ESX fails to authenticate some active directory users with the error: Authentication failure (ASN.1 encoding ended unexpectedly)

Article ID: 306742


Products

VMware vSphere ESXi

Issue/Introduction

Symptoms:
  • After setting up the ESX Active Directory authentication as per http://www.vmware.com/vmtn/resources/582 , users cannot authenticate.
  • In the /var/log/messages log file, you see entries similar to:

    Apr 21 13:43:14 hostname sshd(pam_unix)[10205]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=remotehost user=myuser
    Apr 21 13:43:15 hostname sshd[10205]: pam_krb5[10205]: authentication fails for 'myuser' (myuser@MY.DOMAIN.COM): Authentication failure (ASN.1 encoding ended unexpectedly)
    Apr 21 13:43:17 hostname sshd[10205]: Failed password for myuser from remotehost port 1741 ssh2

  • In the domain controller's Security event log, you see a Failure Audit similar to:

    Type: Failure Audit
    Source: Security
    Category: Account Logon
    Event ID: 675
    User: NT AUTHORITY\SYSTEM
    Computer: <DC Host Name>
    Description:
    Pre-authentication failed:
    User Name: myuser
    User ID: NTADMIN\myuser
    Service Name: krbtgt/MY.DOMAIN.COM
    Pre-Authentication Type: 0x0
    Failure Code: 0x19
    Client Address: <IP of ESX Host>


Environment

VMware ESX Server 3.5.x
VMware ESX Server 3.0.x

Resolution

This issue occurs when Kerberos pre-authentication is required for the account in Active Directory. In the Event 675 entry, Failure Code 0x19 is KDC_ERR_PREAUTH_REQUIRED and Pre-Authentication Type 0x0 shows that the ESX host's initial AS-REQ carried no pre-authentication data; the pam_krb5 on ESX does not complete the pre-authentication exchange and reports the ASN.1 error instead. To allow the user to log on, pre-authentication must be disabled for that account.
Note: Without pre-authentication the KDC will issue an AS-REP, encrypted with the account's password-derived key, to any client that asks for it, which allows offline password guessing against that account. Disable pre-authentication only for the accounts that need to log on to ESX, make sure those accounts have strong passwords, and re-enable it when the requirement goes away.
You can disable pre-authentication on a per-user basis.
To disable pre-authentication:
  1. Access Active Directory Users and Computers and open the properties of the user account.
  2. On the Account tab, under Account options, select Do not require Kerberos preauthentication and click OK.
For computer accounts (for example, when an ESX hostname is used as the account), the Account tab does not offer the Do not require Kerberos preauthentication option. In this case, you must set the corresponding bit directly in the userAccountControl attribute.
To modify the userAccountControl attribute:
  1. In the domain controller, click Start > Run, type adsiedit.msc, and click OK. The ADSI Edit tool opens.

    Note: The ADSI Edit tool is included with the Windows 2003 Support Tools. To install the Support Tools, run Suptools.msi located at the Support\Tools folder in the Windows 2003 Server CD-ROM.

  2. Locate the computer account (DOMAIN\EXC$ in this example) under the Domain partition.
  3. Right-click DOMAIN\EXC$ and click Properties.
  4. Locate the UserAccountControl attribute in the Attributes list and click Edit.
  5. Add 4194304 (0x400000, the DONT_REQ_PREAUTH flag) to the current value. For example, if the current value is 512, the new value is 512 + 4194304 = 4194816. Add it only if the flag is not already set: if the current value is already 4194304 or greater with that bit set, adding again would corrupt the other flags.
  6. Click OK.
  7. Click Apply and then click OK.
  8. Quit ADSI Edit and then check if Event 675 stops for these accounts.
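The following PowerShell script is an added example and is not part of the VMware article; it performs the same userAccountControl change as the ADSI Edit steps above (for user and computer accounts alike) and adds the audit a practitioner would want afterwards, namely a list of every account in the domain that currently has pre-authentication disabled. It uses only the [ADSI] type accelerator and System.DirectoryServices, so it does not need the ActiveDirectory module. The distinguished name in the usage lines is an assumed placeholder; the OID 1.2.840.113556.1.4.803 is the standard LDAP bitwise-AND matching rule.

```powershell
# Added example, not from the VMware KB article.
# Sets or clears the DONT_REQ_PREAUTH bit (0x400000 = 4194304) in
# userAccountControl over ADSI, and audits which accounts have it set.

$DONT_REQ_PREAUTH = 0x400000   # 4194304, the value the article adds by hand

function Set-DoNotRequirePreauth {
    param(
        [Parameter(Mandatory)] [string] $DistinguishedName,
        [switch] $Clear   # remove the flag instead of setting it
    )
    $acct = [ADSI]("LDAP://" + $DistinguishedName)
    $uac  = [int] $acct.Properties["userAccountControl"].Value

    # Bitwise OR/AND instead of "current value + 4194304": running this
    # twice, or on an account that already has the flag, leaves the
    # remaining flags untouched.
    if ($Clear) { $new = $uac -band (-bnot $DONT_REQ_PREAUTH) }
    else        { $new = $uac -bor  $DONT_REQ_PREAUTH }

    if ($new -ne $uac) {
        $acct.Properties["userAccountControl"].Value = $new
        $acct.CommitChanges()
    }
    [pscustomobject]@{
        DN  = $DistinguishedName
        Old = ('0x{0:X}' -f $uac)
        New = ('0x{0:X}' -f $new)
        PreauthDisabled = (($new -band $DONT_REQ_PREAUTH) -ne 0)
    }
}

function Get-AccountsWithoutPreauth {
    param(
        [string] $SearchBase = ([ADSI]"LDAP://RootDSE").defaultNamingContext
    )
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]("LDAP://" + $SearchBase)
    # objectClass=user also matches computer accounts (computer derives
    # from user), so ESX host accounts show up here as well.
    # 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule.
    $searcher.Filter   = "(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=$DONT_REQ_PREAUTH))"
    $searcher.PageSize = 500
    [void] $searcher.PropertiesToLoad.AddRange(
        @("sAMAccountName", "userAccountControl", "distinguishedName"))

    foreach ($r in $searcher.FindAll()) {
        [pscustomobject]@{
            Account = [string] $r.Properties["samaccountname"][0]
            UAC     = ('0x{0:X}' -f [int] $r.Properties["useraccountcontrol"][0])
            DN      = [string] $r.Properties["distinguishedname"][0]
        }
    }
}

# Usage (the DN is an assumed placeholder; replace it with the real account):
Set-DoNotRequirePreauth -DistinguishedName "CN=EXC,CN=Computers,DC=my,DC=domain,DC=com"
Get-AccountsWithoutPreauth | Format-Table Account, UAC, DN -AutoSize
# Later, to restore pre-authentication on that account:
# Set-DoNotRequirePreauth -DistinguishedName "CN=EXC,CN=Computers,DC=my,DC=domain,DC=com" -Clear
```

Run the audit query periodically: every account it returns is one whose AS-REP can be requested without a password, so the list should contain only the accounts you deliberately exempted for ESX and nothing else.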