Have an existing 4-host cluster of ESXi 6.5. Most of the time we use vSphere to manage our environment and we have it joined to our local domain and permissions are set using domain groups or individual users. However, when I try to login directly to one of the hosts as a domain user that has full admin rights through vSphere, it doesn't work. I have to login to each host as the "root" account. Once on the host, under Manage\Authentication I see it is Active Directory enabled, membership status is OK and it shows the appropriate domain. If I click Users, then Add a User, I do not get presented an option to add a domain users, just create a new local user. Any ideas?
Please check the SSO configurations and check if supplied domain account is active ?
Then recheck your permissions given to vCenter on domain objects.
In vSphere, I checked the Administration\SSO\Configuration\Identity Sources and see our AD domain listed as the default. I do not see anywhere to specify or check what account is being used to communicate with AD. Looking under SSO\Users & Groups, I see all the AD users and groups listed so it is communicating. Looking over permissions again, I see that the correct group has the Administrator role specified for each of the 4 hosts. Members of this group can login to the vSphere client, but still can't login directly to a single host.
Are your hosts joined to your domain correctly ?
Any of your impacted host should show "Active Directory" & "<yourdomainname>" in "Authentication Services" under configuration tab.
I do see both those values under "Authentication Services" for each impacted host, this has always shown. I tried a direct login to a host using my domain admin credentials and it didn't work. So, I logged into that host using the "root" credentials to poke around some more. On the main page is the banner bar saying "This host is being managed by a vCenter Server..blah blah blah". Well, I noticed that "Actions" was clickable, so I clicked that and one of the options is "Permissions". Looking at Permissions window, it shows "dcui", "root", and "vpxuser". So I click "Add user", then thought I would try adding my domain admin group as "<domain>\domain admins", and it took it. I logged out, then tried logging into the same host with my domain admin credentials and it now lets me in! If I look at Manage\Security & Users\Users on the host, I still only see the "root" account as an Administrator role, I see nothing else listed there. Still confused, but it seems I'm getting somewhere.
When you add your ESXi host to AD (https://kb.vmware.com/s/article/2075361) you can change the Config.HostAgent.plugins.hostsvc.esxAdminsGroup advanced setting to match the Administrator group that you want to use in the Active Directory. After that, any member of that group can logon to the ESXi host.