We've had AD authentication working on our fleet of 40 ESX 301 servers since inception. We set up our auth via esxcfg-auth per standard guidelines:
esxcfg-auth --enablead --addomain domain.com --addc dc.domain.com
Our security folks are seeing hundreds of event ID 675 errors on the domain controllers related to the logons to our ESX boxes. We have monitoring tools that log on to each ESX box every few minutes, thus the reason for the high numbers.
This is the error on the ESX side:
sshd(pam_unix): authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=windowsADserver user=monitoringuser
Error on the Windows side:
Pre-authentication failed: User Name: user User ID: domainuser Service Name: krbtgt/domain Pre-Authentication Type: 0x0 Failure Code: 0x19 Client Address: clientIP
Here are the Kerberos modules we have loaded:
Has anyone had to deal with these from the ESX side? I realize we can turn Kerberos pre-authentication off in AD per user, but the security spooks don't like that.
I opened a minor ticket with VMware to parallel this thread.
Mothers, don't let your children do production support for a living!
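
An added example, not part of the original post: a triage script for exported event 675 records that maps the Failure Code field to its RFC 4120 error name and lists the user/client pairs that logged anything other than 0x19 (KDC_ERR_PREAUTH_REQUIRED). The function names, user names, domain and addresses are assumptions, and the sample records are constructed in the flattened layout quoted above.

```python
import re
from collections import Counter, defaultdict

# Kerberos error numbers (RFC 4120) as they appear in the "Failure Code" field.
KRB_ERRORS = {
    0x06: "KDC_ERR_C_PRINCIPAL_UNKNOWN",
    0x12: "KDC_ERR_CLIENT_REVOKED",
    0x17: "KDC_ERR_KEY_EXPIRED",
    0x18: "KDC_ERR_PREAUTH_FAILED",    # pre-auth data supplied but did not validate
    0x19: "KDC_ERR_PREAUTH_REQUIRED",  # request carried no pre-auth data; KDC asks for it
    0x25: "KRB_AP_ERR_SKEW",
}

EVENT_675 = re.compile(
    r"User Name:\s*(?P<user>\S+).*?"
    r"Failure Code:\s*(?P<code>0x[0-9A-Fa-f]+)\s+"
    r"Client Address:\s*(?P<client>\S+)"
)

def summarize(lines):
    """Count failure codes per (user, client address) pair."""
    summary = defaultdict(Counter)
    for line in lines:
        m = EVENT_675.search(line)
        if m:
            code = int(m.group("code"), 16)
            name = KRB_ERRORS.get(code, f"UNKNOWN_{code:#04x}")
            summary[(m.group("user"), m.group("client"))][name] += 1
    return dict(summary)

def needs_review(summary):
    """Pairs that logged anything other than KDC_ERR_PREAUTH_REQUIRED."""
    return sorted(pair for pair, codes in summary.items()
                  if set(codes) - {"KDC_ERR_PREAUTH_REQUIRED"})

# Constructed sample records (hypothetical users, documentation-range addresses).
FMT = ("Pre-authentication failed: User Name: {u} User ID: DOMAIN\\{u} "
       "Service Name: krbtgt/DOMAIN Pre-Authentication Type: {p} "
       "Failure Code: {c} Client Address: {a}")
SAMPLE = [FMT.format(u=u, p=p, c=c, a=a) for u, p, c, a in [
    ("monitoringuser", "0x0", "0x19", "192.0.2.10"),
    ("monitoringuser", "0x0", "0x19", "192.0.2.10"),
    ("jdoe", "0x0", "0x19", "192.0.2.11"),
    ("jdoe", "0x2", "0x18", "192.0.2.11"),
]]

if __name__ == "__main__":
    print(needs_review(summarize(SAMPLE)))
```

Splitting the counts this way lets the monitoring account's 0x19 volume be reported separately from 0x18 records, which indicate pre-authentication data that failed validation.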