VMware Cloud Community
AdrianLake
Contributor

'Idm client exception: Error trying to join AD, error code [2453]' when trying to connect to AD

Hi,

Our test VMware environment was upgraded from 7.3 to 8 and now AD SSO isn't working. After leaving the domain and then trying to reattach to AD via the GUI, I get the error 'Idm client exception: Error trying to join AD, error code [2453]'.

It seems a possible fix for this is to use the CLI, so I tried this method:

/opt/likewise/bin/domainjoin-cli join domain.com user password

And that returns a different error:

Error: LW_ERROR_KRB5KDC_ERR_POLICY [code 0x0000a30e]

KDC policy rejects request

I can't find much about this error. It's trying to connect to a 2016 functional level domain with only 2022 servers in it; DNS etc. resolves OK, but I'm not having much luck finding why the Kerberos error appears.


3 Replies
Lalegre
Virtuoso

@AdrianLake,

IWA is being deprecated in future releases: https://kb.vmware.com/s/article/78506

I encourage you to swap to Active Directory over LDAP; it is much more reliable and you face far fewer bugs.

marauli
Enthusiast

Have you been able to resolve it?

I am in the same boat with the newly deployed VCSA 8.02 and not having a lot of luck.

Granted, I initially set it up with an IP as I couldn't get it to deploy as an FQDN; it would hang on Stage 2 at 0%. According to VMware (Join or Leave an Active Directory Domain), that's a no-go:

  • Verify that the system name of the appliance is an FQDN. If, during the deployment of the appliance, you set an IP address as a system name, you cannot join vCenter Server to an Active Directory domain.
The system name is now an FQDN, yet I'm getting this when trying to join the domain in the vCenter administration UI (https://vcenter.mydomain.com/ui/app/admin/sso-configuration/identity-provider):


Idm client exception: Error trying to join AD, error code [31], user [1st.last], domain [mydomain.com], orgUnit []


(The error code was [2453] before; not sure what changed.)
... and this when trying to do it in the shell:


root@vcenter [ ~ ]# /opt/likewise/bin/domainjoin-cli join mydomain.com 1st.last
Joining to AD Domain:   mydomain.com
With Computer DNS Name: vcenter.mydomain.com

1st.last@MYDOMAIN.COM's password:

Error: ERROR_GEN_FAILURE [code 0x0000001f]


Can't yet find anything in the logs either.
Ihopeyourgood
Contributor

I got exactly the same errors as you, and I got it to work.

To fix it I went to the vCenter interface and changed the time synchronisation to:

Mode = NTP

Time server = MyAD.home

That was it, because the local time on the vSphere server was completely off. AD is very time sensitive; I believe the time difference between the AD and the server should not be higher than 5 minutes, or else you get these errors.
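A preflight check for the two conditions this thread turns on before running domainjoin-cli (the appliance's system name must be an FQDN, and its clock skew against the domain must stay inside the Kerberos tolerance of 5 minutes that the last reply mentions), written as an added example that is not from this thread, from VMware or from Likewise. It sends one SNTP query to the domain controller and computes the offset per RFC 4330; the name vcenter.mydomain.com, the NTP source dc01.mydomain.com and the 300-second limit (the MIT Kerberos default clockskew) are assumptions.

```python
import socket
import struct
import time

NTP_EPOCH_OFFSET = 2208988800   # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)
MAX_SKEW_SECONDS = 300          # assumed Kerberos clock-skew tolerance: 5 minutes (MIT default)

def is_fqdn(name: str) -> bool:
    """True when the system name is a DNS FQDN rather than an IP literal or a bare hostname."""
    try:
        socket.inet_aton(name)
        return False                      # IPv4 literal, as in the deployment that could not join
    except OSError:
        pass
    if ":" in name:
        return False                      # IPv6 literal
    labels = name.rstrip(".").split(".")
    return len(labels) >= 2 and all(0 < len(label) <= 63 for label in labels)

def ntp_offset_from_packet(resp: bytes, t1: float, t4: float) -> float:
    """Clock offset (server minus client, seconds) from a 48-byte SNTP reply."""
    # t1/t4: client send/receive times; t2/t3: server receive/transmit stamps in words 8-11
    words = struct.unpack("!12I", resp[:48])
    t2 = words[8] - NTP_EPOCH_OFFSET + words[9] / 2**32
    t3 = words[10] - NTP_EPOCH_OFFSET + words[11] / 2**32
    return ((t2 - t1) + (t3 - t4)) / 2

def query_ntp_offset(server: str, timeout: float = 3.0) -> float:
    """Send one SNTP client request (UDP/123) and return the measured offset in seconds."""
    request = b"\x1b" + b"\0" * 47        # LI=0, VN=3, Mode=3 (client)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        t1 = time.time()
        sock.sendto(request, (server, 123))
        resp, _ = sock.recvfrom(48)
        t4 = time.time()
    return ntp_offset_from_packet(resp, t1, t4)

def skew_within_kerberos_limit(offset: float) -> bool:
    """Skew beyond the tolerance is what makes the KDC reject the ticket request during the join."""
    return abs(offset) <= MAX_SKEW_SECONDS

if __name__ == "__main__":
    # Assumed names: the appliance FQDN and the domain controller used as NTP source.
    name, dc = "vcenter.mydomain.com", "dc01.mydomain.com"
    print("system name is FQDN:", is_fqdn(name))
    off = query_ntp_offset(dc)
    print(f"offset {off:+.3f}s, within Kerberos limit: {skew_within_kerberos_limit(off)}")
```

Run it on the appliance after fixing the NTP setting; a positive offset means the appliance clock is behind the domain controller, a negative one means it is ahead.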