After enabling NTLMv2 on the Active Directory Domain Controller vCenter SSO users fail to log in with the error: "Unable to login because you do not have permissions on any vCenter Server systems connected to this client."

Article ID: 388056


Products

VMware vCenter Server

Issue/Introduction

When "LMCompatibilityLevel" is set to 5 in the registry on a Windows Domain Controller used for a vCenter Server Identity Source, users may fail to log into the web client with an error: "Unable to login because you do not have permissions on any vCenter Server systems connected to this client."

Vpxd.log may show errors similar to:

TIMESTAMP info vpxd[38902] [Originator@6876 sub=UserDirectorySso opID=Operation-ID-####] GetUserInfoInternal(ExampleDomain.com\ExampleUsername, false) res: ExampleDomain.com\ExampleUsername
TIMESTAMP info vpxd[38902] [Originator@6876 sub=AuthorizeManager opID=Operation-ID-####] [Auth]: User ExampleDomain.com\ExampleUsername
TIMESTAMP warning vpxd[38902] [Originator@6876 sub=Vmomi opID=Operation-ID-####] VMOMI activation LRO failed; <<Session-ID-####, <TCP '##.##.##.## : PORT#'>, <TCP '##.##.##.## : PORT#'>>, SessionManager, vim.SessionManager.loginByToken>, N3Vim5Fault12NoPermission9ExceptionE(Fault cause: vim.fault.NoPermission

sts.log may show errors similar to:

TIMESTAMP WARN sts[54:tomcat-http--20] [CorId=########-####-####-####-############] [com.vmware.identity.idm.server.provider.activedirectory.ActiveDirectoryProvider] obtainDcInfo for domain [ExampleDomain.com] failed Native platform error [code: 2453][NERR_DCNotFound][]
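An added triage example, not part of this KB, that correlates the two log markers shown above (the NoPermission fault on loginByToken in vpxd.log and the NERR_DCNotFound lookup failure in sts.log) over constructed sample lines of the same shape, so the signature can be spotted before anyone touches registry settings:

```python
import re

# Constructed sample excerpts shaped like the vpxd.log and sts.log lines quoted in this
# article (placeholder timestamps and IDs; these are not real captured logs).
VPXD_SAMPLE = """\
TIMESTAMP info vpxd[38902] [Originator@6876 sub=AuthorizeManager opID=Operation-ID-0001] [Auth]: User ExampleDomain.com\\ExampleUsername
TIMESTAMP warning vpxd[38902] [Originator@6876 sub=Vmomi opID=Operation-ID-0001] VMOMI activation LRO failed; <<Session-ID-0001, <TCP '10.0.0.5 : 443'>, <TCP '10.0.0.9 : 51000'>>, SessionManager, vim.SessionManager.loginByToken>, N3Vim5Fault12NoPermission9ExceptionE(Fault cause: vim.fault.NoPermission
"""
STS_SAMPLE = """\
TIMESTAMP WARN sts[54:tomcat-http--20] [CorId=00000000-0000-0000-0000-000000000000] [com.vmware.identity.idm.server.provider.activedirectory.ActiveDirectoryProvider] obtainDcInfo for domain [ExampleDomain.com] failed Native platform error [code: 2453][NERR_DCNotFound][]
"""

# The three markers the article associates with an NTLMv2-only Domain Controller.
AUTH_USER = re.compile(r"\[Auth\]: User (?P<domain>[^\\\s]+)\\(?P<user>\S+)")
LOGIN_NOPERM = re.compile(r"vim\.SessionManager\.loginByToken>.*vim\.fault\.NoPermission")
DC_NOT_FOUND = re.compile(r"obtainDcInfo for domain \[(?P<domain>[^\]]+)\] failed .*\[NERR_DCNotFound\]")


def diagnose(vpxd_text, sts_text):
    """Correlate vpxd.log and sts.log text and report whether the signature from this
    article is present: a NoPermission fault on loginByToken for a domain user whose
    domain the STS could not locate a Domain Controller for (NERR_DCNotFound)."""
    domain_users = {}
    for m in AUTH_USER.finditer(vpxd_text):
        domain_users.setdefault(m.group("domain").lower(), set()).add(m.group("user"))
    no_permission = LOGIN_NOPERM.search(vpxd_text) is not None
    dc_not_found = {m.group("domain").lower() for m in DC_NOT_FOUND.finditer(sts_text)}
    # Only domains that both failed the DC lookup and had a user attempting login count.
    affected = {d: sorted(u) for d, u in domain_users.items() if d in dc_not_found}
    return {
        "login_no_permission": no_permission,
        "dc_not_found_domains": sorted(dc_not_found),
        "affected_users": affected,
        "matches_kb_signature": no_permission and bool(affected),
    }


if __name__ == "__main__":
    result = diagnose(VPXD_SAMPLE, STS_SAMPLE)
    for key, value in result.items():
        print(f"{key}: {value}")
    if result["matches_kb_signature"]:
        # A match is consistent with this article's cause; confirm by comparing
        # LMCompatibilityLevel on the DC with SendNTLMv2 in the vCenter Likewise registry.
        print("Signature matches: check LMCompatibilityLevel on the DC and SendNTLMv2 on vCenter.")
```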

Cause

Changing the "LMCompatibilityLevel" registry setting to 5 causes the Domain Controller to use NTLMv2 responses only, while the vCenter Server's Likewise agent does not send NTLMv2 by default, so the Domain Controller lookup for the identity source fails.

Resolution

Enable NTLMv2 in the vCenter Server Likewise Registry to allow NTLMv2 communication with the Domain Controller:

  1. Take a snapshot of the vCenter Server. If using Enhanced Linked Mode (ELM), take powered-off snapshots of all linked vCenters. See KB: VMware vCenter in Enhanced Linked Mode pre-changes snapshot (online or offline) best practice
  2. Connect to the vCenter Server Appliance 6.x over SSH.
  3. Execute the following commands:

    /opt/likewise/bin/lwregshell
    cd HKEY_THIS_MACHINE\Services\lsass\Parameters\NTLM
    HKEY_THIS_MACHINE\Services\lsass\Parameters\NTLM> set_value SendNTLMv2 1
     
  4. Restart the services on the vCenter Server Appliance:

    service-control --stop --all && service-control --start --all

  5. Confirm you are able to log into the vSphere Web Client.