Hi
Have multiple vCenters (6.7 & 7) that have issues with logging into them using the Enhanced Authentication Plugin in a browser or using Connect-VIServer with PowerCLI, and here come the twists.
1. The problem is on a new Windows 2019 server. The old Windows 2012R2 does not have any issues with this (so it is not a vCenter issue).
2. The primary vCenter (let's call it VC1, vCenter 6.7) does not have this issue logging in (without providing username/password), only all the others (VC2 (6.7), VC3 (7.0), VC4 (7.0)).
Has anyone seen this? It seems like it is Windows related, but why does VC1 work then?
Example Windows 2012R2:
Connect-VIServer $vc1 -Verbose
VERBOSE: Attempting to connect using SSPI
VERBOSE: Reversely resolved 'xxx' to 'yyy'
VERBOSE: SSPI Kerberos: Acquired credentials for user 'zzz'
VERBOSE: SSPI Kerberos: Successful call to InitializeSecurityContext for target 'host/yyy'
VERBOSE: Connected successfully using SSPI
Name Port User
---- ---- ----
xxx 443 zzz
Connect-VIServer $vc2 -Verbose
VERBOSE: Attempting to connect using SSPI
VERBOSE: Reversely resolved 'xxx' to 'yyy'
VERBOSE: SSPI Kerberos: Acquired credentials for user 'zzz'
VERBOSE: SSPI Kerberos: Successful call to InitializeSecurityContext for target 'host/yyy'
VERBOSE: Connected successfully using SSPI
Name Port User
---- ---- ----
xxx 443 zzz
Example from 2019:
Connect-VIServer $vc1 -Verbose
VERBOSE: Attempting to connect using SSPI
VERBOSE: Reversely resolved 'xxx' to 'yyy'
VERBOSE: SSPI Kerberos: Acquired credentials for user 'zzz'
VERBOSE: SSPI Kerberos: Successful call to InitializeSecurityContext for target 'host/yyy'
VERBOSE: Connected successfully using SSPI
Name Port User
---- ---- ----
xxx 443 zzz
Connect-VIServer $vc2 -Verbose
VERBOSE: Attempting to connect using SSPI
VERBOSE: Reversely resolved 'xxx' to 'yyy'
VERBOSE: SSPI Kerberos: Acquired credentials for user 'zzz'
VERBOSE: SSPI Kerberos: InitializeSecurityContext failed for target 'host/yyy'. Error code: 0x80090342
VERBOSE: Connect using SSPI was unsuccessful
Connect-VIServer : 9/30/2021 10:27:33 AM Connect-VIServer Could not determine user name and/or password for server xxx
At line:1 char:1
+ Connect-VIServer $vc2 -Verbose
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Connect-VIServer], ViServerConnectionException
+ FullyQualifiedErrorId : ViCore_Login_CredentialNotFound,VMware.VimAutomation.ViCore.Cmdlets.Commands.ConnectVIServer
Found the solution - RC4 encryption needs to be enabled in the local policy
Another possible fix, that we need to have tested, is to add the encryption types to the computer objects in Active Directory. As can be seen, yyy is VC1, which is working, and xxx is one of the ones not working (before the above fix/workaround).
Get-ADComputer XXX -Properties KerberosEncryptionType
KerberosEncryptionType : {}
Get-ADComputer yyy -Properties KerberosEncryptionType
KerberosEncryptionType : {RC4, AES128, AES256}
Errors related to this are:
eRR-ETYPE-NOSUPP (14) - Wireshark
krb5kdc-err-etype-nosupp
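Added example, not part of the original post: a PowerShell check that decodes the encryption-type bitmasks and reports whether a client and a target computer account share any Kerberos encryption type. The function name, the sample masks and the rule that an account with no advertised types is served with RC4 are assumptions made for illustration.

```powershell
# Added example (not from the original post): compare the Kerberos encryption
# types a client allows with those a target computer account advertises.
[Flags()] enum KrbEtype {
    DES_CBC_CRC = 0x01
    DES_CBC_MD5 = 0x02
    RC4_HMAC    = 0x04
    AES128      = 0x08
    AES256      = 0x10
}

function Test-KrbEtypeOverlap {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][string]$Target,
        [Parameter(Mandatory)][int]$ClientMask,   # client policy bitmask
        [Nullable[int]]$TargetMask                # msDS-SupportedEncryptionTypes; $null if unset
    )
    $etypeBits  = 0x1F   # only the five cipher bits; higher bits are other flags
    $advertised = if ($null -ne $TargetMask) { $TargetMask -band $etypeBits } else { 0 }
    # Assumption: with nothing advertised, the KDC falls back to RC4 for this
    # account, which matches the failure the post describes.
    $effective  = if ($advertised) { $advertised } else { [int][KrbEtype]::RC4_HMAC }
    $common     = ($ClientMask -band $etypeBits) -band $effective
    [pscustomobject]@{
        Target     = $Target
        Advertised = if ($advertised) { [KrbEtype]$advertised } else { '{} (unset)' }
        Effective  = [KrbEtype]$effective
        Common     = if ($common) { [KrbEtype]$common } else { 'none' }
        Expected   = if ($common) { 'ticket can be issued' } else { 'KDC_ERR_ETYPE_NOSUPP (14)' }
    }
}

# Constructed sample values mirroring the post. Live sources would be:
#   client: (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters').SupportedEncryptionTypes
#   target: (Get-ADComputer <name> -Properties 'msDS-SupportedEncryptionTypes').'msDS-SupportedEncryptionTypes'
$clientMask = 0x18   # assumed Windows 2019 policy: AES128 + AES256, RC4 not allowed
$targets = @(
    @{ Name = 'xxx'; Mask = $null }   # KerberosEncryptionType : {}
    @{ Name = 'yyy'; Mask = 0x1C }    # KerberosEncryptionType : {RC4, AES128, AES256}
)
foreach ($t in $targets) {
    Test-KrbEtypeOverlap -Target $t.Name -ClientMask $clientMask -TargetMask $t.Mask
}
```

Re-running the check with an AES-capable mask for xxx shows the effect of the second fix mentioned in the post, where the encryption types are added to the computer object instead of allowing RC4 on the client.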