ESXi not able to join Active Directory

Article ID: 377819

Products

VMware vSphere ESXi

Issue/Introduction

Symptoms:

Joining the host to the domain with domainjoin-cli fails with a Kerberos encryption-type error:

[root@esxi:~] /usr/lib/vmware/likewise/bin/domainjoin-cli join example.com Administrator Password
Joining to AD Domain:   example.com
With Computer DNS Name: esxi.example.com

Error: LW_ERROR_KRB5KDC_ERR_ETYPE_NOSUPP [code 0x0000a310]

KDC has no support for encryption type

The ESXi syslog.log records the same failure from lwsmd:

2023-09-10T13:13:20.771Z In(30) lwsmd[2106413]: [lsass] Joining domain example.com
2023-09-10T13:13:20.776Z In(30) lwsmd[2106413]: [lsass] Affinitized to DC 'example-dc.example.com' for join request to domain 'example.com'
2023-09-10T13:13:20.795Z Wa(28) lwsmd[2106413]: [LwKrb5GetTgtImpl ../lwadvapi/threaded/krbtgt.c:262] KRB5 Error code: -1765328370 (Message: KDC has no support for encryption type)
2024-09-10T13:13:20.795Z Er(27) lwsmd[2106413]: [lsass] Failed to run provider specific request (request code = 8, provider = 'lsa-activedirectory-provider') -> error = 41744, symbol = LW_ERROR_KRB5KDC_ERR_ETYPE_NOSUPP, client pid = 7349472

Additionally, the domain controller logs Event ID 4768 (a Kerberos authentication ticket (TGT) was requested) for the attempt.

The Kerberos configuration on the ESXi host, /etc/likewise/likewise-krb5-ad.conf, lists RC4-HMAC among the encryption types the client offers:

/etc/likewise/likewise-krb5-ad.conf
[libdefaults]
    default_tgs_enctypes = AES256-CTS AES128-CTS RC4-HMAC
    default_tkt_enctypes = AES256-CTS AES128-CTS RC4-HMAC
    preferred_enctypes = AES256-CTS AES128-CTS RC4-HMAC
    dns_lookup_kdc = true

Environment

vSphere 7

vSphere 8

Cause

RC4 (RC4-HMAC) encryption is disabled on the domain controllers, so the KDC rejects the encryption type the ESXi Likewise client needs for the join.

Resolution

RC4 is required for ESXi to join the domain.

Enable RC4 on the domain controllers so that the KDC accepts the RC4-HMAC encryption type again.

Additional Information

Kerberos error code reference: https://www.netmeister.org/blog/krb5-error-codes-table.html

KRB5KDC_ERR_ETYPE_NOSUPP: library error code -1765328370L, Kerberos protocol error number 14, message "KDC has no support for encryption type"
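The following is an added example, not part of the KB or of VMware's tooling: it parses the lwsmd syslog lines and the likewise-krb5-ad.conf [libdefaults] block shown above, converts the libkrb5 error code to the Kerberos protocol error number (14) using the MIT krb5 error-table base, and flags the combination this article describes (ETYPE_NOSUPP while the host itself still offers RC4-HMAC). The sample log lines and config are constructed copies of the ones on this page; the function names are this example's own.

```python
import re
# Constructed samples: the failing lwsmd syslog lines and likewise-krb5-ad.conf [libdefaults] from the KB.
SAMPLE_SYSLOG = """\
2023-09-10T13:13:20.795Z Wa(28) lwsmd[2106413]: [LwKrb5GetTgtImpl ../lwadvapi/threaded/krbtgt.c:262] KRB5 Error code: -1765328370 (Message: KDC has no support for encryption type)
2024-09-10T13:13:20.795Z Er(27) lwsmd[2106413]: [lsass] Failed to run provider specific request (request code = 8, provider = 'lsa-activedirectory-provider') -> error = 41744, symbol = LW_ERROR_KRB5KDC_ERR_ETYPE_NOSUPP, client pid = 7349472
"""
SAMPLE_CONF = """\
[libdefaults]
    default_tgs_enctypes = AES256-CTS AES128-CTS RC4-HMAC
    default_tkt_enctypes = AES256-CTS AES128-CTS RC4-HMAC
    preferred_enctypes = AES256-CTS AES128-CTS RC4-HMAC
    dns_lookup_kdc = true
"""
# libkrb5 codes are offset from ERROR_TABLE_BASE_krb5 (KRB5KDC_ERR_NONE); code - base = RFC 4120 error number.
ERROR_TABLE_BASE_KRB5 = -1765328384
KRB5_ERROR_RE = re.compile(r"KRB5 Error code: (-?\d+) \(Message: ([^)]*)\)")
LSASS_FAIL_RE = re.compile(r"error = (\d+), symbol = (LW_ERROR_\w+)")

def krb5_protocol_error(lib_code):
    return lib_code - ERROR_TABLE_BASE_KRB5  # -1765328370 -> 14 (KRB5KDC_ERR_ETYPE_NOSUPP)

def scan_syslog(text):
    # Pull the KRB5 library code, its message and the lsass failure symbol out of lwsmd lines.
    found = {}
    for line in text.splitlines():
        m = KRB5_ERROR_RE.search(line)
        if m:
            found["krb5_code"] = int(m.group(1))
            found["protocol_error"] = krb5_protocol_error(found["krb5_code"])
            found["message"] = m.group(2)
        m = LSASS_FAIL_RE.search(line)
        if m:  # 41744 is the decimal form of the CLI's "code 0x0000a310"
            found["lw_error"], found["lw_symbol"] = int(m.group(1)), m.group(2)
    return found

def offered_enctypes(conf_text):
    out, section = {}, None
    for line in map(str.strip, conf_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "libdefaults" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().endswith("enctypes"):
                out[key.strip()] = value.split()
    return out

def diagnose(syslog_text, conf_text):
    """True when the host got ETYPE_NOSUPP (14) while its own config still offers RC4-HMAC."""
    offers_rc4 = any("RC4-HMAC" in v for v in offered_enctypes(conf_text).values())
    return scan_syslog(syslog_text).get("protocol_error") == 14 and offers_rc4
```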