topic Re: Can't use Windows session authentication after change from machine account to LDAPS in vCenter™ Server Discussions

Can't use Windows session authentication after change from machine account to LDAPS

Raudi — Fri, 12 Aug 2022 09:02:18 GMT

Hi,

i changed a customers VCSA 7.0.3.00500 from machine account to LDAPS, now we get this error when trying to use the Windows session authentication:

The specified target is unknown or unreachable

I found nothing regarding this error, what log-files should i search to find what goes wrong? Or what must i change to fix that error?

All other is working, login with only username, domain\username or username@domain.

Kind regards
Stefan

Re: Can't use Windows session authentication after change from machine account to LDAPS

Raudi — Tue, 16 Aug 2022 13:49:50 GMT

The same i have now in the PowerShell:

VERBOSE: Attempting to connect using SSPI
VERBOSE: Reversely resolved 'vc' to 'vc.domain.intern'
VERBOSE: SSPI Kerberos: Acquired credentials for user 'domain\user'
VERBOSE: SSPI Kerberos: InitializeSecurityContext failed for target 'host/vc.domain.intern'. Error code: 0x80090303
VERBOSE: Connect using SSPI was unsuccessful

I found something with google, that the VCSA still needs to be a member of the AD, is that possible?

Perhaps i need to rejoin the VCSA to the AD but then still use the LDAPS for authentication and not the machine account?

Re: Can't use Windows session authentication after change from machine account to LDAPS

Raudi — Tue, 16 Aug 2022 13:28:21 GMT

o.k. i made some tests in my testing environment, there i have the same problem and i'm using LDAPS too.

I joined the VCSA to the domain, but this has no change, only join isn't enough.

After deleting the LDAPS identity source and created a Machine Account identity source, i was able to connect to the vCenter in the PowerShell without entering my credentials.

So with IWA the login with the AD session is working but not with LDAPS.

Will this work with LDAPS? Or is this a limitation in LDAPS?

Re: Can't use Windows session authentication after change from machine account to LDAPS

Raudi — Tue, 16 Aug 2022 15:18:53 GMT

Seems to be by design.

When using AD with LDAPS no session authentication is possible, that is the feedback from the support.

The prerequisites for session authentication is that the vCenter is "joined" to the AD.

Will be nice when such informations will be written more clear in the documentation or in several KB articles, for example here: Deprecation of Integrated Windows Authentication (78506) (vmware.com)