VMware Cloud Community
abutte
Contributor

AD and vCenter 6.7 Invalid Credentials

Hello,

I've been working on setting up my first lab to study for VCP and am having some trouble getting AD authentication to work within vCenter. This is a brand new AD server, Windows Server 2019 with domain functional level 2016, which is supported in 6.7u1 and after. I've successfully joined the VCSA to the domain, added the identity source, and am able to add users via global permissions from the AD server. When I attempt to log in with AD credentials I get an Audit Success from the AD server, but over in VCSA it just says "Invalid Credentials". From what I can tell it's not a time skew issue, because both systems receive time from pool.ntp.org. Any help would be appreciated; I've been beating my head against this issue for a week or two now and have pretty much exhausted what I can find online. I've tried multiple times to leave/join the domain via CLI per the 6.5 AD issue, but that doesn't seem to help. I've dug around in the logs quite a bit, and these are the two entries that stand out to me.

/var/log/vmware/sso/websso.log

/var/log/audit/sso-events/audit_events.log

2019-11-05T18:45:17.724Z {"user":"administrator@butte.local","client":"192.168.1.25","timestamp":"11/05/2019 18:45:17 UTC","description":"User administrator@butte.local@192.168.1.25 failed to log in with response code 401","eventSeverity":"INFO","type":"com.vmware.sso.LoginFailure"}

Some Images of VCSA

AD Users in global permissions


Accepted Solutions
abutte
Contributor

So, I found that the FQDN (optional) field is required for AD to work. You cannot use the default Photon-Machine hostname for AD to work. So, during VCSA initial setup, first go in and create a DNS record for the machine, and then give it a FQDN.

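The accepted answer comes down to two preconditions: the appliance must carry a real FQDN rather than the default Photon-Machine name, and that name must exist in DNS before the domain join. The following pre-join check is an added example written for this thread, not code from VMware or from the original posts; the host name vcsa.butte.local and the resolver hooks are constructed so the check can also run offline against fake records.

```python
import re
import socket

# Placeholder names that the accepted answer says will not work as an AD identity source host.
DEFAULT_HOSTNAMES = {"photon-machine", "localhost", "localhost.localdomain"}
# One DNS label: 1-63 chars, letters/digits/hyphen, no leading or trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def check_fqdn(hostname):
    """Return a list of problems with the appliance hostname; an empty list means it looks like a usable FQDN."""
    problems = []
    name = hostname.strip().rstrip(".").lower()
    if name in DEFAULT_HOSTNAMES:
        problems.append(f"'{hostname}' is a default/placeholder hostname; set a real FQDN before joining AD")
    labels = name.split(".")
    if len(labels) < 2:
        problems.append(f"'{hostname}' has no domain suffix; expected host.domain.tld")
    if len(name) > 253 or not all(LABEL_RE.match(label) for label in labels):
        problems.append(f"'{hostname}' contains labels that are not valid DNS names")
    return problems


def check_dns_round_trip(fqdn, forward=socket.gethostbyname, reverse=socket.gethostbyaddr):
    """Check that the FQDN has an address record and that the PTR for that address points back to it.
    forward/reverse are injectable (assumption of this example) so it can be exercised with constructed records."""
    try:
        addr = forward(fqdn)
    except OSError as exc:
        return [f"no A record for {fqdn}: {exc}"]
    try:
        ptr_name, aliases, _ = reverse(addr)
    except OSError as exc:
        return [f"no PTR record for {addr}: {exc}"]
    names = {ptr_name.lower().rstrip("."), *(a.lower().rstrip(".") for a in aliases)}
    if fqdn.lower().rstrip(".") not in names:
        return [f"PTR for {addr} resolves to {ptr_name}, not {fqdn}; forward and reverse DNS disagree"]
    return []


def preflight(fqdn, forward=socket.gethostbyname, reverse=socket.gethostbyaddr):
    """Run both checks; DNS is only consulted once the hostname itself looks valid."""
    problems = check_fqdn(fqdn)
    if not problems:
        problems += check_dns_round_trip(fqdn, forward, reverse)
    return problems


if __name__ == "__main__":
    # vcsa.butte.local is a constructed host name in the poster's domain; real resolvers are used here.
    for line in preflight("vcsa.butte.local") or ["hostname and DNS look consistent"]:
        print(line)
```

Run it on the appliance (or any host that uses the same DNS servers) before the domain join; an empty problem list means the two conditions from the accepted answer are met.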
4 Replies
birend1988
Hot Shot

Please share the idmd-sts log (this will be in the utility folder) and also share the websso log.

VCIX, NCAP
NathanosBlightc
Commander

First of all, give the required permission to the VCSA system account (system object) on AD or add it to the Domain Admins group, then test it again. If the problem still exists, disjoin the server and add AD with the LDAP connection procedure ...

Please mark my comment as the Correct Answer if this solution resolved your problem
Tina07
VMware Employee