Good day
I have an issue where I am unable to connect to any of my newly deployed VCSAs (4 appliances - 2 are version 6.5 and 2 are version 6.5U1)...
Connect-VIServer vcsa01.domain.corp -verbose
prompts for credentials even though PowerCLI is launched with valid credentials. If I supply the same credentials as I am using to execute PowerShell, all is 100%.
Verbose output:
VERBOSE: Attempting to connect using SSPI
VERBOSE: Reversely resolved 'vcsa01.domain.corp' to 'vcsa01.domain.corp'
VERBOSE: SSPI Kerberos: Acquired credentials for user 'IB\Username'
VERBOSE: SSPI Kerberos: InitializeSecurityContext failed for target 'host/vcsa01.domain.corp'. Error code: 0x80090303
VERBOSE: Connect using SSPI was unsuccessful
I have applied a change to /etc/nsswitch.conf "passwd: files ato lsass" which did not help. domain.corp is the default domain and I have tried launching PowerShell with the IB\Username or the Username@domain.corp and neither resolves the issue.
Please let me know if a dump of the vpxd.log will help. It is a very chatty log so it's proving to be very difficult to get a slice of the log when only this logon is being attempted.
Any help would be highly appreciated. Thank you very much.
Are you able to log in with cached credentials via the web client?
Have you made your AD the default domain in the PSC?
I had a similar issue where I couldn't log in with cached credentials via the web client, thick client (vSphere 6.0), or PowerCLI. When we contacted support, they had us reboot our external PSC and then the VCSA. After everything was back online, I was able to log in with cached credentials.
Greetings
Thank you very much for the reply.
Yes, indeed the default domain is our AD. It works perfectly in the Web UI logon process. It's just a problem in PowerCLI.
Thank you very much!
No problem! If you could, I'd appreciate it if you would mark the post as helpful or answered to award points.
Thanks!
Hi,
The Windows login account should have access to vCenter.
PowerCLI restricted access should be enabled.
The AD account should be part of the local admin group, and the machine you are trying from should be in the domain.