Attempting to login or join the domain fails in vCenter server when user is a member of the Active Directory Protected Users Group.
Article ID: 338635
Updated On:
Products
VMware vCenter Server
VMware vCenter Server 6.0
VMware vCenter Server 7.0
VMware vCenter Server 8.0
Issue/Introduction
-
Attempting to join an ESXi host or VCSA to the domain fails
-
Attempting to add an ldap Identity Source fails
-
Attempting to login with a user account fails
-
Attempting to login to vCenter with domain credentials throws the following
Invalid credentialsError. -
In the security logs of the domain controller you observe the following Credential Validation Error:
NTLM authentication failed because the account was a member of the Protected User group
Error message screenshot for reference :
Environment
VMware vCenter Server 8.0.x
VMware vCenter Server 7.0.x
VMware vCenter Server 6.0.x
Cause
Introduced in Windows Server 2012 R2 and later versions domain controllers, the Protected Users Security Group by design is inherently restrictive.
"
Accounts that are members of the Protected Users group that authenticate to a Windows Server 2012 R2 domain are unable to:
"
Members of this group automatically have non-configurable protections applied to their accounts. Membership in the Protected Users group is meant to be restrictive and proactively secure by default."Accounts that are members of the Protected Users group that authenticate to a Windows Server 2012 R2 domain are unable to:
-
Authenticate with NTLM authentication.
-
Use DES or RC4 encryption types in Kerberos pre-authentication.
-
Be delegated with unconstrained or constrained delegation.
-
Renew the Kerberos TGTs beyond the initial four-hour lifetime.
Resolution
There is no resolution
Workaround:
Utilize a user account outside of the 'Protected Users' Group in Active Directory.
Workaround:
Utilize a user account outside of the 'Protected Users' Group in Active Directory.
Additional Information
Feedback
Yes
No
Powered by
