Cannot login to ESXi hosts with AD users after adding hosts to Active Directory and configuring ESX Admins group

Article ID: 390063

Products

VMware vSphere ESX 8.x

Issue/Introduction

Note: The "ESX Admins" group name is configurable. "ESX Admins" is used as the example group name in this KB.

For additional information, refer to Using the ESX Admins AD group on ESXi: domain membership and user authentication.

  • After an ESXi host is added to Active Directory and the "ESX Admins" group is configured in AD, any user who is a member of the "ESX Admins" group should automatically receive the Admin role on the ESXi host. Instead, AD user logins to the Host Client and over SSH fail.
  • The ESXi host has been added to Active Directory.
  • The "ESX Admins" group has been created in Active Directory.
  • Running "esxcli system permission list" does not show the "ESX Admins" group:

esxcli system permission list

Principal        Is Group   Role    Role Description
---------------  ---------  ------  ------------------
cloudadmin       false      Admin   Full access rights
dcui             false      Admin   Full access rights
root             false      Admin   Full access rights
vpxuser          false      Admin   Full access rights


Note: If the "ESX Admins" group was added successfully, the group appears as a principal in the output (the domain prefix is shown and spaces in the group name appear as "^"):

Principal        Is Group   Role    Role Description
---------------  ---------  ------  ------------------
DC\esx^admins    true       Admin   Full access rights
cloudadmin       false      Admin   Full access rights
dcui             false      Admin   Full access rights
root             false      Admin   Full access rights
vpxuser          false      Admin   Full access rights

Environment

VMware vSphere ESX 8.x

Cause

The cause of the issue can be either of the following:

  1. The Active Directory group "ESX Admins" is granted the Admin role only if it exists at the time the ESXi host joins the domain. If the group is created later (after the host has already joined the domain), it is not granted the role.
  2. The ESXi advanced setting "Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd" is set to "false".

Resolution

IMPORTANT NOTE: From ESXi 8.0 Update 3 onwards, the ESXi advanced setting "Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd" defaults to "false". This was changed due to security concerns. On versions of ESXi prior to 8.0 Update 3 it defaults to "true". Note that changing this setting to "false" does not remove permissions that were already granted to the "ESX Admins" group.

It is therefore possible for an ESXi host that was upgraded from a version prior to 8.0 Update 3 to have working "ESX Admins" group logins while "Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd" is "false" after the upgrade to U3. The same applies if the setting was manually set to "false" after the group had already been granted.

To remove the permissions for an AD group or to disable AD logins, refer to: Secure Default Settings for ESXi Active Directory integration.
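The following PowerCLI script is an added example; it is not part of this KB and not VMware's own tooling. It audits every host in a vCenter for the three facts this KB turns on: domain membership, the value of esxAdminsGroupAutoAdd, and whether the configured group actually appears in "esxcli system permission list". It assumes VMware.PowerCLI is installed and Connect-VIServer has already been run against the vCenter Server; the function names and the State labels are the example's own.

```powershell
# Added example, not from the KB or from VMware: audit every host in a vCenter
# for the conditions this KB describes. Assumes VMware.PowerCLI is installed and
# Connect-VIServer has already been run. Function names are this example's own.

$EsxAdminsGroupKey   = 'Config.HostAgent.plugins.hostsvc.esxAdminsGroup'
$EsxAdminsAutoAddKey = 'Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd'

# esxcli lists an AD group principal as DOMAIN\name with spaces shown as '^'
# (the KB's expected output shows DC\esx^admins for "ESX Admins"), so encode
# the configured group name the same way before matching.
function Test-EsxAdminsGranted {
    param(
        [Parameter(Mandatory)] $VMHost,
        [Parameter(Mandatory)] [string] $GroupName
    )
    $esxcli  = Get-EsxCli -VMHost $VMHost -V2
    $encoded = $GroupName -replace ' ', '^'
    $pattern = '\\' + [regex]::Escape($encoded) + '$'   # -match is case-insensitive
    $hits = $esxcli.system.permission.list.Invoke() | Where-Object {
        "$($_.IsGroup)" -eq 'true' -and
        $_.Role -eq 'Admin' -and
        $_.Principal -match $pattern
    }
    return [bool]$hits
}

function Get-EsxAdminsAudit {
    foreach ($h in Get-VMHost | Sort-Object Name) {
        $auth    = Get-VMHostAuthentication -VMHost $h
        $group   = (Get-AdvancedSetting -Entity $h -Name $EsxAdminsGroupKey   -ErrorAction SilentlyContinue).Value
        $autoAdd = (Get-AdvancedSetting -Entity $h -Name $EsxAdminsAutoAddKey -ErrorAction SilentlyContinue).Value
        $granted = $false
        if ($auth.Domain -and $group) {
            $granted = Test-EsxAdminsGranted -VMHost $h -GroupName $group
        }

        # Classify. LegacyGrant is the case the KB's IMPORTANT NOTE describes:
        # auto-add is false (8.0 U3 default) but the grant predates the upgrade.
        # AutoAddOnNotGranted is cause 1: the group was created after the join.
        $state = if (-not $auth.Domain)                       { 'NotJoined' }
                 elseif ($granted -and "$autoAdd" -eq 'true') { 'AutoAddOn' }
                 elseif ($granted)                            { 'LegacyGrant' }
                 elseif ("$autoAdd" -eq 'true')               { 'AutoAddOnNotGranted' }
                 else                                         { 'SecureDefault' }

        [pscustomobject]@{
            Host             = $h.Name
            Version          = $h.Version
            Build            = $h.Build
            Domain           = $auth.Domain
            MembershipStatus = $auth.DomainMembershipStatus
            EsxAdminsGroup   = $group
            AutoAdd          = "$autoAdd"
            GroupGranted     = $granted
            State            = $state
        }
    }
}

Get-EsxAdminsAudit | Format-Table -AutoSize
```

Read the State column before changing anything: AutoAddOnNotGranted hosts are cause 1 and need a leave/re-join; SecureDefault hosts are cause 2 (or were never meant to use the group); LegacyGrant hosts log in fine today but will silently lose the grant if they are ever re-joined to the domain while auto-add stays "false", which is worth knowing before a planned re-join.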

  • To resolve the issue, follow the procedure below that matches the cause:

1. The Active Directory group "ESX Admins" is granted the Admin role only if it exists at the time the ESXi host joins the domain. If the group is created later (after the host has already joined the domain), it is not granted the role.

  • To resolve this, the ESXi host must be removed from Active Directory and added again.

Note: Ensure the correct group is configured in AD and in the ESXi advanced setting "Config.HostAgent.plugins.hostsvc.esxAdminsGroup". For additional information, refer to: Using the ESX Admins AD group on ESXi: domain membership and user authentication.

To remove the ESXi host from AD:

  1. From the vCenter Server vSphere Client, select the host that will be removed from Active Directory.
  2. Click the Configure tab.
  3. Click Authentication Services.
  4. Click the three dots "..." link at the top right of the pane and select "Leave Domain".

To re-add the ESXi host to AD:

  1. Confirm the ESXi host is synchronizing time with the Active Directory domain controller. For more information, see Synchronizing ESXi/ESX time with a Microsoft Domain Controller.
  2. From the vCenter Server vSphere Client, select the host that will be added to Active Directory.
  3. Click the Configure tab.
  4. Click Authentication Services.
  5. Click the Join Domain... link at the top right of the pane.
  6. In the Join Domain dialog, enter a domain. Use the form example.com or example.com/OU1/OU2.
  7. Enter the username (in user@domain format) and password of a directory service user account that has permission to join the host to the domain, and click OK.
  8. Click OK.



Note: The same AD operations can be performed from the ESXi Host Client.

Verify that the "ESX Admins" group permissions have propagated to the ESXi host with the "esxcli system permission list" command (see the Issue/Introduction section of this KB). If the "ESX Admins" group permissions have not propagated, move on to the next section.

2. The ESXi advanced setting "Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd" is set to "false".

To resolve this, set "Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd" to "true":

  1. From the vCenter Server vSphere Client, select the ESXi host.
  2. Click the Configure tab.
  3. Click Advanced System Settings.
  4. Click Edit and filter the "Key" column for "Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd".
  5. If it is set to "false", set it to "true". If it does not exist, create it.

Note: Because the group is evaluated when the host joins the domain, it may be necessary to remove the ESXi host from Active Directory and add it again (see the previous section) after changing this setting.

  • Verify that the "ESX Admins" group permissions have propagated to the ESXi host with the "esxcli system permission list" command (see the Issue/Introduction section of this KB).
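The following PowerCLI script is an added example, not part of this KB and not VMware's own tooling. It applies both resolutions above to a single host in the order that matters (set auto-add first, then leave and re-join, because the group is only evaluated at join time) and then verifies with the same "esxcli system permission list" check the KB uses. It assumes VMware.PowerCLI and an existing Connect-VIServer session; the host name, domain name and join credential are placeholders, and the function name is the example's own.

```powershell
# Added example, not from the KB or from VMware: apply both resolutions to one
# host with PowerCLI (auto-add first, then leave/re-join) and verify the result.
# Assumes VMware.PowerCLI and an existing Connect-VIServer session; host name,
# domain and credential are placeholders. Function name is this example's own.

$HostName   = 'esx01.example.com'   # assumption: replace with the affected host
$DomainName = 'example.com'         # assumption; example.com/OU1/OU2 is also accepted
$JoinCred   = Get-Credential -Message 'Account permitted to join hosts to AD (user@domain)'

$EsxAdminsGroupKey   = 'Config.HostAgent.plugins.hostsvc.esxAdminsGroup'
$EsxAdminsAutoAddKey = 'Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd'

function Repair-EsxAdminsGrant {
    param(
        [Parameter(Mandatory)] [string]       $VMHostName,
        [Parameter(Mandatory)] [string]       $Domain,
        [Parameter(Mandatory)] [pscredential] $Credential
    )
    $h     = Get-VMHost -Name $VMHostName
    $group = (Get-AdvancedSetting -Entity $h -Name $EsxAdminsGroupKey).Value

    # Cause 2: auto-add must already be true when the host joins, otherwise the
    # re-join below will not grant the group. Create the setting if it is absent.
    $autoAdd = Get-AdvancedSetting -Entity $h -Name $EsxAdminsAutoAddKey -ErrorAction SilentlyContinue
    if (-not $autoAdd) {
        New-AdvancedSetting -Entity $h -Name $EsxAdminsAutoAddKey -Value $true -Confirm:$false | Out-Null
    } elseif ("$($autoAdd.Value)" -ne 'true') {
        $autoAdd | Set-AdvancedSetting -Value $true -Confirm:$false | Out-Null
    }

    # Re-add step 1: the host must be time-synced with the domain controllers.
    # Only a coarse check here: an NTP source is configured on the host.
    if (-not (Get-VMHostNtpServer -VMHost $h)) {
        throw "$VMHostName has no NTP server configured; fix time sync before joining AD."
    }

    # Cause 1: the group is only evaluated at join time, so leave and re-join.
    $auth = Get-VMHostAuthentication -VMHost $h
    if ($auth.Domain) {
        $auth | Set-VMHostAuthentication -LeaveDomain -Force -Confirm:$false | Out-Null
    }
    Get-VMHostAuthentication -VMHost $h |
        Set-VMHostAuthentication -JoinDomain -Domain $Domain -Credential $Credential -Confirm:$false | Out-Null

    # Verify as the KB does: the group must now be a principal in
    # "esxcli system permission list" (spaces in the name appear as '^').
    $pattern = '\\' + [regex]::Escape(($group -replace ' ', '^')) + '$'
    $perms   = (Get-EsxCli -VMHost $h -V2).system.permission.list.Invoke()
    $granted = [bool]($perms | Where-Object { "$($_.IsGroup)" -eq 'true' -and $_.Principal -match $pattern })

    [pscustomobject]@{
        Host       = $VMHostName
        Domain     = (Get-VMHostAuthentication -VMHost $h).Domain
        Group      = $group
        Granted    = $granted
        Principals = ($perms | ForEach-Object { $_.Principal }) -join ', '
    }
}

Repair-EsxAdminsGrant -VMHostName $HostName -Domain $DomainName -Credential $JoinCred
```

Two caveats before running this against a production host. Leaving the domain ends AD-based access to that host until the re-join completes, so have the root or a local account available. And setting auto-add back to "true" restores the pre-8.0 U3 behaviour this KB says was turned off for security reasons: at join time the host grants Admin to whatever AD group carries the configured name, so anyone who can create or populate that group in AD gains full access to every host that auto-adds it. If that is not acceptable, an alternative outside this KB's procedure is to leave auto-add at "false" and grant the group explicitly on each host with "esxcli system permission set --id 'DOMAIN\ESX Admins' --group --role Admin"; the verification step above then passes without the automatic grant.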


Additional Information