Unable to join ESXi 6.0 host to domain through authentication proxy, fails with error : "The specified vSphere Authentication Proxy Server is not reachable, or has denied access to the service"
Article ID: 345268
Updated On:
Products
VMware vCenter Server
VMware vSphere ESXi
Issue/Introduction
To join the ESXi 6.0 host to vCenter via authentication proxy.
Symptoms:
--> msg = "The specified vSphere Authentication Proxy server is not reachable, or has denied access to the service."
error vpxd[7F95FBC62800] [Originator@6876 sub=OsLayer_linux] [VpxOsLayer] Failed to write to config: FileIO error: Permission denied for file : /etc/vmware-vpx/vpxd.cfg.tmp
--> msg = "The specified vSphere Authentication Proxy server is not reachable, or has denied access to the service."
info vpxd[7F95ED8BC700] [Originator@6876 sub=Default opID=AuthJoinDomainFormMediator-apply-253820-ngc:70023638-e] [VpxLRO] -- ERROR task-43878 -- activeDirectoryAuthentication-29 -- vim.host.ActiveDirectoryA
Authentication.joinDomainWithCAM: vim.fault.CAMServerRefusedConnection:
--> Result:
--> (vim.fault.CAMServerRefusedConnection) {
--> faultCause = (vmodl.MethodFault) null,
--> faultMessage = ,
--> errorCode = 1225,
--> camServer = "x.x.x.x"
--> msg = "The specified vSphere Authentication Proxy server is not reachable, or has denied access to the service."
--> }
--> Args:
-->
--> Arg domainName:
--> "example.org"
--> Arg camServer:
--> "x.x.x.x"
YYYY-MM-DDTHH:MM:SS.275-04:00 warning vpxd[7F95ECE9A700] [Originator@6876 sub=VpxProfiler opID=AuthJoinDomainFormMediator-apply-253820-ngc:70023638-e-TaskLoop-47e13d0a] TaskLoop [TotalTime] took 75062 ms
YYYY-MM-DDTHH:MM:SS.414903-05:00 shemp vmcamd: t@140133709772544: VmCam HTTPS request Handler failed with 5
The error number (5) corresponds to ERROR_ACCESS_DENIED.
error hostd[2A381B70] [Originator@6876 sub=ActiveDirectoryAuthentication opID=AuthJoinDomainFormMediator-apply-220088-ngc:70021834-63-4c-9e52 user=vpxuser:example.ORG\abc] vmwauth ConnectionRefusedException: Exception 0x000004c9: The remote computer refused the network connection.
info hostd[2A381B70] [Originator@6876 sub=Vimsvc.ha-eventmgr opID=AuthJoinDomainFormMediator-apply-220088-ngc:70021834-63-4c-9e52 user=vpxuser:example.ORG\abc] Event 1546 : Join domain failed.
info hostd[2A381B70] [Originator@6876 sub=Vimsvc.TaskManager opID=AuthJoinDomainFormMediator-apply-220088-ngc:70021834-63-4c-9e52 user=vpxuser:example.ORG\abc] Task Completed : haTask-ha-host-vim.host.ActiveDirectoryAuthentication.joinDomainWithCAM-209160 Status error
Symptoms:
- While joining ESXi 6.0 host to domain through authentication proxy, fails with below error :
- You will find similar log snippet in VPXD.log
--> msg = "The specified vSphere Authentication Proxy server is not reachable, or has denied access to the service."
error vpxd[7F95FBC62800] [Originator@6876 sub=OsLayer_linux] [VpxOsLayer] Failed to write to config: FileIO error: Permission denied for file : /etc/vmware-vpx/vpxd.cfg.tmp
--> msg = "The specified vSphere Authentication Proxy server is not reachable, or has denied access to the service."
info vpxd[7F95ED8BC700] [Originator@6876 sub=Default opID=AuthJoinDomainFormMediator-apply-253820-ngc:70023638-e] [VpxLRO] -- ERROR task-43878 -- activeDirectoryAuthentication-29 -- vim.host.ActiveDirectoryA
Authentication.joinDomainWithCAM: vim.fault.CAMServerRefusedConnection:
--> Result:
--> (vim.fault.CAMServerRefusedConnection) {
--> faultCause = (vmodl.MethodFault) null,
--> faultMessage = ,
--> errorCode = 1225,
--> camServer = "x.x.x.x"
--> msg = "The specified vSphere Authentication Proxy server is not reachable, or has denied access to the service."
--> }
--> Args:
-->
--> Arg domainName:
--> "example.org"
--> Arg camServer:
--> "x.x.x.x"
YYYY-MM-DDTHH:MM:SS.275-04:00 warning vpxd[7F95ECE9A700] [Originator@6876 sub=VpxProfiler opID=AuthJoinDomainFormMediator-apply-253820-ngc:70023638-e-TaskLoop-47e13d0a] TaskLoop [TotalTime] took 75062 ms
- From messages.log you may see as below
YYYY-MM-DDTHH:MM:SS.414903-05:00 shemp vmcamd: t@140133709772544: VmCam HTTPS request Handler failed with 5
The error number (5) corresponds to ERROR_ACCESS_DENIED.
- Hostd.log
error hostd[2A381B70] [Originator@6876 sub=ActiveDirectoryAuthentication opID=AuthJoinDomainFormMediator-apply-220088-ngc:70021834-63-4c-9e52 user=vpxuser:example.ORG\abc] vmwauth ConnectionRefusedException: Exception 0x000004c9: The remote computer refused the network connection.
info hostd[2A381B70] [Originator@6876 sub=Vimsvc.ha-eventmgr opID=AuthJoinDomainFormMediator-apply-220088-ngc:70021834-63-4c-9e52 user=vpxuser:example.ORG\abc] Event 1546 : Join domain failed.
info hostd[2A381B70] [Originator@6876 sub=Vimsvc.TaskManager opID=AuthJoinDomainFormMediator-apply-220088-ngc:70021834-63-4c-9e52 user=vpxuser:example.ORG\abc] Task Completed : haTask-ha-host-vim.host.ActiveDirectoryAuthentication.joinDomainWithCAM-209160 Status error
Environment
VMware vCenter Server Appliance 6.7.x
VMware vCenter Server Appliance 6.5.x
VMware vSphere ESXi 6.0
VMware vCenter Server Appliance 6.5.x
VMware vSphere ESXi 6.0
Cause
This issue occurs if the user_id that is used to join the CAM Server to Authentication Proxy doesn't have all the required permissions.
Resolution
- Check output of command. You will see as below
Default Domain Name: <domain name>
Default Domain User: vsphere_auth_proxy
vCenter Server Address: localhost
vCenter Server User: [email protected]
vCenter Server Port: 80
- From vmcam.reg file
[HKEY_THIS_MACHINE\Software\vmcam\Parameters\Domains\<domain name>-YYYY-MM-DDTHH:MM:SS281Z]
"DomainName" = {
"value"="<domain name>"
}
"User" = {
"value"="vsphere_auth_proxy"
}
NOTE: vSphere Authentication Proxy interoperability between 6.0x hosts and 6.5x VC is not supported . You would need to upgrade the ESXi hosts from 6.0 to 6.5 or 6.7.
Workaround:
Add the host to domain manually, without using authentication proxy.
Additional Information
Impact/Risks:
None
None
Feedback
Yes
No
Powered by
