Domain join operation for vCenter Server appliance fails with the Error: ERROR_ACCESS_DENIED when SMBv3 is enabled on Domain Controller

Article ID: 344963

Products

VMware vCenter Server
VMware vSphere ESXi

Issue/Introduction

Symptoms:
  • The vCenter Server Appliance fails to join the domain with the error: Access is denied

  • The ESXi host fails to join the domain

  • Active Directory users fail to authenticate with the error: ERROR_ACCESS_DENIED

  • The domain join log on the vCenter Server Appliance captures the events below

    Command: /opt/likewise/bin/domainjoin-cli --loglevel verbose --logfile /var/log/domain.log join <domain name> <user>

  • domain.log:

20200115230558:VERBOSE:Setting krb5 name value 'forwardable' to 'true'
20200115230558:VERBOSE:Setting krb5 name value 'validate' to 'true'
20200115230558:VERBOSE:Setting krb5 name value 'mappings' to 'AD\\(.*) $1@domain'
20200115230558:VERBOSE:Setting krb5 name value 'reverse_mappings' to '(.*)@AD\.domain\.CN AD\$1'
20200115230558:INFO:Writing krb5 file /tmp/likewisetmpQZqdkY/etc/krb5.conf
20200115230558:INFO:File /tmp/likewisetmpQZqdkY/etc/krb5.conf modified
20200115230558:INFO:Finishing krb5.conf configuration
20200115230559:ERROR:ERROR_ACCESS_DENIED [ERROR_ACCESS_DENIED
]

 

  • A packet capture on the domain controller (DC) shows the following frame:

Frame 8261: 132 bytes on wire (1056 bits), 132 bytes captured (1056 bits)
Linux cooked capture
Internet Protocol Version 4, Src: <DC IP>, Dst: <vCenter IP>
Transmission Control Protocol, Src Port: 445, Dst Port: 53566, Seq: 253, Ack: 1781, Len: 76
NetBIOS Session Service
SMB2 (Server Message Block Protocol version 2)
    SMB2 Header
        Server Component: SMB2
        Header Length: 64
        Credit Charge: 0
        NT Status: STATUS_ACCESS_DENIED (0xc0000022)
        Command: Session Setup (1)
        Credits granted: 1
        Flags: 0x00000001, Response
        Chain Offset: 0x00000000
        Message ID: Unknown (1)
        Process Id: 0x00000550
        Tree Id: 0x00000000
        Session Id: 0x0000000000000000
        Signature: 00000000000000000000000000000000
        [Response to: 8259]
        [Time from request: 0.001083000 seconds]
    Session Setup Response (0x01)
        [Preauth Hash: c02e5af90775290edf04178b581f90950317bebef965fc25…]
        StructureSize: 0x0009
            0000 0000 0000 100. = Fixed Part Length: 4
            .... .... .... ...1 = Dynamic Part: True
        Session Flags: 0x0000
            .... .... .... ...0 = Guest: False
            .... .... .... ..0. = Null: False
            .... .... .... .0.. = Encrypt: False
        Blob Offset: 0x00000000
        Blob Length: 0
        Security Blob: <MISSING>: NO DATA

Note: The preceding log excerpts are examples only. Dates, times and environment-specific values will differ in your environment.
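As an added example (not part of the VMware KB and not VMware or Likewise code), a small Python decoder for the SMB2 Session Setup response shown in the capture above. It rebuilds frame 8261 from the field values listed there (NT Status, Command, Flags, Message ID, Process Id, empty security blob) as a constructed test vector, and separates this "denied before authentication" pattern from the other outcomes a Session Setup response can carry (handshake continuation, logon failure, success). The NTSTATUS constants are the standard MS-ERREF values; the result labels are this script's own.

```python
import struct

# NTSTATUS codes that appear in SMB2 Session Setup responses (standard MS-ERREF values).
STATUS_ACCESS_DENIED = 0xC0000022             # the status in the KB's frame 8261
STATUS_MORE_PROCESSING_REQUIRED = 0xC0000016  # normal mid-handshake continuation
STATUS_LOGON_FAILURE = 0xC000006D             # bad credentials
SMB2_SESSION_SETUP = 0x0001                   # Command: Session Setup (1)
SMB2_FLAGS_RESPONSE = 0x00000001              # Flags: Response

def parse_smb2(payload: bytes) -> dict:
    """Decode a NetBIOS-framed SMB2 message: the 64-byte header and, for a Session Setup response, its 8-byte fixed body."""
    if len(payload) < 4 + 64 or payload[0] != 0:
        raise ValueError("not a NetBIOS session message")
    smb = payload[4:4 + int.from_bytes(payload[1:4], "big")]   # 3-byte big-endian length
    if smb[:4] != b"\xfeSMB":
        raise ValueError("not an SMB2 header")
    (hdr_len, _credit_charge, status, command, credits, flags, _next_cmd,
     msg_id, proc_id, tree_id, session_id) = struct.unpack_from("<HHIHHIIQIIQ", smb, 4)
    msg = {"status": status, "command": command, "credits": credits, "flags": flags,
           "message_id": msg_id, "process_id": proc_id, "tree_id": tree_id, "session_id": session_id}
    if command == SMB2_SESSION_SETUP and flags & SMB2_FLAGS_RESPONSE:
        _size, sess_flags, blob_off, blob_len = struct.unpack_from("<HHHH", smb, hdr_len)
        msg.update({"session_flags": sess_flags, "blob_offset": blob_off, "blob_length": blob_len})
    return msg

def classify_session_setup(msg: dict) -> str:
    """Tell the KB's signature (denied, no security blob, no session) apart from the other outcomes."""
    if msg["command"] != SMB2_SESSION_SETUP or not msg["flags"] & SMB2_FLAGS_RESPONSE:
        return "not-a-session-setup-response"
    if msg["status"] == STATUS_ACCESS_DENIED and msg["blob_length"] == 0 and msg["session_id"] == 0:
        return "denied-before-authentication"   # the server refused the session itself
    if msg["status"] == STATUS_MORE_PROCESSING_REQUIRED:
        return "authentication-in-progress"     # blob carries the next GSS/NTLMSSP token
    if msg["status"] == STATUS_LOGON_FAILURE:
        return "credentials-rejected"
    if msg["status"] == 0:
        return "session-established"
    return "other-status-0x%08x" % msg["status"]

def build_session_setup_response(status: int, session_id: int = 0, blob: bytes = b"") -> bytes:
    """Constructed test vector (not a real capture): NBSS prefix + SMB2 header + Session Setup body,
    using the header values the KB's frame shows (credits 1, message id 1, process id 0x550)."""
    header = b"\xfeSMB" + struct.pack("<HHIHHIIQIIQ", 64, 0, status, SMB2_SESSION_SETUP, 1,
                                      SMB2_FLAGS_RESPONSE, 0, 1, 0x550, 0, session_id) + bytes(16)
    body = struct.pack("<HHHH", 9, 0, 64 + 8 if blob else 0, len(blob)) + blob
    return b"\x00" + len(header + body).to_bytes(3, "big") + header + body

# Reconstruction of the KB's frame 8261: 76 bytes, STATUS_ACCESS_DENIED, empty security blob.
KB_FRAME = build_session_setup_response(STATUS_ACCESS_DENIED)
```

Feed `parse_smb2` the TCP payload of each port-445 response from a capture; a first Session Setup answered with "denied-before-authentication" is the pattern this article describes, whereas a logon failure would show STATUS_LOGON_FAILURE instead.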


Environment

VMware vSphere ESXi 6.7
VMware vCenter Server Appliance 6.7.x
VMware vCenter Server Appliance 6.5.x
VMware vSphere ESXi 6.5

Cause

This issue occurs if the RejectUnencryptedAccess parameter is enabled on the domain controller. With that setting, the DC's SMB server rejects access from clients that cannot encrypt the session when encryption is required, so the appliance's Session Setup request is answered with STATUS_ACCESS_DENIED before any authentication token is exchanged, which is why the security blob in the packet capture above is empty.

Resolution

VMware is aware of this issue and is working to resolve it in a future release.

Workaround:

To work around this issue, follow the steps below:

  1. Log in to the domain controller with a user account that has privileges to modify the SMB server configuration.
  2. Open PowerShell on the server and run the command below to check the current value:
Get-SmbServerConfiguration | Select RejectUnencryptedAccess

  3. Change the setting with the command below:
Set-SmbServerConfiguration -RejectUnencryptedAccess $false

  4. Validate the change using the command from Step 2.

Note: RejectUnencryptedAccess is a server-wide SMB setting, so disabling it permits unencrypted SMB access from any client of that domain controller, not only from the appliance.


Additional Information

For additional information, refer to SMB3 Secure Dialect Negotiation.