Logging in to VMware ESXi using domain credentials fails with the error: Invalid user name or credentials

Article ID: 337908

Products

VMware vSphere ESXi

Issue/Introduction

Symptoms:
  • After adding a host to Active Directory, you are unable to log in using Active Directory credentials
  • When logging in, you see the error:

    Invalid user name or credentials

  • When logging in to the host through SSH, the session terminates after entering your password
  • You do not see all domains populated under Configuration > Authenticated Services > Trusted Domain Controllers within a VMware vSphere Client session connected directly to the host
  • The user you are attempting to authenticate is a member of groups located across multiple domains
  • In the /var/log/netlogond.log file of the host, you see errors similar to:

    <MM-DD-YYYY> <time>:DEBUG:0x60140b70: Error code: 40121 (symbol: LW_ERROR_DOMAIN_IS_OFFLINE)
    <MM-DD-YYYY> <time>:0xff942b70:DEBUG:[LWNetGetPreferredDcList()] Error at /build/mts/release/bora-2286303/likewise/esxi-esxi/src/linux/netlogon/server/api/lwnet-plugin.c:201 [code: 2453]
    <DATE> <time>:0xffdb6b90:ERROR:[LWNetDnsQueryWithBuffer() /build/mts/release/bora-1474033/likewise/esxi-esxi/src/linux/netlogon/utils/lwnet-dns.c:1185] DNS lookup for '_ldap._tcp.EDIS._sites.dc._msdcs.domain.com' failed with errno 0, h_errno = 1


  • In the /var/log/lsassd.log file of the host, you see errors similar to:

    ld/mts/release/bora-1028347/likewise/esxi-esxi/src/linux/lsass/server/auth-providers/ad-provider/lsadm_p.c:2419] Error code: 40044 (symbol: LW_ERROR_NO_SUCH_DOMAIN)
    release/bora-1028347/likewise/esxi-esxi/src/linux/lsass/server/auth-providers/ad-provider/lsadm_p.c:1308] Do not know about domain 'domain.com'
    ld/mts/release/bora-1028347/likewise/esxi-esxi/src/linux/lsass/server/auth-providers/ad-provider/lsadm_p.c:2419] Error code: 40044 (symbol: LW_ERROR_NO_SUCH_DOMAIN)





Environment

VMware vSphere ESXi 5.1
VMware vSphere ESXi 5.5

Cause

This issue occurs when the netlogond service cannot contact the domain through the chosen domain controller. The Likewise service uses CLDAP pings to choose the best domain controller for the ESXi host to contact for Active Directory user and group information. If the chosen domain controller is unable to contact a domain containing a group that the user is a member of, you see the preceding symptoms.
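
To see which domain the host cannot reach, the signatures listed under Symptoms can be pulled out of copies of netlogond.log and lsassd.log. The Python script below is an added example, not VMware tooling; the function names and the sample lines are constructed for illustration, and the h_errno names are the standard resolver values from netdb.h.

```python
import re
import sys
from collections import Counter

# Patterns copied from the log excerpts in the Symptoms section.
SYMBOL_RE = re.compile(r"Error code: (\d+) \(symbol: (LW_ERROR_\w+)\)")
SRV_RE = re.compile(r"DNS lookup for '([^']+)' failed with errno \d+, h_errno = (\d+)")
UNKNOWN_RE = re.compile(r"Do not know about domain '([^']+)'")
# Resolver h_errno values from <netdb.h>.
H_ERRNO = {1: "HOST_NOT_FOUND", 2: "TRY_AGAIN", 3: "NO_RECOVERY", 4: "NO_DATA"}

def srv_domain(name):
    """Domain part of a DC-locator SRV name (_ldap._tcp[.<site>._sites].dc._msdcs.<domain>)."""
    _, sep, domain = name.lower().partition("._msdcs.")
    return domain if sep else None

def triage(lines):
    """Count the AD lookup failures from this article per error symbol and per domain."""
    symbols, domains = Counter(), Counter()
    for line in lines:
        m = SYMBOL_RE.search(line)
        if m:
            symbols[m.group(2)] += 1
        m = SRV_RE.search(line)
        if m:
            reason = H_ERRNO.get(int(m.group(2)), "h_errno %s" % m.group(2))
            domains[(srv_domain(m.group(1)), "SRV lookup failed: " + reason)] += 1
        m = UNKNOWN_RE.search(line)
        if m:
            domains[(m.group(1).lower(), "unknown to lsassd")] += 1
    return symbols, domains

# Constructed sample lines modelled on the excerpts above (not real host output).
SAMPLE = [
    "01-02-2015 10:00:01:DEBUG:0x60140b70: Error code: 40121 (symbol: LW_ERROR_DOMAIN_IS_OFFLINE)",
    "01-02-2015 10:00:01:0xffdb6b90:ERROR:[LWNetDnsQueryWithBuffer() lwnet-dns.c:1185] DNS lookup for "
    "'_ldap._tcp.EDIS._sites.dc._msdcs.domain.com' failed with errno 0, h_errno = 1",
    "lsadm_p.c:1308] Do not know about domain 'domain.com'",
    "lsadm_p.c:2419] Error code: 40044 (symbol: LW_ERROR_NO_SUCH_DOMAIN)",
]

if __name__ == "__main__":
    # Pass copies of netlogond.log / lsassd.log as arguments; with none, the sample is used.
    lines = [l for p in sys.argv[1:] for l in open(p, errors="replace")] or SAMPLE
    symbols, domains = triage(lines)
    for sym, n in symbols.most_common():
        print("%-32s %d" % (sym, n))
    for (domain, why), n in domains.most_common():
        print("%-32s %-40s %d" % (domain, why, n))
```

The domains it reports are the ones the preferred domain controller in the workaround must be able to reach.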

Resolution

This is a known issue affecting ESXi 5.x.

Currently, there is no resolution.

To work around this issue, specify a preferred domain controller that can contact the domains containing the groups that the authenticating user is a member of.

To specify a preferred domain controller:
  1. Connect directly to the host using the vSphere Client.
  2. Select ESX Server > Configuration > Advanced Settings > UserVars.ActiveDirectoryPreferredDomainControllers.
  3. Enter the IP address or FQDN of the preferred domain controller.
  4. Click OK to apply the changes.


Additional Information


Logging in to an ESXi host using a domain account fails with the following error: Invalid user name or credentials