VMware Cloud Community
JzTech
Enthusiast

Failing to log on to vCenter VCSA using integrated authentication.

Good day

I have an issue where I am unable to connect to any of my newly deployed VCSAs (4 appliances - 2 are version 6.5 and 2 are version 6.5U1)...

Connect-VIServer vcsa01.domain.corp -verbose

prompts for credentials even though PowerCLI is launched with valid credentials. If I supply the same credentials as I am using to execute PowerShell, all is 100%.

Verbose output:

VERBOSE: Attempting to connect using SSPI

VERBOSE: Reversely resolved 'vcsa01.domain.corp' to 'vcsa01.domain.corp'

VERBOSE: SSPI Kerberos: Acquired credentials for user 'IB\Username'

VERBOSE: SSPI Kerberos: InitializeSecurityContext failed for target 'host/vcsa01.domain.corp'. Error code: 0x80090303

VERBOSE: Connect using SSPI was unsuccessful

I have applied a change to /etc/nsswitch.conf "passwd: files ato lsass" which did not help. domain.corp is the default domain and I have tried launching PowerShell with the IB\Username or the Username@domain.corp and neither resolves the issue.

Please let me know if a dump of the vpxd.log will help. It is a very chatty log so it's proving to be very difficult to get a slice of the log when only this logon is being attempted.

Any help would be highly appreciated. Thank you very much.

0 Kudos
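
The failing line in the verbose output above carries both the SPN that SSPI requested and an SSPI status code. As an added example (not part of the original thread or of PowerCLI), this PowerShell extracts the two values from the quoted lines and names the status using the standard Windows `winerror.h` definitions; the function name `Get-SspiFailure` is hypothetical, and the two commented commands at the end assume a domain-joined Windows client.

```powershell
# Constructed sample: the verbose lines quoted in the post above.
$verbose = @'
VERBOSE: Attempting to connect using SSPI
VERBOSE: Reversely resolved 'vcsa01.domain.corp' to 'vcsa01.domain.corp'
VERBOSE: SSPI Kerberos: Acquired credentials for user 'IB\Username'
VERBOSE: SSPI Kerberos: InitializeSecurityContext failed for target 'host/vcsa01.domain.corp'. Error code: 0x80090303
VERBOSE: Connect using SSPI was unsuccessful
'@ -split "`r?`n"

# Subset of SSPI status codes as defined in winerror.h.
$sspiStatus = @{
    '0x80090303' = 'SEC_E_TARGET_UNKNOWN: the specified target (SPN) is unknown or unreachable'
    '0x8009030C' = 'SEC_E_LOGON_DENIED: the logon attempt failed'
    '0x80090311' = 'SEC_E_NO_AUTHENTICATING_AUTHORITY: no authority could be contacted'
    '0x80090322' = 'SEC_E_WRONG_PRINCIPAL: the target principal name is incorrect'
    '0x80090324' = 'SEC_E_TIME_SKEW: client and server clocks are skewed'
}

# Hypothetical helper: returns one object per failed InitializeSecurityContext line.
function Get-SspiFailure {
    param([string[]]$Lines)
    $pattern = "InitializeSecurityContext failed for target '([^']+)'\. Error code: (0x[0-9A-Fa-f]{8})"
    foreach ($line in $Lines) {
        if ($line -match $pattern) {
            $code = '0x' + $Matches[2].Substring(2).ToUpper()
            [pscustomobject]@{
                TargetSpn = $Matches[1]
                ErrorCode = $code
                Meaning   = if ($sspiStatus.ContainsKey($code)) { $sspiStatus[$code] }
                            else { 'not in this table; see winerror.h' }
            }
        }
    }
}

Get-SspiFailure -Lines $verbose | Format-List

# Follow-up checks on a domain-joined client (need a reachable domain controller):
#   setspn -Q host/vcsa01.domain.corp   # is this SPN registered on any AD account?
#   klist get host/vcsa01.domain.corp   # can this logon session obtain a ticket for it?
```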
4 Replies
BenLiebowitz
Expert

Are you able to log in with cached credentials via the web client?

Have you made your AD the default domain in the PSC?

I had a similar issue where I couldn't log in with cached credentials via the web client, thick client (vSphere 6.0), nor PowerCLI. When we contacted support, they had us reboot our external PSC and then the VCSA. After everything was back online, I was able to log in with cached credentials.

Ben Liebowitz, VCP vExpert 2015, 2016, & 2017 If you found my post helpful, please mark it as helpful or answered to award points.
0 Kudos
JzTech
Enthusiast

Greetings

Thank you very much for the reply.

Yes, indeed the default domain is our AD. It works perfectly in the Web UI logon process. It's just a problem in PowerCLI.

Thank you very much!

0 Kudos
BenLiebowitz
Expert

No problem! If you could, I'd appreciate it if you would mark the post as helpful or answered to award points.

Thanks!

Ben Liebowitz, VCP vExpert 2015, 2016, & 2017 If you found my post helpful, please mark it as helpful or answered to award points.
0 Kudos
RAJ_RAJ
Expert

Hi,

The Windows login account should have access to vCenter.

PowerCLI restricted access should be enabled.

The AD account should be part of the local admin group, and the machine being used should be in the domain.

RAJESH RADHAKRISHNAN VCA -DCV/WM/Cloud,VCP 5 - DCV/DT/CLOUD, ,VCP6-DCV, EMCISA,EMCSA,MCTS,MCPS,BCFA https://ae.linkedin.com/in/rajesh-radhakrishnan-76269335 Mark my post as "helpful" or "correct" if I've helped resolve or answered your query!
0 Kudos