Trying to join ESXi host to Active Directory domain with vSphere Authentication Proxy fails with error "The specified vSphere Authentication Proxy server is not reachable, or has denied access to the service"

Article ID: 313918

Products

VMware vSphere ESXi

Issue/Introduction

  • Some organizations apply a least-privilege model ("least permissions", "least privileged user"), under which using Domain Administrator accounts for routine tasks such as domain joins is not acceptable. 
  • This article provides a workaround that lets an ESXi host be joined to the AD domain through vSphere Authentication Proxy without a Domain Admins account. 


Symptoms:
  • Joining an ESXi host to Active Directory using the vSphere Authentication Proxy service fails with the error:
    The specified vSphere Authentication Proxy Server is not reachable, or has denied access to the service.
  • In vmcamd-syslog.log you see the error: 
2021-03-25T12:12:30.983712+00:00 notice vmcamd t@139792763303680: [../../../server/vmcam/api.c,810]
2021-03-25T12:12:30.983777+00:00 info vmcamd t@139792763303680: VmCamSrvCreateMachineAccount failed. (5)
2021-03-25T12:12:30.983878+00:00 notice vmcamd t@139792763303680: [../../../server/vmcam/httpserv.c,231]
  • The same user can join the ESXi host to the Active Directory domain when the credentials are entered directly on the host (without vSphere Authentication Proxy). 
  • The host can be joined to the Active Directory domain with vSphere Authentication Proxy when the user has domain admin privileges. 


Cause

vSphere Authentication Proxy currently requires more permissions on the Computer object it creates in AD than Likewise needs to set the machine account password. These extra permissions are unrelated to the password attribute, but in practice they force the join account to be a member of "Domain Admins", which is a security concern in a least-privilege environment.

Resolution

A resolution is being planned for a future vSphere release.

Workaround:
This workaround applies only when the domain join fails with error code 5 in vmcamd-syslog.log, as shown below (the symptoms above show this to be a permissions failure on the Computer object, not a network or service reachability problem):

2021-03-25T12:12:30.983777+00:00 info vmcamd t@139792763303680: VmCamSrvCreateMachineAccount failed. (5)

Perform the following steps to delegate, to the AD user or group used for the join, the permissions needed to join an ESXi host to the domain through vSphere Authentication Proxy. 

The steps are an example; adapt the OU and the user or group to your environment: 
  1. Click Start, click Run, type dsa.msc, and then click OK.
  2. In the task pane, expand the domain node.
  3. Locate and right-click the OU that needs to be modified, and then click Delegate Control.
  4. In the Delegation of Control Wizard, click Next.
  5. Click Add to add a specific user or a specific group to the Selected users and groups list, and then click Next.
  6. In the Tasks to Delegate page, click Create a custom task to delegate, and then click Next.
  7. Click Only the following objects in the folder, and then from the list, select the Computer objects check box. Then select the check boxes below the list, Create selected objects in this folder and Delete selected objects in this folder.
  8. Click Next.
  9. In the Permissions list, select "Full Control". 
  10. Click Next, and then click Finish.
  11. Close the Active Directory Users and Computers MMC snap-in.
This grants the user Full Control over the attributes of the Computer objects in that OU, which is enough for vSphere Authentication Proxy to create and configure the host's computer account without Domain Admins membership. Because Full Control over Computer objects is still a broad right, delegate it on an OU reserved for the ESXi hosts' computer objects (and create the accounts there) rather than on the domain root or on an OU that also contains other computers.
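The same delegation as the dsa.msc wizard above, performed from PowerShell with the ActiveDirectory module, as an added example that is not part of the original article. It grants the join group Create/Delete of Computer objects on the OU and Full Control over the Computer objects beneath it, scoped by the schemaIDGUID of the computer class. The OU distinguished name and the group name are assumptions; replace them with your own, and run it as an account allowed to modify the OU's ACL.

```powershell
# Added example (not from the original article): delegate, on one OU, the rights the
# dsa.msc wizard grants: Create/Delete Computer objects in the OU and Full Control over
# the Computer objects it contains. Run as a user who may modify the OU's ACL.
Import-Module ActiveDirectory

$ouDN      = 'OU=ESXi Hosts,DC=corp,DC=example'   # assumption: OU reserved for ESXi computer objects
$groupName = 'ESXi-Domain-Join'                   # assumption: group containing the vmcam join account

# schemaIDGUID of the 'computer' object class. Scoping both ACEs to it keeps the
# delegation off users, groups and any other object types that may sit in the OU.
$computerClass = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'

$sid = (Get-ADGroup -Identity $groupName).SID
$acl = Get-Acl -Path "AD:\$ouDN"

# ACE 1: "Create selected objects in this folder" / "Delete selected objects in this folder"
# for Computer objects, applied to the OU itself (no inheritance).
$rightsCreateDelete = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild -bor [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild
$aceCreateDelete = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid,
    $rightsCreateDelete,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $computerClass,                                                     # objectType = computer class
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)

# ACE 2: "Full Control" on the Computer objects under the OU only (inherit-only ACE,
# limited to descendant objects of class computer).
$aceFullControl = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $computerClass)                                                     # inheritedObjectType = computer class

$acl.AddAccessRule($aceCreateDelete)
$acl.AddAccessRule($aceFullControl)
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Verify: list the ACEs now granted to the group on the OU. Expect one CreateChild/DeleteChild
# entry with ObjectType = computer class and one GenericAll entry with InheritedObjectType =
# computer class and InheritanceType = Descendents.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -like "*\$groupName" } |
    Select-Object ActiveDirectoryRights, AccessControlType, ObjectType, InheritanceType, InheritedObjectType |
    Format-Table -AutoSize
```

The second ACE is the broad one: GenericAll on every computer object below the OU is what vSphere Authentication Proxy currently needs, so keep the OU dedicated to ESXi hosts. If you later want to verify that the join account holds nothing wider, run the same Get-Acl query at the domain root and on the other OUs and confirm the group appears in none of them.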