This article provides guidance when troubleshooting issues related to Active Directory authentication in vCenter Server.
Typical symptoms are entries similar to the following in the vCenter Server logs:
Failed to find user, group, or domain by name (name = '<AD_USER>', searched host = '<DOMAIN_CONTROLLER>') -> error = 40098, symbol = LW_ERROR_RPC_OPENPOLICY_FAILED
Detected domain 'domain.example' offline. Some group information from this domain might be missing
DNS lookup for '_ldap._tcp.dc._msdcs.domain.example' failed with errno 110 (Connection timed out)
lwsmd: Restarting dead service: netlogon (attempt 1/2)
Use the following methods to determine the cause of AD Authentication issues.
Login attempts are typically recorded in log files or the system journal and look similar to the example below.
[2020-03-18T17:20:02.958Z tomcat-http--11 vsphere.local b9a75dd5-0ae6-4304-8dcf-885ac1a04bf2 INFO com.vmware.identity.idm.server.IdentityManager] Authentication succeeded for user [USER@DOMAIN.EXAMPLE] in tenant [vsphere.local] in [131] milliseconds with provider [DOMAIN.EXAMPLE] of type [com.vmware.identity.idm.server.provider.activedirectory.ActiveDirectoryProvider]
On the appliance, the journal can be searched with journalctl -b (press / in the pager and enter the offending username to search). Example: [error] [USER] [ ] [1409351611] [Cannot login USER@##.###.###.##]
The log entry above shows the timestamp of the attempt, the tenant (vsphere.local), the user and the domain they authenticated against, how long the attempt took in milliseconds, and the identity provider that handled it. Counting entries per user over time is how excessive logins are spotted.
Defining a hard upper limit for the number of login attempts vCenter can sustain is difficult because it depends on the latency between the likewise service on the VCSA and the domain controllers' responses. As a rule of thumb, several logins per minute from a single source indicate that the solution or product is not using sessions properly, for example by authenticating anew for every request instead of reusing a session.
Excessive logins must be addressed at their source, usually with a patch or workaround.
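The following script, added here as an example and not part of VMware's documentation, applies the triage above to the IdentityManager audit line shown earlier: it counts authentications per user per minute to find login storms, lists slow authentications, and tallies the symptom messages quoted at the top of this page. The sample log lines are constructed, and the thresholds (10 logins per minute, 5000 ms) are assumptions rather than VMware figures.

```python
"""Triage vCenter SSO authentication logs for login storms and AD symptoms.

Added example, not VMware code. SAMPLE_LOG is constructed; the thresholds
of 10 logins per minute and 5000 ms are assumptions, not VMware figures.
"""
import re
from collections import Counter, defaultdict

# The IdentityManager audit line: timestamp (kept to the minute), outcome,
# user, tenant, latency and provider. "failed" is assumed to share the
# format of the "succeeded" line quoted on the page.
AUTH_RE = re.compile(
    r"^\[(?P<minute>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}):\d{2}\.\d+Z [^\]]*\] "
    r"Authentication (?P<outcome>succeeded|failed) for user "
    r"\[(?P<user>[^\]]+)\] in tenant \[(?P<tenant>[^\]]+)\]"
    r"(?: in \[(?P<ms>\d+)\] milliseconds)?"
    r"(?: with provider \[(?P<provider>[^\]]+)\])?"
)

# Symptom messages as quoted on this page.
SYMPTOMS = {
    "domain_offline": re.compile(r"Detected domain '[^']+' offline"),
    "dns_srv_failed": re.compile(r"DNS lookup for '_ldap\._tcp\.[^']+' failed"),
    "netlogon_restart": re.compile(r"lwsmd: (?:Restarting dead service|Service died): netlogon"),
    "rpc_openpolicy_failed": re.compile(r"LW_ERROR_RPC_OPENPOLICY_FAILED"),
}


def parse_auth(line):
    """Return the fields of an authentication audit line, or None."""
    m = AUTH_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ms"] = int(rec["ms"]) if rec["ms"] else None
    return rec


def logins_per_minute(lines):
    """Count authentication attempts per (user, minute)."""
    counts = Counter()
    for rec in filter(None, map(parse_auth, lines)):
        counts[(rec["user"].lower(), rec["minute"])] += 1
    return counts


def noisy_users(lines, threshold=10):
    """Users with more than `threshold` attempts in any single minute."""
    peak = defaultdict(int)
    for (user, _minute), n in logins_per_minute(lines).items():
        peak[user] = max(peak[user], n)
    return {u: n for u, n in peak.items() if n > threshold}


def slow_auths(lines, max_ms=5000):
    """Authentications slower than max_ms (requests queueing in likewise)."""
    return [r for r in filter(None, map(parse_auth, lines)) if r["ms"] and r["ms"] > max_ms]


def symptom_summary(lines):
    """Count occurrences of each AD symptom message."""
    counts = Counter()
    for line in lines:
        for name, rx in SYMPTOMS.items():
            if rx.search(line):
                counts[name] += 1
    return dict(counts)


def _auth_line(ts, user, ms):
    """Build a constructed sample line in the page's IdentityManager format."""
    return (
        f"[{ts} tomcat-http--11 vsphere.local 00000000-0000-0000-0000-000000000000 INFO "
        f"com.vmware.identity.idm.server.IdentityManager] Authentication succeeded for user "
        f"[{user}] in tenant [vsphere.local] in [{ms}] milliseconds with provider "
        f"[DOMAIN.EXAMPLE] of type "
        f"[com.vmware.identity.idm.server.provider.activedirectory.ActiveDirectoryProvider]"
    )


# Constructed sample: a service account logging in every four seconds
# (15 times in one minute), one human user, and the symptom lines from above.
SAMPLE_LOG = [
    _auth_line(f"2020-03-18T17:20:{s:02d}.000Z", "svc-backup@DOMAIN.EXAMPLE", 120)
    for s in range(0, 60, 4)
] + [
    _auth_line("2020-03-18T17:21:02.958Z", "alice@DOMAIN.EXAMPLE", 131),
    _auth_line("2020-03-18T17:21:40.100Z", "alice@DOMAIN.EXAMPLE", 7200),
    "Detected domain 'child.domain.example' offline. Some group information from this domain might be missing",
    "DNS lookup for '_ldap._tcp.dc._msdcs.child.domain.example' failed with errno 110 (Connection timed out)",
    "lwsmd: Restarting dead service: netlogon (attempt 1/2)",
    "lwsmd: Service died: netlogon (restarted 2 times in 12 seconds)",
]

if __name__ == "__main__":
    print("noisy users:", noisy_users(SAMPLE_LOG))
    print("slow auths:", [(r["user"], r["ms"]) for r in slow_auths(SAMPLE_LOG)])
    print("symptoms:", symptom_summary(SAMPLE_LOG))
```

On a real appliance, feed the functions the lines of the identity service log (or the output of journalctl -b) instead of SAMPLE_LOG; a user that peaks well above a handful of logins per minute is the source to take back to the product's vendor, and a rising slow_auths count alongside netlogon restarts points at latency or trusted-domain trouble rather than at a single noisy client.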
Problems communicating with domain controllers in trusted or child domains are a known cause of AD authentication failures. Failed queries to these domains can build up and eventually crash likewise. The following error indicates that a trusted domain is not responding:
Detected domain 'domain.example' offline. Some group information from this domain might be missing
AD communication issues may also be related to DNS. vCenter requires working forward and reverse resolution for every domain controller it communicates with, including those in trusted and child domains.
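As an added example, not VMware code, the following script checks what this paragraph asks for: it discovers the domain controllers through the _ldap._tcp.dc._msdcs.<domain> SRV record (the lookup seen failing in the symptoms above), resolves each controller forward, and verifies that the PTR record of every returned address points back to the same name. The resolver functions are injectable, so the script runs offline against the constructed FAKE_DNS table; the srv_targets helper assumes the dnspython package for real SRV queries.

```python
"""Verify forward and reverse DNS for every domain controller of an AD domain.

Added example, not VMware code. Resolver functions are parameters so the
check runs offline against the constructed FAKE_DNS table; without
arguments it uses real resolvers (dnspython for SRV, socket for A and PTR).
"""
import socket


def srv_targets(name):
    """SRV lookup via dnspython (the standard library has no SRV query)."""
    import dns.resolver  # assumed dependency: pip install dnspython
    return [str(r.target) for r in dns.resolver.resolve(name, "SRV")]


def forward_lookup(host):
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None, socket.AF_INET)})


def reverse_lookup(ip):
    return socket.gethostbyaddr(ip)[0]


def check_dc_dns(domain, srv=srv_targets, forward=forward_lookup, reverse=reverse_lookup):
    """Return {dc_fqdn: [problems]}; an empty list means the DC resolves cleanly
    in both directions. A failed or empty SRV lookup is reported under the domain."""
    srv_name = f"_ldap._tcp.dc._msdcs.{domain}"
    try:
        dcs = srv(srv_name)
    except Exception as exc:
        return {domain: [f"SRV lookup for {srv_name} failed: {exc}"]}
    if not dcs:
        return {domain: [f"SRV record {srv_name} lists no domain controllers"]}

    report = {}
    for dc in dcs:
        dc = dc.rstrip(".").lower()
        try:
            ips = forward(dc)
        except Exception as exc:
            report[dc] = [f"forward lookup failed: {exc}"]
            continue
        if not ips:
            report[dc] = ["forward lookup returned no address"]
            continue
        problems = []
        for ip in ips:
            try:
                ptr = reverse(ip).rstrip(".").lower()
            except Exception as exc:
                problems.append(f"reverse lookup for {ip} failed: {exc}")
                continue
            if ptr != dc:
                problems.append(f"PTR for {ip} is {ptr!r}, expected {dc!r}")
        report[dc] = problems
    return report


# Constructed DNS data: dc2's PTR is stale, the child domain advertises no
# controllers, and any other name times out like the symptom above.
FAKE_DNS = {
    "srv": {
        "_ldap._tcp.dc._msdcs.domain.example": ["dc1.domain.example.", "dc2.domain.example."],
        "_ldap._tcp.dc._msdcs.child.domain.example": [],
    },
    "a": {"dc1.domain.example": ["10.0.0.1"], "dc2.domain.example": ["10.0.0.2"]},
    "ptr": {"10.0.0.1": "dc1.domain.example.", "10.0.0.2": "old-dc2.domain.example."},
}


def fake_srv(name):
    if name not in FAKE_DNS["srv"]:
        raise TimeoutError("errno 110 (Connection timed out)")
    return FAKE_DNS["srv"][name]


def fake_forward(host):
    return FAKE_DNS["a"][host]


def fake_reverse(ip):
    return FAKE_DNS["ptr"][ip]


if __name__ == "__main__":
    for d in ("domain.example", "child.domain.example", "unreachable.example"):
        print(d, check_dc_dns(d, srv=fake_srv, forward=fake_forward, reverse=fake_reverse))
```

Run it against the real resolvers from the VCSA itself, not from a workstation, because likewise uses the appliance's own DNS settings; a stale PTR like the one for dc2 in the fake data is exactly the mismatch that goes unnoticed until Kerberos or RPC calls to that controller start failing.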
Even without excessive logins, likewise can still become overwhelmed when latency between vCenter and Active Directory is high: authentication requests queue up in likewise and eventually fail.
If the vCenter Server Appliance is under-sized for the load its environment places on it, authentication can fail along with other operations.
The netlogon daemon is responsible for communication with the domain controllers. A known issue with netlogond crashes has been resolved in vCenter Server 6.7 Update 3.
When netlogond crashes and is restarted by the likewise service manager (lwsmd), it logs entries similar to the following:
lwsmd: Restarting dead service: netlogon (attempt 1/2)
lwsmd: Service died: netlogon (restarted 2 times in 12 seconds)
Creating a dedicated vCenter Single Sign-On domain service account (for example in vsphere.local) for products or solutions that authenticate to vCenter with Active Directory credentials can alleviate some of the performance impact, because logins to the local SSO domain do not pass through likewise and Active Directory. See Managing vCenter Single Sign-On Users and Groups for more information.
Configuring vCenter Server to use Active Directory over LDAP (LDAPS) as the identity source instead of Integrated Windows Authentication also helps with excessive logins and likewise-related delays, because that identity source queries the domain controllers directly over LDAP rather than through likewise. See Active Directory LDAP Server and OpenLDAP Server Identity Source Settings for more information.