VMware Cloud Community
Raudi
Expert

Can't use Windows session authentication after change from machine account to LDAPS

Hi,

I changed a customer's VCSA 7.0.3.00500 from machine account to LDAPS; now we get this error when trying to use Windows session authentication:

The specified target is unknown or unreachable

I found nothing regarding this error. Which log files should I search to find out what goes wrong? Or what must I change to fix this error?

Everything else is working: login with only the username, domain\username, or username@domain.

Kind regards
Stefan

3 Replies
Raudi
Expert

I now get the same in PowerShell:

VERBOSE: Attempting to connect using SSPI
VERBOSE: Reversely resolved 'vc' to 'vc.domain.intern'
VERBOSE: SSPI Kerberos: Acquired credentials for user 'domain\user'
VERBOSE: SSPI Kerberos: InitializeSecurityContext failed for target 'host/vc.domain.intern'. Error code: 0x80090303
VERBOSE: Connect using SSPI was unsuccessful

I found something on Google saying that the VCSA still needs to be a member of the AD. Is that possible?

Perhaps I need to rejoin the VCSA to the AD, but then still use LDAPS for authentication and not the machine account?

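A diagnostic script for the SSPI failure quoted above, added here as an example; it is not part of the original post. It assumes PowerCLI is installed on a domain-joined Windows client, uses the vCenter name vc.domain.intern from the verbose output (replace it with your own FQDN), and relies on the Windows setspn.exe and klist.exe tools. Error code 0x80090303 is SEC_E_TARGET_UNKNOWN, the Kerberos-side counterpart of the "specified target is unknown or unreachable" message: the client cannot obtain a service ticket for the SPN host/vc.domain.intern, which only exists in AD if some account (normally the vCenter's computer object) has it registered.

```powershell
# Added diagnostic example, not from the original poster.
# Assumption: PowerCLI is installed; $Server defaults to the FQDN seen in the thread.
param([string]$Server = 'vc.domain.intern')

# PowerCLI resolves the server name to its FQDN and asks Kerberos for a ticket
# to the SPN host/<fqdn>. Check both halves of that outside PowerCLI first.
$spn = "host/$Server"

Write-Host "==> Reverse-resolving $Server (PowerCLI does the same before SSPI)"
[System.Net.Dns]::GetHostEntry($Server).HostName

Write-Host "==> Asking AD which account (if any) holds SPN $spn"
# setspn -Q prints the owning object, or reports that no such SPN exists.
# No owner means no Kerberos ticket can be issued, i.e. 0x80090303 in PowerCLI.
& setspn.exe -Q $spn

Write-Host "==> Requesting a service ticket for $spn with the current session"
# klist get tries the same ticket request PowerCLI makes through SSPI and
# shows the KDC error text if it fails.
& klist.exe get $spn

Write-Host "==> Session (SSPI) login attempt; -Verbose shows the SSPI trace"
# Without -User/-Credential PowerCLI tries SSPI first. If that fails it falls
# through to its own credential prompt, which is the explicit-credential
# (LDAPS) path that still works in the thread.
$vi = Connect-VIServer -Server $Server -Verbose
if ($vi) {
    Write-Host "Connected to $($vi.Name) as $($vi.User)"
    Disconnect-VIServer -Server $vi -Confirm:$false
}
```

Run it once with the LDAPS identity source in place and once after joining the VCSA to the domain and switching to a machine-account identity source; the setspn.exe output is the part that changes, because the join is what creates the computer object carrying host/vc.domain.intern. If setspn.exe reports no owner while Connect-VIServer with -Credential succeeds, the problem is ticket acquisition for the SPN, not the user's credentials or the LDAPS bind.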
Raudi
Expert

OK, I made some tests in my test environment; there I have the same problem, and I'm using LDAPS too.

I joined the VCSA to the domain, but this changed nothing; joining alone isn't enough.

After deleting the LDAPS identity source and creating a Machine Account identity source, I was able to connect to the vCenter in PowerShell without entering my credentials.

So with IWA, the login with the AD session is working, but not with LDAPS.

Will this work with LDAPS? Or is this a limitation of LDAPS?

Raudi
Expert

Seems to be by design.

When using AD with LDAPS, no session authentication is possible; that is the feedback from support.

The prerequisite for session authentication is that the vCenter is "joined" to the AD.

It would be nice if such information were written more clearly in the documentation or in the KB articles, for example here: Deprecation of Integrated Windows Authentication (78506) (vmware.com)