Solved: Re: ESXi 4.1 gss_acquire_cred failed on login

TBKDan · ‎09-01-2010

I have an ESXi 4.1 with the free license installed on a Dell Poweredge 1950. I joined it to our Active Directory domain and everything was working great until yesterday. Whenever anybody tries to login with "Use Windows Session Credentials" it fails with a simple dialog to the client stating "gss_acquire_cred failed" and "Ok". If I manually type in DOMAIN\username and the password, it logs in just fine. This is happening on both XP and Win7 clients. I originally thought it was an isolated client issue until I started getting it as well - I then saw the errors in the hostd.log on the server. I've tried rebooting the server with no effect. Any ideas?

~~2010-09-01 14:46:03.179 3B340B90 verbose 'HTTP server'~~ Sent response for HEAD /client/clients.xml (from /usr/lib/vmware/hostd/docroot)

~~2010-09-01 14:46:03.259 3B340B90~~ error 'GSSAPI' opID=ED424956-00000003 gss_acquire_cred failed: (0x000d0000, 0x96c73aa9)

~~2010-09-01 14:46:03.259 3B340B90 info 'App' opID=ED424956-00000003~~ AdapterServer caught exception: 3b6074b0

~~2010-09-01 14:46:03.259 3B340B90 info 'Vmomi' opID=ED424956-00000003~~ Activation : Invoke done on ~~vim.SessionManager:ha-sessionmgr~~

~~2010-09-01 14:46:03.259 3B340B90 verbose 'Vmomi' opID=ED424956-00000003~~ Arg base64Token:

~~-snip~~-

~~2010-09-01 14:46:03.260 3B340B90 verbose 'Vmomi' opID=ED424956-00000003~~ Arg locale:

"en_US"

~~2010-09-01 14:46:03.260 3B340B90 info 'Vmomi' opID=ED424956-00000003~~ Throw vmodl.fault.SystemError

~~2010-09-01 14:46:03.260 3B340B90 info 'Vmomi' opID=ED424956-00000003~~ Result:

(vmodl.fault.SystemError) {

dynamicType = <unset>,

faultCause = (vmodl.MethodFault) null,

{color:#ff0000}reason = "gss_acquire_cred failed",

msg = "",

}

Xtragravity · ‎03-15-2011

Here's how I fixed the log on with Windows Session Credentials issue.

SSH onto the ESXi host.

Change directory to /scratch/var/tmp

Delete the file host_0 (or move it to an alternative location if you want to play safe).

Using the vSphere client, log onto the ESXi host with the Use Windows Session Credentials option selected. It should work and host_0 gets recreated.

I must admit, I'm not sure what this file does or how it suddenly gets corrupted, but recreating is appears to fix the issue.

View solution in original post

TBKDan · ‎09-02-2010

Another thing I want to mention is that these same clients work fine with "Use Windows Session Credentials" with a vCenter server and a different ESXi 4.1 free server. It's only this box that gives me issues.

TBKDan · ‎09-03-2010

I just tried removing the machine from the domain and then re-adding it... same result.

TBKDan · ‎09-08-2010

Anybody...?

f10 · ‎09-08-2010

I have seen this error in the past if there is a time difference between the domain controller and the ESX host, could you confirm this ?

If you found this or other information useful, please consider awarding points for "Correct" or "Helpful".

f10

VCP3,VCP4,HP UX CSA

Regards, Arun Pandey VCP 3,4,5 | VCAP-DCA | NCDA | HPUX-CSA | http://highoncloud.blogspot.in/ If you found this or other information useful, please consider awarding points for "Correct" or "Helpful".

TBKDan · ‎09-08-2010

The time is spot on and I have NTP set up to sync to the domain controllers for this domain. If it wasn't on, then I would probably have an issue with typed-in credentials as well - "Use windows session credentials" is the only time I have issues.

Chamon · ‎09-08-2010

If it works with DomainName\UserName it may be by design. Do you have multiple domains in this forest?

Sorry missed the part that it works on other hosts and with other users. Can you find anything that is either configured differently or about the users that are connecting?

TBKDan · ‎09-08-2010

No... it looks like it's exactly the same as the other host that I have that is working perfectly. The weird thing is that this did work before... it just stopped working out of nowhere. I'm tempted to try removing it from the domain and then deleting the krb5.keytab file and then rejoining... that's all I've been able to find about this particular error, even if it's not vmware specific.

Chamon · ‎09-08-2010

Is this host in VC? Or was it when you were able to connect without the DomainName? I only have one ESXi4.1 host in my lab right now. When I try to log in without the DomainName\User name I get a Unknown user name or bad password error. Do they have a preferred DC to connect to configured?

TBKDan · ‎09-08-2010

This is a standalone, free ESXi server that is configured exactly like another one that I have in my environment (which has no issues).

If, at the login prompt, I tick the "Use Windows Session Credentials" box and click login, I get the error mentioned above. This used to work fine, and still does work fine on another box in the domain.

If I manually type in DOMAIN\username and my password, it works fine.

Things I tried today:

Leaving the domain

Deleting the computer object out of AD

Copying over the /etc/likewise directory and /etc/krb5.conf/keytab files from a virgin install.

Move /tmp/krb5* to a different tmp folder.

Restart lwiod

Rejoin the domain

No effect... still has the stuipd gss_acquire_cred failed.... anything else I'm missing?

TBKDan · ‎09-15-2010

Bump... anybody?

bertus02 · ‎09-24-2010

TBKDan - I was wondering if you have found a fix to this issue. I have also followed the same troubleshooting steps you have taken...

-removed esxi 4.1 server from domain/rejoined

-made sure ntp was correct

-reviewed security logs on the domain controller

I can auth find if i manually enter in domain\username password fields but when i hit the checkbox for passthrough it fails with the same error.

We have 4 esxi 4.1 servers in virtual center and a standalone esxi 4.1 server.

The virtual center servers are fine it just the standalone.

TBKDan · ‎09-24-2010

No, I have not found a solution yet - we're in the midst of a building move so I haven't really had time to focus on this. A sad bit of info though - another box that was working just stopped working with this same exact error. Wasn't rebooted or anything... just stopped working one day. Would really like to get this fixed....

mkennetha · ‎11-12-2010

BUMP

I've got this too.

claraITS · ‎11-15-2010

I'he got this too. Can anyone help to solve this issue?

hpn99 · ‎11-16-2010

I have the same problem

since Friday.

I have two standalone ESXi

4.1 machines. On both the login with credentials has worked fine. Since last

Friday the login with credentials works only on one of the two. On the second I

get a gss_acquire_cred error when I try to login with "Use Windows session

credentials". Using explicit domain and user name works.

The only difference between

the two machines is that on the not working one the ESXi was installed new. The

installation on the working one was an upgrade installation. But both

installations were working fine the last month.

Does HHhanybody have an idea?

TBKDan · ‎12-10-2010

Given that it seems to work for a bit and then bombs out after a while, I wonder if it has something to do with computer accounts that are, through group policy, supposed to change their password after x (default 30) days...

mkennetha · ‎12-10-2010

Nope, that's not it - we don't have any of those restrictions.

This thing is REALLY annoying, though - I'm doing a fresh install on the weekend to (hopefully) fix it. Just love going to the office on Saturday instead of playing with my kids... hasn't aybody got a clue here??

bertus02 · ‎12-10-2010

I finally said screw it...

Vmotion->reinstall->add to vcenter problem fixed

Nigel3 · ‎12-15-2010

Getting the exact same issueon ESXi 4.1 here, one of my hosts wont alllow me to "Use Windows session credentials", using doamin/username & password manually works fine, is a reinstall of the host the only fix?

All

ESXi 4.1 gss_acquire_cred failed on login