"Error trying to join AD, error code [40705]" when connecting vCenter Server Appliance to an Active Directory
Article ID: 342780
Updated On:
Products
VMware vCenter Server
Issue/Introduction
Symptoms:
When connecting a vCenter Server Appliance5.1, 5.5, or 6.0 to an Active Directory domain with a large number of trusts, you experience these symptoms:
When connecting a vCenter Server Appliance5.1, 5.5, or 6.0 to an Active Directory domain with a large number of trusts, you experience these symptoms:
- The vSphere Web Client displays the error:
Idm client exception: Error trying to join AD, error code [40705]
- Joining the vCenter Server Appliance from an SSH sessions fails with the error:
ERROR:Undocumented exception [code 0x00009f01]
An undocumented exception has occurred. Please contact Likewise technical support and use the error code to identify this exception.
- In the var/log/vmware/vpx/vpxd.log file, you see entries similar to:
<YYYY-MM-DD>T<time>[7FB339EC6700 error 'GSSAPI' opID=19164CE5-00000004-ee] gss_acquire_cred failed: (0x000d0000, 0x96c73ae0)
<YYYY-MM-DD>T<time>[7FB339EC6700 info 'commonvpxLro' opID=19164CE5-00000004-ee] [VpxLRO] -- FINISH task-internal-151 -- -- vim.SessionManager.loginBySSPI --
<YYYY-MM-DD>T<time>[7FB339EC6700 info 'Default' opID=19164CE5-00000004-ee] [VpxLRO] -- ERROR task-internal-151 -- -- vim.SessionManager.loginBySSPI: vmodl.fault.SystemError:
--> Result:
--> (vmodl.fault.SystemError) {
--> dynamicType = <unset>,
--> faultCause = (vmodl.MethodFault) null,
--> reason = "gss_acquire_cred failed",
--> msg = "",
--> }
--> Args:
-->
<YYYY-MM-DD>T<time>[7FB33A3D0700 warning 'VpxProfiler' opID=4b7edf4f-SWI-5ca6ac4b] VpxUtil_InvokeWithOpId [TotalTime] took 30005 ms
<YYYY-MM-DD>T<time>[7FB340941700 info 'vpxdvpxdMoLicenseManager'] [LicMgr] No vm-based licenses. So skipping collection.
<YYYY-MM-DD>T<time>[7FB339EC6700 error 'HttpSvc.HTTPService'] Failed to read request; stream: <io_obj ''> ''>, <unix h:-1, p:0x00007fb3501147f8,>, error: N7Vmacore16TimeoutExceptionE(Operation timed out)
<YYYY-MM-DD>T<time>[7FB340941700 info 'commonvpxLro' opID=4c700485] [VpxLRO] -- BEGIN task-internal-152 -- -- vmodl.query.PropertyCollector.retrievePropertiesEx -- 08f38a6d-46ca-a259-cedc-4852fb91415d(5216366a-3394-07a3-6a54-059661741e89)</time></io_obj></time></time></time></time></time></time>
Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.
Environment
VMware vCenter Server Appliance 5.5.x
VMware vCenter Server Appliance 6.0.x
VMware vCenter Server Appliance 5.1.x
VMware vCenter Server Appliance 6.0.x
VMware vCenter Server Appliance 5.1.x
Cause
This issue occurs due to a limitation with the number of trusts the Likewise agents can store.
Resolution
This is a known issue affecting vCenter Server Appliance.
Currently, there is no resolution.
To work around this issue, use one of these options:
- For vCenter Server Appliance 5.1, 5.5, and 6.0 embedded deployments, disable enumerating the external trusts when joining the primary domain provided that you do not require users from those external domains to log in to the vCenter Server Appliance.
Note: Ensure that vCenter Server Appliance is not joined to any domain before proceeding. However, if it is joined, remove it from the domain and reboot before proceeding to the steps below.
- Connect to the vCenter Server Appliance with an SSH session or through the Console.
- Run this command to set the likewise agent ignore all external trusts including child domains.
/opt/likewise/bin/lwregshell set_value [HKEY_THIS_MACHINE\\Services\\lsass\\Parameters\\Providers\\ActiveDirectory] DomainManagerIgnoreAllTrusts 1
- Restart the Likewise services by running this command:
/etc/init.d/lsassd restart
- Add the vCenter Server Appliance to the domain. For more information, see:
- Add a vCenter Single Sign On Identity Source section in vCenter Server Appliance 5.1 guide.
- Add a vCenter Single Sign On Identity Source section in vCenter Server Appliance 5.5 guide.
- Add a vCenter Single Sign On Identity Source section in vCenter Server Appliance 6.0 guide.
- For vCenter Server Appliance 6.0 with an external Platform Service Control (PSC), you can install and configure a new Windows PSC as either an additional node or a new site, and register the vCenter Server Appliance against it. The Windows PSC nodes are to be connected to the domain while the vCenter Server Appliance does not. For more information, see Repointing the VMware vCenter Server 6.0 between External Platform Services Controllers within a Site in a vSphere Domain (2113917).
Additional Information
To be alerted when this document is updated, click the Subscribe to Article link in the Actions box.How to repoint vCenter Server 6.x between External PSC within a site
将 vCenter Server Appliance 连接到 Active Directory 时出现“尝试加入 AD 时出错,错误代码 [40705] (Error trying to join AD, error code [40705])”
vCenter Server Appliance を Active Directory に接続すると、「AD に参加しようとしたときにエラーが発生しました。エラー コード [40705] (Error trying to join AD, error code [40705])」が表示される
将 vCenter Server Appliance 连接到 Active Directory 时出现“尝试加入 AD 时出错,错误代码 [40705] (Error trying to join AD, error code [40705])”
vCenter Server Appliance を Active Directory に接続すると、「AD に参加しようとしたときにエラーが発生しました。エラー コード [40705] (Error trying to join AD, error code [40705])」が表示される
Feedback
Yes
No
Powered by
