VMware Cloud Community
jrhaakenson
Enthusiast

Can't logon to ESXi 6.7 using Active Directory credentials

I have eight ESXi hosts running 6.7.0 Build 11675023. All hosts are being managed by a vCenter server. My vCenter server is joined to my Active Directory (AD) domain. All eight hosts are joined to the AD. The hosts are listed correctly in my AD Computers Organizational Unit (OU). No problems there. I can log in to my vCenter server using my AD credentials. I CANNOT however log in to my ESXi hosts using my AD credentials. I receive the notification "Cannot complete login due to an incorrect username or password". Here are the items I have checked and verified:

1. The configured ESXi Hostname and Domain Name Service (DNS) server correctly match the joined computer in AD and the DNS server running on my Domain Controller.

2. ESXi Config.HostAgent.plugins.hostsvc.esxAdminsGroup is correctly set to my AD group that contains my admin account. The AD group is SA Admin Accounts.

3. lwsmd and the associated dependency services are running on the ESXi host.

4. The ESXi firewall is configured to allow Active Directory All: Incoming TCP port 2020 and Outgoing TCP ports 88, 139, 389, 445, 454, 3268, 7475 and UDP ports 88, 123, 137, 389, 464. The allowed IP addresses on the firewall are set to All.

5. The ESXi Active Directory Service is Running.

6. Lockdown mode is disabled on all ESXi hosts.

I don't know what else to check. Everything appears to be in order but I can't log in to the ESXi hosts using the web client (version 6.7.0 obviously) with my AD credentials. The ESXi hosts have had additional security checks configured in Advanced System Settings, but I've checked everything that appears to be associated with AD authentication. What am I missing?


6 Replies
Deso1ator
Enthusiast

Have you tried logging in with domain\user or just user? Did you restart the hosts after adding them to the domain? Try adding your AD account to the top level permissions of the host to see if that works.

jrhaakenson
Enthusiast

I have tried logging in with both domain\user and just user. Neither works. Yes, I restarted the hosts multiple times after joining them to the domain. I have also added my domain group SA Admin Accounts to the ESXi host Permissions tab in vCenter. But as I understand it, these permissions are only for viewing/managing the devices in vCenter. There is nowhere to add domain accounts on the ESXi host interface itself that I know of.

Deso1ator
Enthusiast

You need to set permissions on the host itself (not in vCenter). Log into the host directly with the root login. Then set the permissions there. I think this should do it for you.

Check out the video in the section "Granting permissions on vSphere objects":

https://www.altaro.com/vmware/how-to-join-esxi-to-active-directory-for-improved-management-and-secur...

jrhaakenson
Enthusiast
Accepted solution

Thanks for the suggestion. I was able to verify that I did have my Domain\SA Admin Accounts set on the ESXi hosts themselves. Since I am running ESXi version 6.7.0 I had to find the Host Permissions location by right-clicking on Host in the web interface and selecting Permissions there. Yes, the Domain\Group or User accounts do need to be applied in this location.

I however determined the cause of my specific issue. The Host Names of my ESXi hosts were too long. They were more than 15 characters long and so once joined to my Windows Server 2016 domain, the domain automatically gave them a Pre-Windows 2000 name of less than 15 characters. It appears that ESXi follows the Pre-Windows 2000 rules when it comes to Host Names on a Windows domain. So my ESXi Host Names technically didn't match their domain names and thus I was not able to authenticate a domain account with the ESXi host. After shortening my ESXi Host Names to less than 15 characters, re-joining them to the domain, and once again verifying all information found in my OP along with verifying my Domain\Group Account was added to the ESXi host permissions itself, I am able to authenticate to the ESXi hosts with my domain credentials.
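A pre-join check for the condition described in the accepted solution, added here as an example and not taken from the thread or from VMware: it flags ESXi short hostnames longer than the 15-character NetBIOS limit and compares each hostname with the pre-Windows 2000 name shown in AD. The host names are constructed, and the rule that AD forms the pre-Windows 2000 name by upper-casing the first 15 characters is an assumption of this example.

```sh
#!/bin/sh
# Added example, not from the thread or from VMware. Pre-join check for ESXi
# hosts: a short hostname longer than 15 characters cannot equal the
# pre-Windows 2000 (NetBIOS) name AD assigns, and the thread reports that the
# mismatch breaks AD logins on the host. Assumption made here: AD forms the
# pre-Windows 2000 name by upper-casing the first 15 characters.

NETBIOS_MAX=15

# short_name FQDN -> the label before the first dot, e.g. "esxi07"
short_name() {
    printf '%s' "${1%%.*}"
}

# expected_netbios FQDN -> the pre-Windows 2000 name AD is assumed to derive
expected_netbios() {
    short_name "$1" | cut -c1-"$NETBIOS_MAX" | tr 'a-z' 'A-Z'
}

# hostname_ok FQDN -> succeeds when the short name fits the NetBIOS limit
hostname_ok() {
    s=$(short_name "$1")
    [ "${#s}" -le "$NETBIOS_MAX" ]
}

# names_match FQDN AD_NAME -> succeeds when the pre-Windows 2000 name shown in
# AD equals the host's own short name (case-insensitive)
names_match() {
    s=$(short_name "$1" | tr 'a-z' 'A-Z')
    a=$(printf '%s' "$2" | tr 'a-z' 'A-Z')
    [ "$s" = "$a" ]
}

# report FQDN AD_NAME -> one diagnostic line per host
report() {
    if ! hostname_ok "$1"; then
        echo "TOO LONG $1: short name exceeds $NETBIOS_MAX chars, AD would use $(expected_netbios "$1")"
    elif names_match "$1" "$2"; then
        echo "OK       $1 matches AD name $2"
    else
        echo "MISMATCH $1 does not match AD name $2"
    fi
}

# Constructed sample hosts: one that fits, one that AD would have truncated.
report esxi07.corp.example.com ESXI07
report esxi-datacenter-host01.corp.example.com ESXI-DATACENTER
```

Run it on the ESXi shell or any POSIX sh before joining, with the pre-Windows 2000 name copied from the computer object in AD Users and Computers.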

Deso1ator
Enthusiast

Good find! I will have to remember that one.

Mattneed
Contributor

thank you for this 🙂
