Domain join operation fails with the Error: ERROR_ACCESS_DENIED when SMBv3 is enabled on Domain Controller

Article ID: 344963


Products

VMware vCenter Server, VMware vSphere ESXi

Issue/Introduction

  • vCenter Server Appliance fails to join the domain with Error: Access is denied

  • ESXi server fails to join the domain

  • Active Directory Users fails to authenticate with Error: ERROR_ACCESS_DENIED

  • Domain Join log on vCenter Server Appliance captures the below events

    Command: /opt/likewise/bin/domainjoin-cli --loglevel verbose --logfile /var/log/domain.log join <domain name> <user>

  • domain.log:

20200115230558:VERBOSE:Setting krb5 name value 'forwardable' to 'true'
20200115230558:VERBOSE:Setting krb5 name value 'validate' to 'true'
20200115230558:VERBOSE:Setting krb5 name value 'mappings' to 'AD\\(.*) $1@domain'
20200115230558:VERBOSE:Setting krb5 name value 'reverse_mappings' to '(.*)@AD\.domain\.CN AD\$1'
20200115230558:INFO:Writing krb5 file /tmp/likewisetmpQZqdkY/etc/krb5.conf
20200115230558:INFO:File /tmp/likewisetmpQZqdkY/etc/krb5.conf modified
20200115230558:INFO:Finishing krb5.conf configuration
20200115230559:ERROR:ERROR_ACCESS_DENIED [ERROR_ACCESS_DENIED]


  • Packet Capture on the domain controller (DC) would return the below frame:

Frame 8261: 132 bytes on wire (1056 bits), 132 bytes captured (1056 bits)
Linux cooked capture
Internet Protocol Version 4, Src: <DC IP>, Dst: <vCenter IP>
Transmission Control Protocol, Src Port: 445, Dst Port: 53566, Seq: 253, Ack: 1781, Len: 76
NetBIOS Session Service
SMB2 (Server Message Block Protocol version 2)
    SMB2 Header
        Server Component: SMB2
        Header Length: 64
        Credit Charge: 0
        NT Status: STATUS_ACCESS_DENIED (0xc0000022)
        Command: Session Setup (1)
        Credits granted: 1
        Flags: 0x00000001, Response
        Chain Offset: 0x00000000
        Message ID: Unknown (1)
        Process Id: 0x00000550
        Tree Id: 0x00000000
        Session Id: 0x0000000000000000
        Signature: 00000000000000000000000000000000
        [Response to: 8259]
        [Time from request: 0.001083000 seconds]
    Session Setup Response (0x01)
        [Preauth Hash: c02e5af90775290edf04178b581f90950317bebef965fc25…]
        StructureSize: 0x0009
            0000 0000 0000 100. = Fixed Part Length: 4
            .... .... .... ...1 = Dynamic Part: True
        Session Flags: 0x0000
            .... .... .... ...0 = Guest: False
            .... .... .... ..0. = Null: False
            .... .... .... .0.. = Encrypt: False
        Blob Offset: 0x00000000
        Blob Length: 0
        Security Blob: <MISSING>: NO DATA

Note: The preceding log excerpts are only examples. Date, time and environment variables may vary depending on your environment.



Environment

VMware vSphere ESXi 6.x/7.x

VMware vCenter Server 6.x/7.x

Cause

This issue occurs if the RejectUnencryptedAccess parameter is enabled on the Domain Controller. With this setting enabled, the Domain Controller rejects SMB sessions from clients that do not use SMB encryption, which is why the Session Setup response in the capture above carries STATUS_ACCESS_DENIED with Encrypt: False in the session flags.

Resolution

VMware is aware of this issue and is working to resolve it in a future release.

To work around this issue, follow the steps below:

  1. Log in to the Domain Controller using a user account with privileges to modify the configuration.
  2. Open PowerShell on the server and run the command below to validate the current setting:

     Get-SmbServerConfiguration | Select RejectUnencryptedAccess

  3. Modify the configuration using the command below:

     Set-SmbServerConfiguration -RejectUnencryptedAccess $false

  4. Validate the change using the command mentioned in Step 2.
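The script below is an added example, not part of this article or of any VMware tooling. It wraps the three steps above (validate, change, re-validate) in a form that records the state of the Domain Controller's SMB server settings before and after the change, because RejectUnencryptedAccess is a security-relevant setting: with it set to $false, clients that cannot negotiate SMB encryption are allowed to reach shares that require it, so the workaround relaxes the DC's encryption enforcement until the joining client supports SMB3 encryption. The cmdlets and parameter names (Get-SmbServerConfiguration, Set-SmbServerConfiguration, -RejectUnencryptedAccess, -Force) are real; the function names, the log path and the surrounding logic are assumptions made for this example, and it assumes an elevated PowerShell session on the Domain Controller.

```powershell
# Added example (not from the KB article): inspect and change the SMB server
# encryption settings on a Domain Controller with an audit trail.
# Assumes an elevated PowerShell session on the DC with the SmbShare module available.
# Function names and the log path are hypothetical; the cmdlets and parameters are real.

function Get-SmbEncryptionState {
    $cfg = Get-SmbServerConfiguration
    [pscustomobject]@{
        ComputerName            = $env:COMPUTERNAME
        EncryptData             = $cfg.EncryptData             # server-wide SMB encryption required?
        RejectUnencryptedAccess = $cfg.RejectUnencryptedAccess # deny clients that cannot encrypt?
        EnableSMB1Protocol      = $cfg.EnableSMB1Protocol      # recorded for context only
    }
}

function Test-DomainJoinBlockedBySmbConfig {
    # The symptom in this KB (STATUS_ACCESS_DENIED on the SMB2 Session Setup response)
    # appears when RejectUnencryptedAccess is $true and the joining client does not
    # use SMB encryption (Session Flags show Encrypt: False in the capture).
    $state = Get-SmbEncryptionState
    return [bool]$state.RejectUnencryptedAccess
}

function Set-SmbRejectUnencryptedAccess {
    param(
        [Parameter(Mandatory)] [bool]$Value,
        [string]$LogPath = "$env:ProgramData\smb-config-change.log"   # hypothetical path
    )
    $before = Get-SmbEncryptionState

    # Keep a record of who changed a security-relevant setting, from what, to what.
    "$(Get-Date -Format o) $env:USERNAME RejectUnencryptedAccess $($before.RejectUnencryptedAccess) -> $Value" |
        Add-Content -Path $LogPath

    # -Force suppresses the confirmation prompt so the script can run unattended.
    Set-SmbServerConfiguration -RejectUnencryptedAccess $Value -Force

    # Step 4 of the KB: re-read the setting and fail loudly if it did not take effect.
    $after = Get-SmbEncryptionState
    if ($after.RejectUnencryptedAccess -ne $Value) {
        throw "RejectUnencryptedAccess is still $($after.RejectUnencryptedAccess); the change did not apply"
    }
    return $after
}

# Usage: validate first (KB step 2), apply the workaround only if it is actually
# needed (KB step 3), then re-validate (KB step 4).
$state = Get-SmbEncryptionState
$state | Format-List
if (Test-DomainJoinBlockedBySmbConfig) {
    Write-Warning "RejectUnencryptedAccess is enabled; SMB clients that do not encrypt, such as the vCSA/ESXi Likewise agent, receive STATUS_ACCESS_DENIED."
    Write-Warning "Setting it to `$false lets clients without SMB encryption reach shares that require it; re-enable it once the client supports SMB3 encryption."
    Set-SmbRejectUnencryptedAccess -Value $false | Format-List
} else {
    Write-Output "RejectUnencryptedAccess is already disabled; this KB's cause does not apply."
}
```

The check is deliberately separate from the change so that the script can be run read-only on several Domain Controllers first; only the DC that actually has RejectUnencryptedAccess set to $true is modified, and the log line gives the change-control record that a later review of the DC's SMB hardening will need.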

Additional Information

For additional information, refer to SMB3 Secure Dialect Negotiation.