Unable to log into ESXi host with Active Directory Credentials “Invalid user name or credentials”

Recently I had a couple of customers experience the same issue where they were unable to log into an ESXi host using AD credentials. Either the SSH session terminated unexpectedly after entering the password or the error received was “Invalid user name or credentials.”

We noticed that the “Trusted Domain Controllers” were not populating correctly, or were blank.

[Screenshot: Authentication Services, Trusted Domain Controllers list blank]

After enabling Likewise logging on the hypervisor, following VMware KB 1026554, we were able to see the following log messages:
 

netlogond.log

DEBUG:0x60140b70: Error code: 40121 (symbol: LW_ERROR_DOMAIN_IS_OFFLINE)
0xff942b70:DEBUG:[LWNetGetPreferredDcList()] Error at /build/mts/release/bora-2286303/likewise/esxi-esxi/src/linux/netlogon/server/api/lwnet-plugin.c:201 [code: 2453]
0xffdb6b90:ERROR:[LWNetDnsQueryWithBuffer() /build/mts/release/bora-1474033/likewise/esxi-esxi/src/linux/netlogon/utils/lwnet-dns.c:1185] DNS lookup for '_ldap._tcp.EDIS._sites.dc._msdcs.parent.vcloud.local' failed with errno 0, h_errno = 1

 

lsassd.log

ld/mts/release/bora-1028347/likewise/esxi-esxi/src/linux/lsass/server/auth-providers/ad-provider/lsadm_p.c:2419] Error code: 40044 (symbol: LW_ERROR_NO_SUCH_DOMAIN)
release/bora-1028347/likewise/esxi-esxi/src/linux/lsass/server/auth-providers/ad-provider/lsadm_p.c:1308] Do not know about domain 'PARENT.VCLOUD.LOCAL'
ld/mts/release/bora-1028347/likewise/esxi-esxi/src/linux/lsass/server/auth-providers/ad-provider/lsadm_p.c:2419] Error code: 40044 (symbol: LW_ERROR_NO_SUCH_DOMAIN) ()

 

We finally determined that the netlogond service could not contact the domain through the domain controller it had chosen. The Likewise service uses CLDAP pings to choose the best domain controller for the ESXi host to contact when obtaining Active Directory user and group information. If that chosen domain controller cannot contact a domain containing a group of which the user is a member, you will encounter the symptoms listed above.

In our case, the user was a member of a group in a different domain, and when Likewise tried to retrieve the group membership for the user, the lookup failed.
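As an added illustration, not code from the original post, here is a small Python triage script that parses the kinds of Likewise log lines quoted above (the "Error code ... (symbol: LW_ERROR_...)" entries, the failed DC-locator SRV lookup, and the "Do not know about domain" message) and reports which domains the host could not locate a domain controller for. The sample lines are constructed from the excerpts above with the build paths shortened; the helper names and the wording of the findings are my own.

```python
import re
from collections import Counter

# Constructed sample, modelled on the netlogond.log and lsassd.log excerpts in the
# post; the long /build/mts/... paths are shortened to the file name.
SAMPLE_LOG = """\
DEBUG:0x60140b70: Error code: 40121 (symbol: LW_ERROR_DOMAIN_IS_OFFLINE)
0xff942b70:DEBUG:[LWNetGetPreferredDcList()] Error at lwnet-plugin.c:201 [code: 2453]
0xffdb6b90:ERROR:[LWNetDnsQueryWithBuffer() lwnet-dns.c:1185] DNS lookup for '_ldap._tcp.EDIS._sites.dc._msdcs.parent.vcloud.local' failed with errno 0, h_errno = 1
lsadm_p.c:2419] Error code: 40044 (symbol: LW_ERROR_NO_SUCH_DOMAIN)
lsadm_p.c:1308] Do not know about domain 'PARENT.VCLOUD.LOCAL'
lsadm_p.c:2419] Error code: 40044 (symbol: LW_ERROR_NO_SUCH_DOMAIN) ()
"""

ERROR_RE = re.compile(r"Error code: (\d+) \(symbol: (LW_ERROR_\w+)\)")
DNS_FAIL_RE = re.compile(r"DNS lookup for '([^']+)' failed with errno (\d+), h_errno = (\d+)")
UNKNOWN_DOMAIN_RE = re.compile(r"Do not know about domain '([^']+)'")
# DC-locator SRV names: _ldap._tcp.<site>._sites.dc._msdcs.<domain> (site part optional)
SRV_RE = re.compile(r"^_ldap\._tcp\.(?:(?P<site>[^.]+)\._sites\.)?dc\._msdcs\.(?P<domain>.+)$")

# h_errno values from <netdb.h>; 1 (HOST_NOT_FOUND) means the SRV name did not resolve at all
H_ERRNO = {1: "HOST_NOT_FOUND", 2: "TRY_AGAIN", 3: "NO_RECOVERY", 4: "NO_DATA"}


def srv_name_parts(srv_name):
    """Split a DC-locator SRV name into (site, domain); site is None for the domain-wide record."""
    m = SRV_RE.match(srv_name)
    if not m:
        return None
    return m.group("site"), m.group("domain").lower()


def parse_likewise_log(text):
    """Collect Likewise error symbols, failed SRV lookups and unknown domains from log text."""
    errors = Counter()
    dns_failures = []
    unknown_domains = set()
    for line in text.splitlines():
        m = ERROR_RE.search(line)
        if m:
            errors[m.group(2)] += 1
        m = DNS_FAIL_RE.search(line)
        if m:
            dns_failures.append((m.group(1), H_ERRNO.get(int(m.group(3)), m.group(3))))
        m = UNKNOWN_DOMAIN_RE.search(line)
        if m:
            unknown_domains.add(m.group(1).lower())
    return {"errors": errors, "dns_failures": dns_failures, "unknown_domains": unknown_domains}


def unreachable_domains(summary):
    """Domains the host could not locate a DC for, merged from netlogond and lsassd evidence."""
    domains = set(summary["unknown_domains"])
    for name, _reason in summary["dns_failures"]:
        parts = srv_name_parts(name)
        if parts:
            domains.add(parts[1])
    return sorted(domains)


def triage(text):
    """Return human-readable findings for an admin, in the order they should be checked."""
    summary = parse_likewise_log(text)
    findings = []
    for name, reason in summary["dns_failures"]:
        site, domain = srv_name_parts(name) or (None, name)
        where = f"site {site} of {domain}" if site else domain
        findings.append(f"DC locator SRV lookup failed ({reason}) for {where}: {name}")
    for domain in unreachable_domains(summary):
        findings.append(f"no usable domain controller for {domain}; "
                        "point the host at a reachable preferred DC or fix DNS for that domain")
    if summary["errors"].get("LW_ERROR_DOMAIN_IS_OFFLINE"):
        findings.append("netlogond marked a domain offline; cross-domain group lookups will fail")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print("-", finding)
```

Run it against the real netlogond.log and lsassd.log after enabling Likewise logging; every domain it lists is one the chosen DC could not resolve or reach, which is exactly the set you need a working preferred domain controller for.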

To resolve this issue, you can specify one or more Active Directory Preferred Domain Controllers in Advanced Settings. You can specify them by FQDN or by IP address, whichever you prefer; it makes no difference.

[Screenshot: Advanced Settings, UserVars section, Active Directory Preferred Domain Controllers]

 

After setting your preferred domain controller(s), you should be able to rejoin the ESXi host to Active Directory and see all of your “Trusted Domain Controllers” populated in Authentication Services. VMware is still investigating this issue at this time, but this workaround should allow you to authenticate to an ESXi host with domain credentials if you were experiencing these symptoms.
 

Posted by:

Sean Whitney

5 Comments

  1. graham McGuinness -  February 22, 2015 - 10:14 pm

    Great article, could you clarify how you declare the AD preferred DC?
    Do you use FQDN or IP address? Does it matter?
    thanks
    Graham

    • Sean Whitney -  February 23, 2015 - 12:52 am

      Hi Graham,

      Great question, you can actually do either it doesn’t matter. I’ll add that to my article, thank you for the feedback!

      Thanks,
      Sean

  2. Newsletter: March 28, 2015 | Notes from MWhite -  March 28, 2015 - 4:08 pm

    […] error in my labs, but I have seen it elsewhere and I was not sure how to fix it!  But the info is here so if you see Error 1009 when working in the Web Client you can solve the issue without a call to […]

  3. Vince -  March 31, 2016 - 9:32 am

    Great article! Only one of its kind that I could find over two days, except for the VMware docs, which don’t specify that multiple entries are allowed. However, both have left a question: how to separate DCs in Preferred Domain Controllers? Is it space separated, comma separated, or other?

    Thanks Vince

  4. seanlv -  February 20, 2017 - 6:10 am

    How to add more than one preferred DC?

