ESXi: Active Directory login fails after configuring ESX Admins group
search cancel

ESXi: Active Directory login fails after configuring ESX Admins group

book

Article ID: 390063

calendar_today

Updated On:

Products

VMware vSphere ESX 8.x

Issue/Introduction

Note: "ESX Admins" group name is configurable. "ESX Admins" will be used as the example group name in this KB.

For additional information, refer to Using the ESX Admins AD group on ESXi: domain membership and user authentication

  • After adding an ESXi host to Active Directory and configuring the "ESX Admins" group in AD, any user that is part of the "ESX Admins" group should automatically be given VIM Admin role on the ESXi, however attempted AD user logins fail to the Host UI or with SSH.
  • ESXi host has been added to Active Directory
  • ESX Admins group has been created in Active Directory
  • Running "esxcli system permission list" does not show the "ESX Admins" group:

esxcli system permission list

Principal          Is Group      Role      Role Description
--------------     --------      -----     ----------------
cloudadmin         false         Admin      Full access rights
dcui               false         Admin      Full access rights
root               false         Admin      Full access rights
vpxuser            false         Admin      Full access rights


Note: If the ESX Admins group was added successfully then this would be the output:

Principal                  Is Group        Role      Role Description
--------------             --------       -----      ----------------
DC\esx^admins               true          Admin      Full access rights
cloudadmin                  false         Admin      Full access rights
dcui                        false         Admin      Full access rights
root                        false         Admin      Full access rights
vpxuser                     false         Admin      Full access rights

  • SSH Client Behavior: Users connecting via PuTTY will receive "Keyboard-interactive authentication prompts from server" but after entering the password, they receive an "Access denied" followed by a PuTTY Fatal Error: "No supported authentication methods available (server sent: publickey,keyboard-interactive)".

  • SSH Configuration: Running esxcli system ssh server config list may show challengeresponseauthentication yes and fipsmode yes.

  • Hostd Log Evidence: Administrators can check the hostd log for the exact audit failure. The log will explicitly show the host rejecting the user:

    • eventTypeId = "esx.audit.ssh.session.failed"
      Event 408640 : SSH login has failed for '[email protected]@<IP>'.

  • Running esxcli system permission list confirms the authorization failure. The output will completely lack the domain ESX Admins group entry (e.g., DOMAIN\esx^admins is missing) because Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd being set to false prevented it from injecting the permission.
  • When ESXI host was already configured with AD but the ESXi UI login for AD user failing with error

  • System permissions on the affected ESXi host will not list the AD domain or the "ESX Admins" group

Environment

vSphere ESX 8.x, 9.x

Cause

The cause of the issue can be any of the follows:

  1. The Active Directory group "ESX Admins" will be granted VIM Admin role only if it exists at the time when the ESXi joins the domain. If the AD group is created later (after the ESXi host is joined to the domain) then it won't be given VIM Admin role.
  2. The ESXi advanced setting "Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd" is set to "false".

Resolution

This issue is resolved in VMware ESXi 9.1. For environments running 9.0.x, a fix is currently pending. To download the latest version, visit the Broadcom Support Portal.

Note: For ESXi 8.0 Update 3 onwards, the ESXi advanced setting "Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd" is set to "false" by default. This was changed due to security concerns. On versions of ESXi prior to Update 3 it is set to "true" by default. It is important to note that changing this to "false" does not remove any permissions already granted to the "ESX Admins" group.

Therefore, it is possible to have an ESXi host that was patched from a version prior to Update 3 that has"ESX Admins" group logins working with "Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd" currently set to "false" after patching to U3. The same can be said if this setting were manually set to "false".

To remove the permissions for an AD group or to disable AD logins, refer to Secure Default Settings for ESXi Active Directory integration

  • To resolve the issue, follow the procedure below depending on the cause:

1. The Active Directory group "ESX Admins" will be granted VIM Admin role only if it exists at the time when the ESXi joins the domain. If the AD group is created later (after the ESXi host is joined to the domain) then it won't be given VIM Admin role.

  • To resolve this issue, the ESXi host will need to be removed/re-added to Active Directory

Note: Ensure the correct group is configured in AD and on the ESXi advanced setting "Config.HostAgent.plugins.hostsvc.esxAdminsGroup". For additional information, refer to Using the ESX Admins AD group on ESXi: domain membership and user authentication

To remove the ESXi host from AD:

  1. In the vCenter Server vSphere Client, select the host to be removed from Active Directory.
  2. Click the Configure tab.
  3. Click the Authentication Services.
  4. Click the three dots "..."  link at the top right pane and select "Leave Domain"



To re-add the ESXi host to AD   

  1. Confirm the ESXi host is synchronizing time with the Active Directory Domain controller. For more information, see Synchronizing ESXi/ESX time with a Microsoft Domain Controller.
  2. In the vCenter Server vSphere Client, select the host to be added to Active Directory.
  3. Click the Configure tab.
  4. Click the Authentication Services.
  5. Click the Join Domain... link in the top-right pane.
  6. In the Join Domain dialog, enter a domain. Use the form example.com or example.com/OU1/OU2.
  7. Enter the username (in [email protected] format) and password of a directory service user account that has permission to join the host to the domain, and click OK.
  8. Click OK.



Note. The same AD operations can be done via the host client:
      
     
      

Verify that the "ESX Admins" group permissions propagated to the ESXi with the "esxcli system permission list" command (see issue/introduction section of this KB). If the "ESX Admins" group permissions have not propagated, then move on to the next section.
 

2. The ESXi advanced setting "Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd" is set to "false".

To resolve this issue, the "Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd" will need to be set to "true"       

  1. From the vCenter Server vSphere Client, select the ESXi host.
  2. Click the Configure tab.
  3. Click on Advanced System Settings.
  4. Click on Edit and filter the "key" column for "Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd"
  5. If this is set to "false", then set it to "true". If it does not exist, then create it. 



Note: It may be necessary to remove/re-add the ESXi host back to Active Directory.

  • Verify that the "ESX Admins" group permissions propagated to the ESXi with the "esxcli system permission list" command (see issue/introduction section of this KB).


Additional Information

Powered by Wolken Software