VMware Cloud Community
JaredKeyes
Contributor
Contributor

Cannot login to vCenter 6.7u2 with Domain Credentials

Hello,

I recently added my vCenter to my Active Directory Domain and set the Domain to be the default identity source. I logged out of the Local Admin User, downloaded the Advanced Authentication Plug-In or whatever it's called and selected Use Windows Session Authentication and clicked login and it worked! However, when I try to manually type in my domain credentials it always tells me "INVALID CREDENTIALS". I've tried Domain\DomainName, DomainName@Domain.Com, just my DomainName, I've even gone to my DC and reset my password to make sure I was using the correct password. Can anyone point me in the direction of where I should start looking to see what this issue is?

Thanks,

Jared Keyes

Reply
0 Kudos
22 Replies
Gidrakos
Hot Shot
Hot Shot

Hey Jared,

I ran into the same thing with mine originally. Did you upgrade/convert an older vCenter to 6.7u2, or is this a fresh install?

Regardless, I found it better to use the command-line tools located in /opt/likewise/bin to get a better readout for how vCenter was connected to AD. My issue was that I had converted from a previous vCenter and the computer account associated in AD needed to be completely removed and re-added.

Also, check your websso.log and ssoAdminServer.log files in /var/log/vmware/sso to see what errors are popping up.

Reply
0 Kudos
RajeevVCP4
Expert
Expert

leave the domain (PSC) and reboot

then add back reboot

it will work

Rajeev Chauhan
VCIX-DCV6.5/VSAN/VXRAIL
Please mark help full or correct if my answer is use full for you
Reply
0 Kudos
JaredKeyes
Contributor
Contributor

UPDATE: Turns out I just need to delete the computer that was already in active directory to get it to connect again. Sorry, I'm still learning my way around vCenter. It's connected again, but the original problem still persists. Disconnecting and reconnecting did not fix the issue.

Oof,

I tried RajeevVCP4's solution first. After removing my vCenter from the domain and restarting it it can no longer find the domain.

The cli give me the error message "Error: NERR_DCNotFound [code 0x00000995]" and the web client gives me the error "ldm client exception: Error trying to join AD, error code [2453], user [DomainName], domain [domain.com] orgUnit[]"

Now, I've made sure I've opened ports 123, 135, 137, 139, 3268, 389, 445, 464, 88 using both tcp and udp as per this guide (https://www.altaro.com/vmware/how-to-join-esxi-to-active-directory-for-improved-management-and-secur... ) , I've created a host record and a ptr record in my DNS using the ip address of the vCenter, I've configured my vCenter to use my DC as an NTP service so their times are synced, but according to my firewall logs the vCenter server makes one query to my DC using port 53 which I've read is the DNS port and then fails.

I'll continue to search those logs that Gidrakos mentioned, and if it matters the answer to their first question is that this was an upgrade from an older version of vCenter (5.5 I believe), but was rebuilt a few months ago because it wasn't working correctly. Any other ideas welcomed and appreciated.

Jared Keyes

Reply
0 Kudos
JaredKeyes
Contributor
Contributor

FURTHER UPDATE:

After digging through the logs I found this error code "Native platform error [code: 851968]". After a quick bit of googling I found a solution on an older post here on the community forum which was to.....leave the domain, delete the computer account on Active Directory, and rejoin the domain... pretty much exactly what was suggested earlier (After upgrade to 6.5 update 1 broken AD authentication). After trying this twice I'm still having the same error.

Thoughts?

Jared Keyes

Reply
0 Kudos
johncol
VMware Employee
VMware Employee

odd one , Check your host file in /etc, are you joining with the gui or the cli - what is the output of /opt/likewise/bin/domainjoin-cli query

As mentioned before, the action plan should work

Clean up AD

Leave Domain /opt/likewise/bin/domainjoin-cli leave

Reboot

/opt/likewise/bin/domainjoin-cli join

Reply
0 Kudos
Gidrakos
Hot Shot
Hot Shot

As I suggested in my original reply, and like johncol said, use the CLI to leave, delete computer object in AD, then use CLi to re-join and you should be good. That's what I ended up having to do.

Glad you found something useful in the logs!

Reply
0 Kudos
D3m4dm
Contributor
Contributor

Wrong Post. Excuse me

Reply
0 Kudos
IRIX201110141
Champion
Champion

Just guessting....

- The error message indicated that you try to add something which is already there

- It looks like youre trying to add somehing to local group. Why?

What happends if you just grand permission to a user (maybe one you have never touch before, just for testing) and add him with a ROLE to vCenter?

I have the feeling youre messing around with localos and vsphere.local which i also used but never to try something to add from the outside.

Regards,

Joerg

Reply
0 Kudos
Gidrakos
Hot Shot
Hot Shot

I ran into the same thing in the web interface and couldn't get around it.

Try using the CLI for managing groups as well. Everything you need (domain join, group management, etc) can be found in /usr/lib/vmware-vmafd/bin

Those give you much more direct control without the overhead of HTML5 (and better logging).

Reply
0 Kudos
D3m4dm
Contributor
Contributor

Wrong Post. Excuse me

Reply
0 Kudos
JaredKeyes
Contributor
Contributor

Hey D3m4dm,

I think you may have clicked on the wrong topic. I don't think our problems are related and I don't want people getting confused as to what troubleshooting steps have or have not been performed.

As for my original problem, I do use the cli for most things as I don't like the web client all that much.

When I run: /opt/likewise/bin/domainjoin-cli query It returns:

Name = photon-machine

Domain = CORP.DOMAIN.COM

Distinguished Name = CN=PHOTON-MACHINE,OU=Servers,OU=HQ,OU=Locations,DC=Corp,DC=Domain,DC=com

(My domain is not actually called domain.com, I'm just erasing the actual name and replace it for privacy reasons)

All that looks correct to me though.

I will try to clean up AD and the remove and re-add it. Hopefully that helps.

Reply
0 Kudos
D3m4dm
Contributor
Contributor

Yes thats right I'am in the wrong post. Excuse me so much

Reply
0 Kudos
JaredKeyes
Contributor
Contributor

Alright, so, I'm pretty new to the organization, so if cleaning up AD is all that's necessary it's going to take me a little while to deep dive into it and figure out what everything is and what we don't need. In the mean time I have to questions, one related and one only semi-related.

I was reading through some VMware KBs (specifically this one: Unable to Log In Using Active Directory Domain Authentication ). I ran the commands they suggested, I'm not a VMware expert, but all of the output LOOKED correct. Step 3 is to leave the domain and rejoin the domain, which we have established isn't the solution for me, at least, not yet. Step 4 says to restart all the services. The command they give (/bin/service-control --restart --all) isn't a valid one, but I was wondering if there was a valid command to cycle the services or if people had recommendations for which services I should try restarting.

The other question I have is: We have a disabled users folder in our AD. The HTML 5 Web Client can only display 200 users for some reason and currently it is 75% full with disabled users or users from our contractor folder who have no reason to access our vCenter. Is there a way to make vCenter ignore certain folders in AD?

Thanks,

Jared Keyes

Reply
0 Kudos
Gidrakos
Hot Shot
Hot Shot

"/bin/service-control --restart --all isn't a valid one" - Not sure why since it's working perfectly for me.

From the looks of things, "service-control" lives in both /usr/bin/ and /bin/ as separate, but identical files. "which service-control" tells me /usr/bin is the default mapped one. service-control -? gives you some basic usage instructions. I can successfully use either one to list my services and get their information, including using the --all flag.

As for the AD issue - would it be possible to simply move the old users to another OU? You can use a PowerShell script to quickly search for users who haven't used their accounts, have expired passwords, etc, and move them to a proper location so vSphere doesn't see them anymore.

I am not aware of a way to tell vSphere to ignore users in an AD OU.

Reply
0 Kudos
JaredKeyes
Contributor
Contributor

Hey Gidrakos,

That's really weird. When I try that command I get a message that says "Service-control failed. Error: Restart option takes exactly one service name as argument" Maybe I should try updating my vCenter?

In regards to the AD issue, all of my disabled accounts are in a disabled account OU, but when I joined my vCenter to the domain I didn't tell it to point to a specific OU such as the users OU so I'm assuming it's pulling all the users from the every OU. Is it best practice to point vCenter to a specific OU?

Thanks,

Jared Keyes

Reply
0 Kudos
Gidrakos
Hot Shot
Hot Shot

Ah - It's mad about you giving it the --all flag. You need to restart them one at a time from the looks of it, or whip up a script to do it for you as a batch. Sorry, I don't have a server available that I'm willing to try restarting ALL services on, so I couldn't debug that with you.

Yes, if you simply add an Identity Source as an "AD (Integrated Windows Auth)" it doesn't allow you to specify an OU and, therefore, pulls everything it can find.

I believe best practices is to use integrated auth when applicable, but I can't find the documentation on it. That being said, it's just as secure to specify the LDAP server/connection manually and use a specified certificate.

Reply
0 Kudos
Gidrakos
Hot Shot
Hot Shot

It won't let me edit my previous post but, to add to that:

You could always make an AD group to place users in and only add that group to the list of those who have privileges. That would mean those users, like vendors, who somehow wander onto your vSphere can login, but they won't see a thing.

Reply
0 Kudos
JaredKeyes
Contributor
Contributor

Quick Update:

I've been working on getting my AD cleaned up like suggested. However, in the meantime I decided that I would just have people log on using the "Use Windows Session" checkbox, however it doesn't work for them! The keep being told that they have no permission to anything on the vCenter even though I've added them to my server admin group in AD. I then decided to remove my account from any admin group on vCenter including the one on my active directory and see if my account gets the same error, however I did not. So now I'm thinking that my AD is not actually replicating to my vCenter. Anybody else have that issue before?

Thanks,

Jared Keyes

Reply
0 Kudos
Pyrotechnik
Contributor
Contributor

Hello

Did You find any solution for this problem. I have exactly the same issue.

Regards

Rafal

Reply
0 Kudos