Attempting to login or join the domain fails when user is a member of the Active Directory Protected Users Group
Article ID: 338635
Updated On:
Products
VMware vCenter Server
VMware vCenter Server 6.0
VMware vCenter Server 7.0
VMware vCenter Server 8.0
Issue/Introduction
Symptoms:
- Attempting to join an ESXi host or VCSA to the domain fails
- Attempting to add an ldap Identity Source fails
- Attempting to login with a user account fails
- Attempting to login to vCenter with domain credentials throws the following
Invalid credentialsError. - In the security logs of the domain controller you observe the following Credential Validation Error:
NTLM authentication failed because the account was a member of the Protected User group
Environment
- VMware vCenter Server 8.0.x
- VMware vCenter Server 7.0.x
- VMware vCenter Server 6.0.x
Cause
Introduced in Windows Server 2012 R2 and later versions domain controllers, the Protected Users Security Group by design is inherently restrictive.
"
Accounts that are members of the Protected Users group that authenticate to a Windows Server 2012 R2 domain are unable to:
"
Members of this group automatically have non-configurable protections applied to their accounts. Membership in the Protected Users group is meant to be restrictive and proactively secure by default."Accounts that are members of the Protected Users group that authenticate to a Windows Server 2012 R2 domain are unable to:
-
Authenticate with NTLM authentication.
-
Use DES or RC4 encryption types in Kerberos pre-authentication.
-
Be delegated with unconstrained or constrained delegation.
-
Renew the Kerberos TGTs beyond the initial four-hour lifetime.
Resolution
There is no resolution
Workaround:
Utilize a user account outside of the 'Protected Users' Group
Workaround:
Utilize a user account outside of the 'Protected Users' Group
Additional Information
https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/protected-users-security-group
Feedback
Yes
No
Powered by
