https://communities.vmware.com/t5/vSphere-Upgrade-Install/After-upgrade-to-6-5-update-1-broken-AD-authentication/m-p/1409950#M15709 <HTML><HEAD></HEAD><BODY><P>Make sure you have configured nameservers in <STRONG>/etc/resolv.conf</STRONG> of VCSA.</P></BODY></HTML> Tue, 15 Aug 2017 12:10:22 GMT vijayrana968 2017-08-15T12:10:22Z https://communities.vmware.com/t5/vSphere-Upgrade-Install/After-upgrade-to-6-5-update-1-broken-AD-authentication/m-p/1409949#M15708 <HTML><HEAD></HEAD><BODY><P>I have upgrade VCSA to 6.5 Update 1 (from 6.5)</P><P>After this I can't login using AD credentials. administrator@vsphare.local is still working</P><P>Logs say:</P><P>Invalid credentials</P><P>exception 'com.vmware.identity.idm.IDMLoginException: Native platform error [code: 851968]</P><P></P><P>Network packects at port 389 are going. And i can add permissions at objects: vcenter sees users from AD.</P><P>"Identify Source" for domain is configured with "use machine account".</P><P>When i try to using SPN, I need type SPN as STS/domain.local, but i have error: SPN can't be found</P><P></P><P>Now i have configured AD as LDAP service, but it is not good way.</P><P></P><P>Does anyone know something about this problem ?</P></BODY></HTML> Tue, 15 Aug 2017 11:33:29 GMT https://communities.vmware.com/t5/vSphere-Upgrade-Install/After-upgrade-to-6-5-update-1-broken-AD-authentication/m-p/1409949#M15708 KuznetsovA 2017-08-15T11:33:29Z https://communities.vmware.com/t5/vSphere-Upgrade-Install/After-upgrade-to-6-5-update-1-broken-AD-authentication/m-p/1409950#M15709 <HTML><HEAD></HEAD><BODY><P>Make sure you have configured nameservers in <STRONG>/etc/resolv.conf</STRONG> of VCSA.</P></BODY></HTML> Tue, 15 Aug 2017 12:10:22 GMT https://communities.vmware.com/t5/vSphere-Upgrade-Install/After-upgrade-to-6-5-update-1-broken-AD-authentication/m-p/1409950#M15709 vijayrana968 2017-08-15T12:10:22Z https://communities.vmware.com/t5/vSphere-Upgrade-Install/After-upgrade-to-6-5-update-1-broken-AD-authentication/m-p/1409951#M15710 <HTML><HEAD></HEAD><BODY><P>Checked. It is ok.</P><P>and krb5.conf too.</P></BODY></HTML> Tue, 15 Aug 2017 12:36:20 GMT https://communities.vmware.com/t5/vSphere-Upgrade-Install/After-upgrade-to-6-5-update-1-broken-AD-authentication/m-p/1409951#M15710 KuznetsovA 2017-08-15T12:36:20Z https://communities.vmware.com/t5/vSphere-Upgrade-Install/After-upgrade-to-6-5-update-1-broken-AD-authentication/m-p/1409952#M15711 <HTML><HEAD></HEAD><BODY><P>VCSA FQDN is resolving successfully ?</P></BODY></HTML> Tue, 15 Aug 2017 12:54:40 GMT https://communities.vmware.com/t5/vSphere-Upgrade-Install/After-upgrade-to-6-5-update-1-broken-AD-authentication/m-p/1409952#M15711 vijayrana968 2017-08-15T12:54:40Z https://communities.vmware.com/t5/vSphere-Upgrade-Install/After-upgrade-to-6-5-update-1-broken-AD-authentication/m-p/1409953#M15712 <HTML><HEAD></HEAD><BODY><P>Check if it works for you <A href="http://raoconnor.com/vsphere-6/creating-an-spn-for-use-with-vcsa-6/" title="http://raoconnor.com/vsphere-6/creating-an-spn-for-use-with-vcsa-6/">Creating an SPN for use with VCSA 6 – cloud, virtualization and sddc blog</A> </P></BODY></HTML> Tue, 15 Aug 2017 13:05:41 GMT https://communities.vmware.com/t5/vSphere-Upgrade-Install/After-upgrade-to-6-5-update-1-broken-AD-authentication/m-p/1409953#M15712 vijayrana968 2017-08-15T13:05:41Z https://communities.vmware.com/t5/vSphere-Upgrade-Install/After-upgrade-to-6-5-update-1-broken-AD-authentication/m-p/1409954#M15713 <HTML><HEAD></HEAD><BODY><P>I have created SPN. Checked that it exists.</P><P>But I can't use it.</P><P>I input SPN, username and password, but i received in gui: "No principal name found".</P><P></P><P>In logs: </P><P>vmware-sts-idmd.log: probeAdConnectivity failed for <EM>user@domain</EM></P><P>ssoAdminServer.log: ERROR com.vmware.identity.admin.server.ims.impl.DomainManagementImpl] Invalid crendential? principalName: [<EM>user@domain</EM>], details: [probeAdConnectivity failed for <EM>user@domain</EM>]</P><P>The specified principal (<EM>user@domain</EM>) is invalid.</P><P>com.vmware.vim.sso.admin.exception.InvalidPrincipalException: The <SPAN style="text-decoration: underline;">specified principal</SPAN> (<EM>user@domain</EM>) is invalid.</P><P></P><P></P><P>But with the same user and password i can configure AD as LDAP.</P><P></P><P>Any ideas ?</P></BODY></HTML> Tue, 15 Aug 2017 14:27:25 GMT https://communities.vmware.com/t5/vSphere-Upgrade-Install/After-upgrade-to-6-5-update-1-broken-AD-authentication/m-p/1409954#M15713 KuznetsovA 2017-08-15T14:27:25Z https://communities.vmware.com/t5/vSphere-Upgrade-Install/After-upgrade-to-6-5-update-1-broken-AD-authentication/m-p/1409955#M15714 <HTML><HEAD></HEAD><BODY><P>Can you check if the vCSA has joined the Domain from CLI. </P><P></P><P><SPAN style="font-size: small; font-family: 'Courier New';">/opt/likewise/bin/domainjoin-cli query </SPAN></P><P></P><P><SPAN style="font-size: small; font-family: 'Courier New';">and if it is already joined the domain, then try the below steps in order to correct the behavior </SPAN></P><P></P><P></P><P><SPAN style="font-weight: bold; color: #333333; font-family: 'VM Regular';">In disjoint domain namespace the domain users might fail to authenticate after you update to vSphere 6.5 Update 1</SPAN></P><P style="margin-bottom: 10px; color: #333333; font-family: 'VM Regular';">After you update a Platform Services Controller Appliance to vSphere 6.5 Update 1, in the disjoint domain namespace the users might fail&nbsp; to authenticate.</P><P style="margin-bottom: 10px; color: #333333; font-family: 'VM Regular';">1. Log in to the Platform Services Controller Appliance as root and activate the bash shell.<BR />2. Leave the domain by running the <CODE style="font-family: Menlo, Monaco, Consolas, 'Courier New', monospace; font-size: 12.6px; color: #c7254e; background-color: #f9f2f4; padding: 2px 4px;">/opt/likewise/bin/domainjoin-cli leave </CODE>command.<BR />3. Reboot the appliance.<BR />4. Delete the computer account on the Active Directory.<BR />5. Log in to the appliance again and enable the bash shell.<BR />6. Join to the domain by running the following command <CODE style="font-family: Menlo, Monaco, Consolas, 'Courier New', monospace; font-size: 12.6px; color: #c7254e; background-color: #f9f2f4; padding: 2px 4px;">/opt/likewise/bin/domainjoin-cli join <EM>domain-name</EM> <EM>domain_admin_user</EM></CODE><BR />for example: <CODE style="font-family: Menlo, Monaco, Consolas, 'Courier New', monospace; font-size: 12.6px; color: #c7254e; background-color: #f9f2f4; padding: 2px 4px;">/opt/likewise/bin/domainjoin-cli join <EM>vmware.com administrator</EM></CODE><BR />7. Reboot the appliance.</P><P style="margin-bottom: 10px; color: #333333; font-family: 'VM Regular';"></P><P style="margin-bottom: 10px; color: #333333; font-family: 'VM Regular';">Release notes link: <A href="https://docs.vmware.com/en/VMware-vSphere/6.5/rn/vsphere-vcenter-server-651-release-notes.html" title="https://docs.vmware.com/en/VMware-vSphere/6.5/rn/vsphere-vcenter-server-651-release-notes.html">VMware vCenter Server 6.5 Update 1 Release Notes</A> </P></BODY></HTML> Tue, 15 Aug 2017 21:32:27 GMT https://communities.vmware.com/t5/vSphere-Upgrade-Install/After-upgrade-to-6-5-update-1-broken-AD-authentication/m-p/1409955#M15714 Camero 2017-08-15T21:32:27Z https://communities.vmware.com/t5/vSphere-Upgrade-Install/After-upgrade-to-6-5-update-1-broken-AD-authentication/m-p/1409956#M15715 <HTML><HEAD></HEAD><BODY><P>Thank You.</P><P>After correct /etc/hostname by hand ("<SPAN style="font-size: small; font-family: 'Courier New';">/opt/likewise/bin/domainjoin-cli sethostname" got error) and join by hand, I got oportunity to add Windows authentication mechanism.<BR /></SPAN></P><P></P></BODY></HTML> Wed, 16 Aug 2017 13:27:18 GMT https://communities.vmware.com/t5/vSphere-Upgrade-Install/After-upgrade-to-6-5-update-1-broken-AD-authentication/m-p/1409956#M15715 KuznetsovA 2017-08-16T13:27:18Z https://communities.vmware.com/t5/vSphere-Upgrade-Install/After-upgrade-to-6-5-update-1-broken-AD-authentication/m-p/1409957#M15716 <HTML><HEAD></HEAD><BODY><P>It is the same for me.</P><P>After a reboot I noticed that the hostname has been set back to "<SPAN style="font-family: courier new,courier;">localhost.localdom</SPAN>".</P><P></P><P>I used the command</P><PRE __default_attr="plain" __jive_macro_name="code" class="jive_macro_code _jivemacro_uid_15041814865898882 jive_text_macro" data-renderedposition="93.5_8_1232_16" jivemacro_uid="_15041814865898882" modifiedtitle="true"><P><CODE>/opt/likewise/bin/domainjoin-cli join <EM>domain-name</EM> <EM>domain_admin_user</EM></CODE></P></PRE><P>to change it back and <STRONG>didn't reboot</STRONG> after that.</P><P>Immediately after changing the name the AD authentication worked again.</P><P></P><P>This has to be a bug not yet resolved ... pretty bad that you have to search for hours for something that hasn't been a problem in the past.</P></BODY></HTML> Thu, 31 Aug 2017 12:11:27 GMT https://communities.vmware.com/t5/vSphere-Upgrade-Install/After-upgrade-to-6-5-update-1-broken-AD-authentication/m-p/1409957#M15716 NelsonCandela 2017-08-31T12:11:27Z https://communities.vmware.com/t5/vSphere-Upgrade-Install/After-upgrade-to-6-5-update-1-broken-AD-authentication/m-p/1409958#M15717 <HTML><HEAD></HEAD><BODY><P>The reason could also be the domain functional level, see compatibility matrix below</P><P><span class="lia-inline-image-display-wrapper" image-alt="pastedImage_0.png"><img src="https://communities.vmware.com/t5/image/serverpage/image-id/1347iAF8B036A7C5861AA/image-size/large?v=v2&amp;px=999" role="button" title="pastedImage_0.png" alt="pastedImage_0.png" /></span></P></BODY></HTML> Sun, 10 Jun 2018 21:32:33 GMT https://communities.vmware.com/t5/vSphere-Upgrade-Install/After-upgrade-to-6-5-update-1-broken-AD-authentication/m-p/1409958#M15717 TomasLupek 2018-06-10T21:32:33Z