Logging in to VMware ESXi using domain credentials fails with the error: Invalid user name or credentials
Article ID: 337908
Updated On:
Products
VMware vSphere ESXi
Issue/Introduction
Symptoms:
- After adding a host to Active Directory, you are unable to log in using Active Directory credentials
- When logging in, you see the error:
Invalid user name or credentials - When logging in to the host through SSH, the session terminates after entering your password
- You do not see all domains populated under Configuration > Authenticated Services > Trusted Domain Controllers within a VMware vSphere Client session connected directly to the host
- The user you are attempting to authenticate is a member of groups located across multiple domains
- In the /var/log/netlogond.log file of the host, you see errors similar to:
<MM-DD-YYYY> <time>:DEBUG:0x60140b70: Error code: 40121 (symbol: LW_ERROR_DOMAIN_IS_OFFLINE)
<MM-DD-YYYY> <time>:0xff942b70:DEBUG:[LWNetGetPreferredDcList()] Error at /build/mts/release/bora-2286303/likewise/esxi-esxi/src/linux/netlogon/server/api/lwnet-plugin.c:201 [code: 2453]
<DATE> <time>:0xffdb6b90:ERROR:[LWNetDnsQueryWithBuffer() /build/mts/release/bora-1474033/likewise/esxi-esxi/src/linux/netlogon/utils/lwnet-dns.c:1185] DNS lookup for '_ldap._tcp.EDIS._sites.dc._msdcs.domain.com' failed with errno 0, h_errno = 1</time></time></time> - In the /var/log/lsassd.log file of the host, you see errors similar to:ld/mts/release/bora-1028347/likewise/esxi-esxi/src/linux/lsass/server/auth-providers/ad-provider/lsadm_p.c:2419] Error code: 40044 (symbol: LW_ERROR_NO_SUCH_DOMAIN) release/bora-1028347/likewise/esxi-esxi/src/linux/lsass/server/auth-providers/ad-provider/lsadm_p.c:1308] Do not know about domain 'domain.com' ld/mts/release/bora-1028347/likewise/esxi-esxi/src/linux/lsass/server/auth-providers/ad-provider/lsadm_p.c:2419] Error code: 40044 (symbol: LW_ERROR_NO_SUCH_DOMAIN) ()
Environment
VMware vSphere ESXi 5.1
VMware vSphere ESXi 5.5
VMware vSphere ESXi 5.5
Cause
This issue occurs due to the netlogond service not being able to contact the domain through a chosen domain controller. The likewise service uses CLDAP pings to choose the best domain controller to be contacted by the ESXi host to obtain Active Directory user and group information. If the chosen domain controller is unable to contact a domain containing a group in which the user is a part of, you will receive the preceding symptoms
Resolution
This is a known issue affecting ESXi 5.x.
Currently, there is no resolution.
To workaround this issue, you can specify a preferred domain controller that is able to contact the domains that contain the groups the user you are authenticating with is a member of.
To specify a preferred domain controller:
- Connect directly to the host using the vSphere Client.
- Select ESX Server > Configuration > Advanced Settings > UserVars.ActiveDirectoryPreferredDomainControllers.
- Enter the IP address or FQDN of the preferred domain controller.
- Click OK to apply the changes.
Additional Information
To be alerted when this document is updated, click the Subscribe to Article link in the Actions box
Feedback
Yes
No
Powered by
