Customers implementing MS November patches causes VCSA (and potentially other products) to fail authentication

Article ID: 344879


Products

VMware vCenter Server

Issue/Introduction

Symptoms:

Customers disabling the use of RC4 for Kerberos tickets causes vCenter (and potentially other products) to fail authentication.

This has most likely followed implementing the Microsoft November patches listed below, which introduced events that warn of RC4-related connection requests.

Cumulative updates:

  • Windows Server 2022: KB5021656
  • Windows Server 2019: KB5021655
  • Windows Server 2016: KB5021654

Standalone Updates:

  • Windows Server 2012 R2: KB5021653
  • Windows Server 2012: KB5021652
  • Windows Server 2008 R2 SP1: KB5021651 (released November 18, 2022)
  • Windows Server 2008 SP2: KB5021657


Cause

vCenter is attempting to authenticate using RC4 on a domain where it is disabled. This is most likely because the vCenter computer object is limited by its msDS-SupportedEncryptionTypes attribute. It is also possible that the domain's default encryption attribute (DefaultDomainSupportedEncTypes) is set to use only RC4.

 

In the Security event log of the Windows domain controller, filter for event IDs 4768 and 4769, then search for the entries naming the vCenter computer account.

If the "Ticket Encryption Type" is not 0x12 but an RC4 type (0x17 or 0x18), this is most likely the issue.
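As an added verification script (not part of this KB, and not VMware's or Microsoft's code), the following PowerShell reads the vCenter computer object's msDS-SupportedEncryptionTypes attribute, decodes the bitmask, and then filters the domain controller's Security log for 4768/4769 events naming that account so the logged Ticket Encryption Type can be compared against 0x12. It is meant to run on a domain controller with the ActiveDirectory module; the computer name VCSA01 is an assumption.

```powershell
# Added example, not from the KB. Assumes it runs on a DC (or a host with RSAT
# and remote Security-log access) and that 'VCSA01' is the vCenter computer
# account's sAMAccountName without the trailing '$' (assumed name).
param(
    [string]$VcsaComputer = 'VCSA01',
    [int]$MaxEvents = 2000
)
Import-Module ActiveDirectory

# Bit values of the msDS-SupportedEncryptionTypes attribute.
$EncTypeBits = [ordered]@{ 0x01 = 'DES_CBC_CRC'; 0x02 = 'DES_CBC_MD5'; 0x04 = 'RC4_HMAC'; 0x08 = 'AES128'; 0x10 = 'AES256' }
# "Ticket Encryption Type" values as logged in events 4768/4769.
$TicketEtypes = @{ '0x11' = 'AES128'; '0x12' = 'AES256'; '0x17' = 'RC4_HMAC'; '0x18' = 'RC4_HMAC_EXP' }

# 1. Decode the attribute on the computer object (an unset attribute reads as 0).
$obj   = Get-ADComputer -Identity $VcsaComputer -Properties 'msDS-SupportedEncryptionTypes'
$mask  = [int]($obj.'msDS-SupportedEncryptionTypes')
$names = $EncTypeBits.Keys | Where-Object { $mask -band $_ } | ForEach-Object { $EncTypeBits[$_] }
"msDS-SupportedEncryptionTypes on {0} = 0x{1:X} ({2})" -f $VcsaComputer, $mask, $(if ($names) { $names -join ',' } else { 'not set' })
if (($mask -band 0x18) -eq 0) { Write-Warning "No AES flag set; the KB resolution sets the value to 24 (0x18)." }

# 2. Ticket events for this account: as requester (4768, TargetUserName)
#    or as the service the ticket was issued for (4769, ServiceName).
$account = $obj.SamAccountName.TrimEnd('$')
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4768, 4769 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
  ForEach-Object {
      $x = [xml]$_.ToXml()
      $d = @{}
      foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
      $who = if ($_.Id -eq 4768) { $d['TargetUserName'] } else { $d['ServiceName'] }
      if ($who -and $who.TrimEnd('$') -ieq $account) {
          $et = $d['TicketEncryptionType']
          [pscustomobject]@{
              Time    = $_.TimeCreated
              EventId = $_.Id
              Account = $who
              Etype   = $et
              Name    = $TicketEtypes[$et]
              RC4     = ($et -in '0x17', '0x18')   # True on the rows the KB says to look for
          }
      }
  } | Format-Table -AutoSize
```

Rows with RC4 = True and an attribute value without the AES bits point to the cause described above; after applying the resolution, new 4769 entries for the account should show 0x12.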

 

Resolution

Implement the Microsoft out-of-band patch on all domain controllers in the environment:

https://learn.microsoft.com/en-us/windows/release-health/status-windows-10-21H2#sign-in-failures-and-other-issues-related-to-kerberos-authentication

 

Then apply one of the following:

 

Option 1

  1. Open Active Directory Users and Computers
  2. Click "View" on the menu bar, and verify "Advanced Features" has a check next to it.
  3. Navigate to your vCenter computer object.
  4. Right click > Properties > Attribute Editor
  5. Set msDS-SupportedEncryptionTypes on the vCenter computer object in AD to "24".
  6. Once you click [OK], it will show up as 0x18; click [OK] again.
  7. Log out of vCenter, and close the browser.
  8. Log back into vCenter with a domain user.

 

Option 2

  1. From an administrative PowerShell prompt, run:

     Set-ADComputer -Identity vCENTER-AD-Object -KerberosEncryptionType AES128,AES256

     This sets the object attribute to 0x18.
  2. Log out of vCenter, and close the browser.
  3. Log back into vCenter with a domain user.