Joining ESXi host to Active Directory using vSphere Authentication Proxy fails with the error: The specified vSphere Authentication Proxy Server is not reachable, or has denied access to the service
search cancel

Joining ESXi host to Active Directory using vSphere Authentication Proxy fails with the error: The specified vSphere Authentication Proxy Server is not reachable, or has denied access to the service

book

Article ID: 340932

calendar_today

Updated On:

Products

VMware vCenter Server

Issue/Introduction

Symptoms:

  • Joining an ESXi host to Active Directory using the vSphere Authentication Proxy service fails with the error:

    The specified vSphere Authentication Proxy Server is not reachable, or has denied access to the service.
     
  • In the hostd.log file, located at /var/log/, you see entries similar to:

    <YYY-MM-DDTHH:MM:SS>.506Z [34564B90 info 'Vimsvc.TaskManager' opID=########-######B3-a3-fa] Task Created : haTask-ha-hostvim.host.ActiveDirectoryAuthentication.joinDomainWithCAM-305724229
    CamHttpQueryDomainInfo: 13
    <YYY-MM-DDTHH:MM:SS>.880Z [34564B90 error 'ActiveDirectoryAuthentication' opID=########-######B3-a3-fa] vmwauth ConnectionRefusedException: Exception 0x000004c9: The remote computer refused the network connection.
    <YYY-MM-DDTHH:MM:SS>.880Z [34564B90 info 'Vimsvc.ha-eventmgr' opID=########-######B3-a3-fa] Event 85 : Join domain failed.
    <YYY-MM-DDTHH:MM:SS>.881Z [34564B90 info 'Vimsvc.TaskManager' opID=########-######B3-a3-fa] Task Completed : haTask-ha-host-vim.host.ActiveDirectoryAuthentication.joinDomainWithCAM-305724229 Status error
    <YYY-MM-DDTHH:MM:SS>.216Z [34440B90 verbose 'SoapAdapter'] Responded to service state request
    <YYY-MM-DDTHH:MM:SS>.609Z [FFDC2B90 info 'Solo.Vmomi'] Activation [N5Vmomi10ActivationE:0x5720578] : Invoke done [waitForUpdates] on [vmodl.query.PropertyCollector:ha-property-collector]
    <YYY-MM-DDTHH:MM:SS>.609Z [FFDC2B90 verbose 'Solo.Vmomi'] Arg version:
    "2"
<YYY-MM-DDTHH:MM:SS>.609Z [FFDC2B90 info 'Solo.Vmomi'] Throw vmodl.fault.RequestCanceled
<YYY-MM-DDTHH:MM:SS>.609Z [FFDC2B90 info 'Solo.Vmomi'] Result:
(vmodl.fault.RequestCanceled) {
dynamicType = <unset>,
faultCause = (vmodl.MethodFault) null,
msg = "",
}
  • In the vpxd.log file, located at C:\ProgramData\VMware\VMware VirtualCenter\Logs\, you see entries similar to:

    <YYY-MM-DDTHH:MM:SS>.089+01:00 [01616 info 'Default' opID=########-######B3-a3] [VpxLRO] -- ERROR task-70 -- host-38 -- vim.host.ActiveDirectoryAuthentication.joinDomainWithCAM:
    vim.fault.CAMServerRefusedConnection:

    Result:
(vim.fault.CAMServerRefusedConnection) {
dynamicType = <unset>,
faultCause = (vmodl.MethodFault) null,
errorCode = 1225,
camServer = "10.10.10.102",
msg = "The specified vSphere Authentication Proxy server is not reachable, or has denied access to the service.",
}
Args:



Environment

VMware vCenter Server 5.1.x
VMware vCenter Server 5.5.x
VMware vCenter Server 6.0.x

Cause

This issue occurs if the Authentication Proxy service is not listening on port 51915.

Resolution

To resolve this issue, change the Authentication Proxy service to port 51915.
 
To change the Authentication Proxy service to port 51915:
  1. Log in to the server that is running the vSphere Authentication Proxy as an administrative user. Click Start > Run, type services.msc and click OK.
  2. Right-click Authentication Proxy Services and click Stop.
  3. Open Server Manager and navigate to Roles > Web Server > Internet Authentication Services > Computer Account Manager > Bindings.
  4. Select https and select Edit Change Port.
  5. Change the current port to 51915.
  6. Modify the vmconfig-cam.xml file, located at C:\ProgramData\VMware\vSphere Authentication Proxy\, using the text editor. Set the port to 51915.
  7. Open the C:\ProgramData\VMware\vSphere Authentication Proxy\ssl directory and remove any host-XX files.
  8. Restart the Authentication Proxy Services service.


Additional Information

Currently vSphere Authentication Proxy supports only IIS 6 and IIS 7. Windows 2012 and 2012 R2 running IIS 8.x are not supported.
 

To be alerted when this document is updated, click the Subscribe to Article link in the Actions box