Hi,
Our test VMware environment was upgraded from 7.3 to 8 and now AD SSO isn't working. After leaving the domain and then trying to reattach to AD via the GUI I get the error 'Idm client exception: Error trying to join AD, error code [2453]'
It seems a possible fix for this is to use the CLI, so I tried this method:
/opt/likewise/bin/domainjoin-cli join domain.com user password
And that returns a different error:
Error: LW_ERROR_KRB5KDC_ERR_POLICY [code 0x0000a30e]
KDC policy rejects request
I can't find much about this error. It's trying to connect to a 2016 functional-level domain with only 2022 servers in it. DNS etc. resolves OK, but I'm not having much luck finding why the Kerberos error appears.
IWA is being deprecated in future releases: https://kb.vmware.com/s/article/78506
I encourage you to swap to Active Directory over LDAP; it is much more reliable and you face far fewer bugs.
Have you been able to resolve it?
I am in the same boat with the newly deployed VCSA 8.02 and not having a lot of luck.
Granted, I initially set it up with an IP as I couldn't get it to deploy with a FQDN; it would hang on Stage 2 at 0%. According to VMware (Join or Leave an Active Directory Domain), that's a no-go:
Idm client exception: Error trying to join AD, error code [31], user [1st.last], domain [mydomain.com], orgUnit []
root@vcenter [ ~ ]# /opt/likewise/bin/domainjoin-cli join mydomain.com 1st.last
Joining to AD Domain: mydomain.com
With Computer DNS Name: vcenter.mydomain.com
1st.last@MYDOMAIN.COM's password:
Error: ERROR_GEN_FAILURE [code 0x0000001f]
I got exactly the same errors as you, and I got it to work.
To fix it I went to the vCenter interface and changed the time synchronisation to:
Mode = NTP
Time server = MyAD.home
That was it, because the local time on the vSphere server was completely off. AD is very time sensitive; I believe the time difference between the AD and the server should not be higher than 5 min. Otherwise you get these errors.
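As an added example (not posted by anyone in this thread), a small POSIX sh check that reads the offset reported by `ntpdate -q <dc>` and refuses to proceed with domainjoin-cli when the appliance clock is outside the 5-minute Kerberos tolerance. The sample output line, server address and threshold handling are constructed for this example; on a live appliance you would feed it the real `ntpdate -q` line as shown in the final comment.

```shell
#!/bin/sh
# Pre-join clock-skew check. Assumes the "server ..., offset N, delay N"
# line format printed by `ntpdate -q`; the sample below is constructed.
MAX_SKEW=300   # Kerberos default clock-skew tolerance, in seconds (5 min)

# Extract the offset (seconds, may be negative) from an ntpdate -q line.
parse_offset() {
    printf '%s\n' "$1" | sed -n 's/.*offset \([-0-9.][-0-9.]*\).*/\1/p'
}

# Return 0 when |offset| <= MAX_SKEW, 1 otherwise (awk handles the float).
skew_ok() {
    awk -v off="$1" -v max="$MAX_SKEW" \
        'BEGIN { if (off < 0) off = -off; exit (off <= max) ? 0 : 1 }'
}

# Constructed sample: an appliance running almost 7 minutes behind its DC.
SAMPLE="server 10.0.0.10, stratum 2, offset -412.531204, delay 0.02573"

# Parse one ntpdate line, report, and return 0 only if the join may proceed.
check_line() {
    off=$(parse_offset "$1")
    if [ -z "$off" ]; then
        echo "could not find an offset in: $1"
        return 1
    fi
    if skew_ok "$off"; then
        echo "clock offset ${off}s is within ${MAX_SKEW}s; safe to run domainjoin-cli"
        return 0
    fi
    echo "clock offset ${off}s exceeds ${MAX_SKEW}s; fix NTP first or the KDC will reject the join"
    return 1
}

# Live use on the appliance (hypothetical DC name):
#   check_line "$(ntpdate -q dc01.mydomain.com | grep offset)" && /opt/likewise/bin/domainjoin-cli join ...
check_line "$SAMPLE" || true
```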