"gss_acquire_cred failed" error logging in to the vCenter Server Appliance 5.5/6.x/7.0

Article ID: 315428

Products

VMware vCenter Server

Issue/Introduction

Symptoms:
  • Logging in to vCenter Server Appliance using Windows Session Credentials fails with the error:

    A general system error occurred: gss_acquire_cred failed
     
  • Manually entering the credentials fails with the error:

    Cannot complete login due to an incorrect user name or password
  • In the /var/log/vmware/sso/vmware-sts-idmd.log file, you see entries similar to:

    YYYY-MM-YY <time> ERROR [IdentityManager] Failed to authenticate principal [username@domain] for tenant [vsphere.local]
    com.vmware.identity.interop.idm.IdmNativeException: Native platform error [code: 1213][ERROR_INVALID_SERVICENAME][]
    at com.vmware.identity.interop.idm.LinuxIdmNativeAdapter.AuthenticateByPassword(LinuxIdmNativeAdapter.java:180)
    at com.vmware.identity.idm.server.provider.activedirectory.ActiveDirectoryProvider.authenticate(ActiveDirectoryProvider.java:251)
    at com.vmware.identity.idm.server.IdentityManager.authenticate(IdentityManager.java:2484)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at sun.rmi.server.UnicastServerRef.dispatch(Unknown Source)
    at sun.rmi.transport.Transport$2.run(Unknown Source)
    at sun.rmi.transport.Transport$2.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.rmi.transport.Transport.serviceCall(Unknown Source)
    at sun.rmi.transport.tcp.TCPTransport.handleMessages(Unknown Source)
    at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run0(Unknown Source)
    at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.access$400(Unknown Source)
    at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler$1.run(Unknown Source)
    at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler$1.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)

    Note: This log excerpt is an example. Date, time, and environmental variables may vary depending on your environment.


Environment

VMware vCenter Server Appliance 6.7.x
VMware vCenter Server Appliance 6.0.x
VMware vCenter Server Appliance 5.5.x
VMware vCenter Server Appliance 6.5.x
VMware vCenter Server 7.0.x

Cause

The computer account registered with Active Directory has attributes which reference the FQDN of the machine at the time it was joined to the domain. Changing the FQDN causes a mismatch between the new hostname and the Active Directory machine account.
  • This issue occurs in vCenter Server 5.5 when the hostname of the vCenter Server Appliance machine is changed after joining the machine to the domain.
  • In vCenter Server 6.x, this issue occurs when the hostname of the Platform Services Controller machine is changed after joining the domain.

Resolution

Process to Verify Hostname:

To verify that the hostname of the vCenter Server Appliance matches the entry in Active Directory, run these commands on vCenter Server 5.5, or on the Platform Services Controller (PSC) / vCenter Server 6.x / vCenter Server 7.0.
  1. Run this command to verify the vCenter Server Appliance or Platform Services Controller FQDN:

    /opt/likewise/bin/domainjoin-cli query | grep 'Name\|Domain' | head -2 | awk '{print $NF}' | paste -d "." - -
     
  2. Verify the FQDN of the vCenter Server Appliance or Platform Services Controller machine account in Active Directory with this command:

    /opt/likewise/bin/lw-lsa ad-get-machine account | grep FQDN | awk '{print $NF}' | paste -d "" - -
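
The two checks above combined into one script, as an added example that is not part of the original article. It runs the Step 1 and Step 2 commands and compares the results; the function names are hypothetical, and treating case and a trailing dot as insignificant is an assumption of this example (DNS names are case-insensitive).

```bash
#!/bin/bash
# Added example: compare the local FQDN with the AD machine-account FQDN.
LW=/opt/likewise/bin   # directory used by the commands in this article

# Lower-case the name, strip whitespace/CR and one trailing dot, so that
# "VCSA01.Example.COM." and "vcsa01.example.com" compare equal.
normalize_fqdn() {
    printf '%s' "$1" | tr -d '[:space:]' | tr '[:upper:]' '[:lower:]' | sed 's/\.$//'
}

# compare_fqdn LOCAL AD
# Returns 0 = match, 1 = mismatch, 2 = a value is empty (for example the
# machine is not joined, or one of the commands produced no output).
compare_fqdn() {
    local_fqdn=$(normalize_fqdn "$1")
    ad_fqdn=$(normalize_fqdn "$2")
    if [ -z "$local_fqdn" ] || [ -z "$ad_fqdn" ]; then
        echo "UNKNOWN: empty FQDN (local='$local_fqdn' ad='$ad_fqdn')"
        return 2
    fi
    if [ "$local_fqdn" = "$ad_fqdn" ]; then
        echo "MATCH: $local_fqdn"
        return 0
    fi
    echo "MISMATCH: local=$local_fqdn ad=$ad_fqdn"
    return 1
}

check_vcsa_fqdn() {
    # Step 1 and Step 2 pipelines, verbatim from this article.
    l=$("$LW/domainjoin-cli" query | grep 'Name\|Domain' | head -2 | awk '{print $NF}' | paste -d "." - -)
    a=$("$LW/lw-lsa" ad-get-machine account | grep FQDN | awk '{print $NF}' | paste -d "" - -)
    compare_fqdn "$l" "$a"
}

# Run the check only on a machine where the Likewise tools are present.
if [ -x "$LW/domainjoin-cli" ] && [ -x "$LW/lw-lsa" ]; then
    check_vcsa_fqdn
fi
```

A MISMATCH result corresponds to the condition handled in the next section; UNKNOWN means one of the commands returned nothing and should be run by hand.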

If Hostname Does not Match:

If the hostname does not match the FQDN for the machine account, perform one of these actions:
  • Rename the vCenter Server or Platform Services Controller back to the FQDN from the output of the command from Step 2.
    Note: For vCenter Server 7.0, rename the vCenter hostname back to the FQDN.
  • Leave and rejoin the domain while keeping the current hostname of the machine. For more information, see:
     


Additional Information

Platform Services Controller 6.x in High Availability mode cannot be joined to Windows domain
Logging in to vCenter Server Appliance 5.1, 5.5, and 6.0 fails with the error: A general system error occurred: gss_acquire_cred failed