VMware Cloud Community
MichaelRyom
Hot Shot

Login with SSPI or Enhanced Authentication Plugin fails

Hi

I have multiple vCenters (6.7 & 7) that have issues with logging in to them using the Enhanced Authentication Plugin in a browser or using Connect-VIServer with PowerCLI, and here come the twists.

1. The problem is on a new Windows 2019 server - the old Windows 2012R2 does not have any issues with this (so it is not a vCenter issue)

2. The primary vCenter (let's call it VC1 - vCenter 6.7) does not have this issue logging in (without providing username/password), only all the others (VC2 (6.7), VC3 (7.0), VC4 (7.0))

Has anyone seen this? It seems like it is Windows related, but why does VC1 work then?

 

Example Windows 2012R2:

Connect-VIServer $vc1 -Verbose
VERBOSE: Attempting to connect using SSPI
VERBOSE: Reversely resolved 'xxx' to 'yyy'
VERBOSE: SSPI Kerberos: Acquired credentials for user 'zzz'
VERBOSE: SSPI Kerberos: Successful call to InitializeSecurityContext for target 'host/yyy'
VERBOSE: Connected successfully using SSPI

Name                           Port  User
----                           ----  ----
xxx                            443   zzz


Connect-VIServer $vc2 -Verbose
VERBOSE: Attempting to connect using SSPI
VERBOSE: Reversely resolved 'xxx' to 'yyy'
VERBOSE: SSPI Kerberos: Acquired credentials for user 'zzz'
VERBOSE: SSPI Kerberos: Successful call to InitializeSecurityContext for target 'host/yyy'
VERBOSE: Connected successfully using SSPI

Name                           Port  User
----                           ----  ----
xxx                            443   zzz

 

Example from 2019:

Connect-VIServer $vc1 -Verbose
VERBOSE: Attempting to connect using SSPI
VERBOSE: Reversely resolved 'xxx' to 'yyy'
VERBOSE: SSPI Kerberos: Acquired credentials for user 'zzz'
VERBOSE: SSPI Kerberos: Successful call to InitializeSecurityContext for target 'host/yyy'
VERBOSE: Connected successfully using SSPI

Name                           Port  User
----                           ----  ----
xxx                            443   zzz


Connect-VIServer $vc2 -Verbose
VERBOSE: Attempting to connect using SSPI
VERBOSE: Reversely resolved 'xxx' to 'yyy'
VERBOSE: SSPI Kerberos: Acquired credentials for user 'zzz'
VERBOSE: SSPI Kerberos: InitializeSecurityContext failed for target 'host/yyy'. Error code: 0x80090342
VERBOSE: Connect using SSPI was unsuccessful
Connect-VIServer : 9/30/2021 10:27:33 AM        Connect-VIServer                Could not determine user name and/or password for server xxx
At line:1 char:1
+ Connect-VIServer $vc2 -Verbose
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Connect-VIServer], ViServerConnectionException
    + FullyQualifiedErrorId : ViCore_Login_CredentialNotFound,VMware.VimAutomation.ViCore.Cmdlets.Commands.ConnectVIServer

 

Blogging at https://MichaelRyom.dk

Accepted Solutions
MichaelRyom
Hot Shot

Found the solution - RC4 encryption needs to be enabled in the local policy


Another possible fix that we need to have tested is to add the encryption types to the computer objects in Active Directory. As can be seen, yyy is VC1, which is working, and xxx is one of the ones not working (before the above fix/workaround).

 

Get-ADComputer XXX -Properties KerberosEncryptionType

KerberosEncryptionType : {}

Get-ADComputer yyy -Properties KerberosEncryptionType

KerberosEncryptionType : {RC4, AES128, AES256}

 

 

 

Errors related to this are:

eRR-ETYPE-NOSUPP (14) - Wireshark

krb5kdc-err-etype-nosupp

MS KBs:
 
Blogging at https://MichaelRyom.dk
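
An added example (not part of the original post and not VMware or Microsoft code) that models why the empty KerberosEncryptionType on xxx matters: it intersects the encryption types of the target computer object with those the client policy allows. The function name, the AES-only client mask and the RC4 default for an unset attribute are assumptions.

```powershell
# Added example. Bit values of msDS-SupportedEncryptionTypes, which
# Get-ADComputer surfaces as KerberosEncryptionType.
[Flags()] enum KerbEtype {
    DES_CBC_CRC = 0x1
    DES_CBC_MD5 = 0x2
    RC4         = 0x4
    AES128      = 0x8
    AES256      = 0x10
}

# Assumption: an account with no value set is handled by the KDC as RC4-only.
# Patched or reconfigured domain controllers may apply another default.
$AssumedKdcDefault = [KerbEtype]::RC4

# Hypothetical helper: reports which etypes client and account have in common.
function Test-KerbEtypeOverlap {
    param(
        [Parameter(Mandatory)][string]$Name,
        [int]$AccountMask = 0,                    # 0 = attribute not set, shown as {}
        [Parameter(Mandatory)][int]$ClientMask    # etypes the client policy allows
    )
    $effective = if ($AccountMask -eq 0) { [int]$AssumedKdcDefault } else { $AccountMask -band 0x1F }
    $common = $effective -band $ClientMask -band 0x1F
    [pscustomobject]@{
        Name    = $Name
        Account = if ($AccountMask -eq 0) { '{} (not set)' } else { "$([KerbEtype]$effective)" }
        Common  = if ($common -eq 0) { 'none' } else { "$([KerbEtype]$common)" }
        Result  = if ($common -eq 0) { 'KDC_ERR_ETYPE_NOSUPP (14)' } else { 'ticket can be issued' }
    }
}

# Constructed inputs: xxx and yyy mirror the two Get-ADComputer results above.
# The AES-only client mask (0x18) is an assumption about the Windows 2019 policy.
$accounts = @{ Name = 'xxx'; AccountMask = 0 }, @{ Name = 'yyy'; AccountMask = 0x1C }
$clients  = @{ Label = 'AES only'; Mask = 0x18 }, @{ Label = 'RC4 enabled'; Mask = 0x1C }

$results = foreach ($client in $clients) {
    foreach ($acct in $accounts) {
        Test-KerbEtypeOverlap @acct -ClientMask $client.Mask |
            Add-Member -NotePropertyName ClientPolicy -NotePropertyValue $client.Label -PassThru
    }
}
$results | Format-Table ClientPolicy, Name, Account, Common, Result -AutoSize
```

For a live check, the account mask can be read with Get-ADComputer and the msDS-SupportedEncryptionTypes property. In this model, giving xxx an AES mask (0x18) also produces an overlap without allowing RC4 on the client, which corresponds to the second fix the post mentions as still untested.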
