As I said, after doing this, we haven't seen the NTLM error 401 once. Would I be surprised to see it again? No, not at all. I am happy though we were able to do it without modifying the .bat file, as benign as that is. If it ends up coming back, we'll just move on to that step.


        Again see attached for the patches we installed. Maybe 1 will click with someone else experiencing the issue. Apologies for 3 screenshots, I couldn't get the entire list of 90 into one sheet.


        Edit: to clarify, our architecture:


        We have 4 Managers in each of our 2 Data Centers (8 Managers in total).

        Each side is behind a VIP: IE DC1-APPV has all 4 DC1 managers behind it, and DC2-APPV has all 4 DC2 managers behind it.

        On our parent image when installing the agent just points to their side's respective VIP.

        In each DC, we have 1 domain controller, so in regards to latency/replication, the VMs should never be leaving the DC to talk to their controller. Ditto the managers.


        Edit: my co-worker provided me with a spreadsheet of the patches installed, might be easier to view than those screenshots.

        • 46. Re: AppVols upgrade to 2.10 "NTLM Authentication failed for: Domain\user. Virtualization is disabled"
          K_Miller Novice

          We just started experiencing this issue on June 20th. It appears to have been resolved at this point. In the Appvol Manager I explicitly set my domain controller host name as a specific domain controller. Leaving this setting blank did not work and selecting the primary domain controller which holds all of our roles did not work.

          • 47. Re: AppVols upgrade to 2.10 "NTLM Authentication failed for: Domain\user. Virtualization is disabled"
            cyberfed2727 Enthusiast

            FWIW this is now actually in the documentation for 2.11 with steps on how to disable NTLM for App Vols.


            From page 18:


            Disable NTLM Authentication

            NTLM authentication is used to verify the user, computer, and the domain of the agent when it makes

            HTTP requests to the App Volumes Manager.

            You can allow or stop the HTTP request from proceeding by defining a system environment variable.


            1 On the App Volumes Manager machine, open Windows Explorer.

            2 Right-click My Computer.

            3 Click Properties > Advanced System Settings > Environment Variables.

            4 In the System Variables panel, click New.

            The New System Variable window appears.

            5 Enter AVM_NTLM_DISABLED in the Variable name text box.

            6 Enter 1 in the Variable value text box.

            7 Restart the App Volumes Manager service.

            This disables the NTLM authentication.


            I'm going to go out a limb and say that this config probably holds true for 2.10 and older installs as well. I'm speculating.

            In 2.10 pointing to a DC seemed to resolve the NTLM issue for all but one of our users. I don't like this method though if that DC is unavailable then App Vols is going to freak out.

            Best of luck.

            • 48. Re: AppVols upgrade to 2.10 "NTLM Authentication failed for: Domain\user. Virtualization is disabled"
              hockeyguyin714 Enthusiast
              VMware Employees

              It might be helpful to turn debug logging on the App Volumes Manager to see what Active Directory server was used to authenticate the user.   App Volumes logs the LDAP failure code which should give you some key indication why it failed or timed out or whatever the issue was.  http://kb.vmware.com/kb/2101668  You will want to look at production.log on the App Volumes Manager to see why the user failed to login.  Make sure to turn debug logging off after you figure out the possible cause.


              App Volumes Manager will talk to the DC that first responds to the query for that domain.   This can be controlled and limited by Active Directory Sites and Services to further increase success chances. 

              1 2 3 4 Previous Next