Unable to join ESXi 6.0 host to domain through authentication proxy, fails with error : "The specified vSphere Authentication Proxy Server is not reachable, or has denied access to the service"
Article ID: 345268

Products

VMware vCenter Server
VMware vSphere ESXi

Issue/Introduction

The goal is to join the ESXi 6.0 host to vCenter via the authentication proxy.

Symptoms:
  • Joining an ESXi 6.0 host to the domain through the authentication proxy fails with the following error:
           "The specified vSphere Authentication Proxy Server is not reachable, or has denied access to the service."
  • VPXD.log contains entries similar to the following:

-->    msg = "The specified vSphere Authentication Proxy server is not reachable, or has denied access to the service."
error vpxd[7F95FBC62800] [Originator@6876 sub=OsLayer_linux] [VpxOsLayer] Failed to write to config: FileIO error: Permission denied for file  : /etc/vmware-vpx/vpxd.cfg.tmp
-->    msg = "The specified vSphere Authentication Proxy server is not reachable, or has denied access to the service."


info vpxd[7F95ED8BC700] [Originator@6876 sub=Default opID=AuthJoinDomainFormMediator-apply-253820-ngc:70023638-e] [VpxLRO] -- ERROR task-43878 -- activeDirectoryAuthentication-29 -- vim.host.ActiveDirectoryA
Authentication.joinDomainWithCAM: vim.fault.CAMServerRefusedConnection:
--> Result:
--> (vim.fault.CAMServerRefusedConnection) {
-->    faultCause = (vmodl.MethodFault) null,
-->    faultMessage = ,
-->    errorCode = 1225,
-->    camServer = "x.x.x.x"
-->    msg = "The specified vSphere Authentication Proxy server is not reachable, or has denied access to the service."
--> }
--> Args:
-->
--> Arg domainName:
--> "example.org"
--> Arg camServer:
--> "x.x.x.x"
YYYY-MM-DDTHH:MM:SS.275-04:00 warning vpxd[7F95ECE9A700] [Originator@6876 sub=VpxProfiler opID=AuthJoinDomainFormMediator-apply-253820-ngc:70023638-e-TaskLoop-47e13d0a] TaskLoop [TotalTime] took 75062 ms
  • messages.log may contain entries like the following:
YYYY-MM-DDTHH:MM:SS.414646-05:00 shemp vmcamd: t@140133709772544: [../../../server/vmcam/httpserv.c,231]
YYYY-MM-DDTHH:MM:SS.414903-05:00 shemp vmcamd: t@140133709772544: VmCam HTTPS request Handler failed with 5

The error number (5) corresponds to ERROR_ACCESS_DENIED.
 
  • Hostd.log
=======
error hostd[2A381B70] [Originator@6876 sub=ActiveDirectoryAuthentication opID=AuthJoinDomainFormMediator-apply-220088-ngc:70021834-63-4c-9e52 user=vpxuser:example.ORG\abc] vmwauth ConnectionRefusedException: Exception 0x000004c9: The remote computer refused the network connection.
info hostd[2A381B70] [Originator@6876 sub=Vimsvc.ha-eventmgr opID=AuthJoinDomainFormMediator-apply-220088-ngc:70021834-63-4c-9e52 user=vpxuser:example.ORG\abc] Event 1546 : Join domain failed.
info hostd[2A381B70] [Originator@6876 sub=Vimsvc.TaskManager opID=AuthJoinDomainFormMediator-apply-220088-ngc:70021834-63-4c-9e52 user=vpxuser:example.ORG\abc] Task Completed : haTask-ha-host-vim.host.ActiveDirectoryAuthentication.joinDomainWithCAM-209160 Status error
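
The signatures in the three excerpts above can be checked together. The following Python is an added example, not VMware tooling: the function names, the matching rule in `matches_article` and the trimmed sample lines are assumptions made for illustration.

```python
import re

# Patterns taken from the vpxd.log, messages.log and hostd.log excerpts in this article.
PATTERNS = {
    "vpxd_fault": re.compile(r"vim\.fault\.CAMServerRefusedConnection"),
    "vpxd_code": re.compile(r"errorCode = (\d+)"),
    "vmcamd_code": re.compile(r"vmcamd: .*VmCam HTTPS request Handler failed with (\d+)"),
    "hostd_code": re.compile(r"vmwauth ConnectionRefusedException: Exception (0x[0-9a-fA-F]+)"),
    "hostd_event": re.compile(r"Event \d+ : Join domain failed"),
}
OP_ID = re.compile(r"opID=(AuthJoinDomainFormMediator-apply-[\w:-]+)")

def triage(lines):
    """Return matched signature names, their numeric codes and the join opIDs."""
    found = {"signatures": set(), "codes": {}, "op_ids": set()}
    for line in lines:
        for name, pattern in PATTERNS.items():
            m = pattern.search(line)
            if not m:
                continue
            found["signatures"].add(name)
            if m.groups():
                raw = m.group(1)
                # hostd logs the code in hex, vpxd and vmcamd in decimal
                found["codes"][name] = int(raw, 16) if raw.lower().startswith("0x") else int(raw)
        op = OP_ID.search(line)
        if op:
            found["op_ids"].add(op.group(1))
    return found

def matches_article(found):
    """Assumed rule: vmcamd denied access (5) and vpxd or hostd saw the join refused."""
    codes = found["codes"]
    denied = codes.get("vmcamd_code") == 5  # ERROR_ACCESS_DENIED, per the article
    # hostd's 0x000004c9 is the same number as vpxd's errorCode 1225
    refused = "vpxd_fault" in found["signatures"] or codes.get("hostd_code") == 1225
    return denied and refused

# Constructed sample: lines trimmed from the excerpts above.
SAMPLE = [
    "info vpxd[7F95ED8BC700] [Originator@6876 sub=Default opID=AuthJoinDomainFormMediator-apply-253820-ngc:70023638-e] [VpxLRO] -- ERROR task-43878 -- vim.fault.CAMServerRefusedConnection:",
    "-->    errorCode = 1225,",
    "shemp vmcamd: t@140133709772544: VmCam HTTPS request Handler failed with 5",
    "error hostd[2A381B70] [Originator@6876 sub=ActiveDirectoryAuthentication opID=AuthJoinDomainFormMediator-apply-220088-ngc:70021834-63-4c-9e52 user=vpxuser] vmwauth ConnectionRefusedException: Exception 0x000004c9: The remote computer refused the network connection.",
]

if __name__ == "__main__":
    result = triage(SAMPLE)
    print(sorted(result["signatures"]), result["codes"], matches_article(result))
```

To use it on real logs, pass the lines of VPXD.log, messages.log and hostd.log to `triage` in one list; the collected opIDs help line up the vCenter task with the host-side attempt.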


Environment

VMware vCenter Server Appliance 6.7.x
VMware vCenter Server Appliance 6.5.x
VMware vSphere ESXi 6.0

Cause

This issue occurs if the user_id that is used to join the CAM Server to Authentication Proxy doesn't have all the required permissions.

Resolution

 
  • Check the output of the following command. The output looks similar to the example below:
      /usr/lib/vmware-vmcam/bin/camconfig status

 Default Domain Name: <domain name>
 Default Domain User: vsphere_auth_proxy
 vCenter Server Address: localhost
 vCenter Server User: [email protected]
 vCenter Server Port: 80
  • Export the domain parameters to a vmcam.reg file and review its contents:
        /opt/likewise/bin/lwregshell export '[HKEY_THIS_MACHINE\Software\vmcam\Parameters\Domains]' ./vmcam.reg

     [HKEY_THIS_MACHINE\Software\vmcam\Parameters\Domains\<domain name>-YYYY-MM-DDTHH:MM:SS281Z]
"DomainName" = {
"value"="<domain name>"
}
"User" = {
"value"="vsphere_auth_proxy"
}

NOTE: vSphere Authentication Proxy interoperability between 6.0x hosts and 6.5x VC is not supported. You need to upgrade the ESXi hosts from 6.0 to 6.5 or 6.7.

Workaround:
Add the host to the domain manually, without using the authentication proxy.

Additional Information

Impact/Risks:
None