VMware Cloud Community
unsichtbare
Expert

ESXi 5.5 and Active Directory problems

Something has clearly changed in the default Active Directory behavior for ESXi 5.5.

I can successfully join a fresh-installed from ISO standalone ESXi 5.5 (1331820) to my domain using the vSphere Client. Time is correct on the host and domain controller, so it is not that. I also see the default group esx^admins which has automatically been configured as Administrator in the host permissions tab (because that group is configured in AD since about 2009).

Unfortunately, logging in to ESXi with the vSphere Client "Use Windows session credentials" is spotty at best - it seems to have worked one or two times - and logging in to the shell or via SSH using Windows credentials (we tried account@mydomain.com and mydomain\account) does not work at all.

We thought we were crazy, so we went back and installed 5.1 all over again - and it worked fine. We compared the /etc/hosts and /etc/krb5.conf files on both machines and could not find any differences!

Does anyone have an idea?

THX

+The Invisible Admin+ If you find me useful, follow my blog: http://johnborhek.com/
1 Solution

Accepted Solutions
unsichtbare
Expert

Simple solution:

Either reboot the host or run: /usr/sbin/services.sh restart

This has not been necessary since directory-based authentication has been supported in the GUI, but it is now. After a restart AD works like it should.

+The Invisible Admin+ If you find me useful, follow my blog: http://johnborhek.com/

0 Kudos
9 Replies
TheITHollow
Enthusiast

Any chance you're running Server 2012 for vCenter and AD?

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=206090...

http://www.theithollow.com
0 Kudos
unsichtbare
Expert

Using W2K8 for AD and have not stood up vCenter yet.

+The Invisible Admin+ If you find me useful, follow my blog: http://johnborhek.com/
0 Kudos
unsichtbare
Expert

Update:

The original install was the HP VIB - we now tried using the VMware-stock image: VMware-VMvisor-Installer-5.5.0-1331820.x86_64

After joining the domain and verifying that the permissions exist, no login is possible with the vSphere client or shell/ssh using AD credentials. root, as expected, works fine.

+The Invisible Admin+ If you find me useful, follow my blog: http://johnborhek.com/
0 Kudos
huffz
Contributor

Hello,

I'm having the exact same problem, ESXi 5.5 won't let me login with domain credentials:

"Cannot complete login due to an incorrect user name or password"

works on all other ESXi hosts < 5.5

Running services.sh restart as mentioned by unsichtbare doesn't work here, still same error.

Here's the log from hostd.log:

2013-10-17T13:18:15.288Z [39640B70 verbose 'Default' opID=C3439D6B-00000003] AdapterServer: target='vim.SessionManager:ha-sessionmgr', method='loginBySSPI'
2013-10-17T13:18:15.294Z [39681B70 verbose 'GSSAPI' opID=C3439D6B-00000003] Service name: (host/esxihost.ourdomain.zz@OURDOMAIN.ZZ)
2013-10-17T13:18:15.295Z [39681B70 error 'GSSAPI' opID=C3439D6B-00000003] gss_accept_sec_context failed: (0x000d0000, 0x96c73a1f)
2013-10-17T13:18:15.296Z [39681B70 error 'GSSAPI' opID=C3439D6B-00000003] Supported mechanisms: ({ 1 2 840 113554 1 2 2 } , { 1 3 5 1 5 2 } , { 1 2 840 48018 1 2 2 } , { 1 3 6 1 5 5 2 } )
2013-10-17T13:18:15.296Z [39681B70 info 'Default' opID=C3439D6B-00000003] AdapterServer caught exception: vim.fault.InvalidLogin
2013-10-17T13:18:15.296Z [39681B70 info 'Solo.Vmomi' opID=C3439D6B-00000003] Activation [N5Vmomi10ActivationE:0x39749d38] : Invoke done [loginBySSPI] on [vim.SessionManager:ha-sessionmgr]
2013-10-17T13:18:15.296Z [39681B70 verbose 'Solo.Vmomi' opID=C3439D6B-00000003] Arg base64Token:
--> "[...]"
2013-10-17T13:18:15.296Z [39681B70 verbose 'Solo.Vmomi' opID=C3439D6B-00000003] Arg locale:
--> "en_US"
2013-10-17T13:18:15.296Z [39681B70 info 'Solo.Vmomi' opID=C3439D6B-00000003] Throw vim.fault.InvalidLogin
2013-10-17T13:18:15.296Z [39681B70 info 'Solo.Vmomi' opID=C3439D6B-00000003] Result:
--> (vim.fault.InvalidLogin) {
-->    dynamicType = <unset>,
-->    faultCause = (vmodl.MethodFault) null,
-->    msg = "",
--> }

Any idea how I can solve this?

0 Kudos
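An added triage example, not part of the original post: it groups hostd.log lines by opID and reports each loginBySSPI attempt that ended in InvalidLogin after a GSSAPI failure, with the service principal and decoded status words. The function names are hypothetical, and decoding the minor status assumes the host's GSSAPI library uses the MIT krb5 error-table base.

```python
import re
from collections import defaultdict

# First four lines are taken from the hostd.log excerpt in the post above;
# the last line (opID=EXAMPLE01-...) is constructed to show a non-failing attempt.
SAMPLE = """\
2013-10-17T13:18:15.288Z [39640B70 verbose 'Default' opID=C3439D6B-00000003] AdapterServer: target='vim.SessionManager:ha-sessionmgr', method='loginBySSPI'
2013-10-17T13:18:15.294Z [39681B70 verbose 'GSSAPI' opID=C3439D6B-00000003] Service name: (host/esxihost.ourdomain.zz@OURDOMAIN.ZZ)
2013-10-17T13:18:15.295Z [39681B70 error 'GSSAPI' opID=C3439D6B-00000003] gss_accept_sec_context failed: (0x000d0000, 0x96c73a1f)
2013-10-17T13:18:15.296Z [39681B70 info 'Solo.Vmomi' opID=C3439D6B-00000003] Throw vim.fault.InvalidLogin
2013-10-17T13:19:02.100Z [39640B70 verbose 'Default' opID=EXAMPLE01-00000001] AdapterServer: target='vim.SessionManager:ha-sessionmgr', method='loginBySSPI'
"""

LINE = re.compile(r"^(\S+) \[\w+ (\w+) '([^']+)' opID=(\S+)\] (.*)$")
GSS_FAIL = re.compile(r"gss_accept_sec_context failed: \((0x[0-9a-f]+), (0x[0-9a-f]+)\)", re.I)
SERVICE = re.compile(r"Service name: \((.+)\)")

GSS_ROUTINE_ERRORS = {13: "GSS_S_FAILURE"}      # RFC 2744: routine error is bits 16-23
KRB5_BASE = 0x96C73A00                          # assumption: MIT krb5 com_err table base
KRB5_ERRORS = {31: "KRB_AP_ERR_BAD_INTEGRITY"}  # RFC 4120 error code 31

def decode(major, minor):
    """Turn the two GSSAPI status words into symbolic names where known."""
    routine = (major >> 16) & 0xFF
    name = GSS_ROUTINE_ERRORS.get(routine, f"routine_error_{routine}")
    off = minor - KRB5_BASE
    krb = KRB5_ERRORS.get(off, f"krb5_code_{off}") if 0 <= off < 256 else hex(minor)
    return name, krb

def failed_sspi_logins(text):
    """Return {opID: details} for SSPI logins rejected after a GSSAPI error."""
    ops = defaultdict(dict)
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # continuation lines ("--> ...") carry no opID
        ts, _level, _subsystem, opid, msg = m.groups()
        rec = ops[opid]
        if "method='loginBySSPI'" in msg:
            rec["time"] = ts
        elif (s := SERVICE.search(msg)):
            rec["spn"] = s.group(1)
        elif (g := GSS_FAIL.search(msg)):
            rec["gss"] = decode(int(g.group(1), 16), int(g.group(2), 16))
        elif "Throw vim.fault.InvalidLogin" in msg:
            rec["rejected"] = True
    return {k: v for k, v in ops.items() if v.get("rejected") and "gss" in v}
```

Under that assumption, the minor status in the excerpt is Kerberos error 31, an integrity-check failure while decrypting the ticket presented for the host/ principal, so the rejection happens at the host's Kerberos layer before any role or permission lookup.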
unsichtbare
Expert

In this case, I think you may need to go to the permissions tab of your ESXi host and add your user/group as administrator.

+The Invisible Admin+ If you find me useful, follow my blog: http://johnborhek.com/
0 Kudos
huffz
Contributor

unsichtbare wrote:

In this case, I think you may need to go to the permissions tab of your ESXi host and add your user/group as administrator.

Thanks, actually that did it!

To be exact: The DOMAIN\esx^admins group was already listed on the permissions tab before (when it didn't work).

I just added the same group again with default "read only" permissions, then changed it back to the Administrator Role.

After that it worked!

Quite strange though.

As far as I can think, there were never any manual adjustments needed.

0 Kudos
Gortee
Hot Shot

Morning,

You may also be running into this issue:

http://blog.jgriffiths.org/?p=677

Joseph Griffiths http://blog.jgriffiths.org @Gortees VCDX-DCV #143
0 Kudos
vm7user
Enthusiast

I also regularly have this issue on vSphere 5.5 U1/U2 hosts.

Only running "/usr/sbin/services.sh restart" helps me...

When will VMware fix this bug?

0 Kudos