Unable to login to ESX using domain credentials. Fails with the error "Connection to ESXi Host Timed Out"

Article ID: 392710

Products

VMware vSphere ESXi

Issue/Introduction

  • Logging in to an ESX host with domain credentials fails with the error "Connection to ESXi host timed out". When the login does succeed, the Host Client UI takes a long time to load the inventory. Logging in with root credentials works normally on the same host.

  • The following entries are observed in /var/run/log/syslog.log when attempting to log in with domain credentials:

    YYYY-MM-DDTHH:MM:SS lwsmd[2102415]: [lsass] Failed to lookup object with name = <'[email protected]'> through LDAP (error = 40071, symbol = LW_ERROR_NO_SUCH_OBJECT). Retrying...
    YYYY-MM-DDTHH:MM:SS lwsmd[2102415]: [lsass] Clearing ldap DC connection list for domain '<ad.example.com>' due to a network error.

    YYYY-MM-DDTHH:MM:SS lwsmd[2102415]: [netlogon] CLDAP ping to cached DC <domain_controller.example.com> <##.##.##.##> failed, new DC will be looked up
    YYYY-MM-DDTHH:MM:SS lwsmd[2102415]: [lsass] Domain '<domain_controller.example.com>' is now offline
    YYYY-MM-DDTHH:MM:SS lwsmd[2102415]: [lsass] Ignoring failure enumerating trusts for forest <example.com> Error was <null> (40121)

    YYYY-MM-DDTHH:MM:SS lwsmd[2102014] [netlogon] DNS lookup for '<_ldap._tcp.dc._msdcs.example.com>' failed with errno 110 (Connection timed out), h_errno = 2 (Host name lookup failure)

    YYYY-MM-DDTHH:MM:SS lwsmd[2102014] [lsass] Failed to lookup object with name = <'[email protected]'> through LDAP (error = 40071, symbol = LW_ERROR_NO_SUCH_OBJECT). Retrying...
    YYYY-MM-DDTHH:MM:SS lwsmd[2102014] [lsass] Failed to find user, group, or domain by name (name = <'[email protected]'>, searched host = '<domain_controller>') -> error = 40071, symbol = LW_ERROR_NO_SUCH_OBJECT
    YYYY-MM-DDTHH:MM:SS lwsmd[2102014] [lsass] Failed to lookup object with name = <'[email protected]'> through LDAP (error = 40071, symbol = LW_ERROR_NO_SUCH_OBJECT). Retrying...

  • A packet capture between the ESXi host and the Domain Controller during an AD login attempt shows the following responses from the DNS server:

    53 <IP_address_ESX host> <IP_ADDRESS_DNS_SERVER> DNS 95 Standard query response 0x819a Server failure SRV <_ldap._tcp.dc._msdcs.example.com>
    Domain Name System (response)
      Transaction ID: 0x819a
      Flags: 0x8182 Standard query response, Server failure
          1... .... .... .... = Response: Message is a response
          .000 0... .... .... = Opcode: Standard query (0)
          .... .... ...0 .... = Non-authenticated data: Unacceptable
          .... .... .... 0010 = Reply code: Server failure (2)

    53 <IP_address_ESX host> <IP_ADDRESS_DNS_SERVER> DNS 154 Standard query response 0x3f16 No such name SRV _kerberos-master._udp.example.com SOA <FQDN OF DOMAIN_CONTROLLER>
    User Datagram Protocol, Src Port: 53, Dst Port: 52771
    Domain Name System (response)
      Transaction ID: 0x3f16
      Flags: 0x8183 Standard query response, No such name
          1... .... .... .... = Response: Message is a response
          .000 0... .... .... = Opcode: Standard query (0)
          .... .... ...0 .... = Non-authenticated data: Unacceptable
          .... .... .... 0011 = Reply code: No such name (3)

Environment

VMware vSphere ESX

Cause

The error "Connection to ESXi host timed out" typically indicates a DNS problem. The ESX host must resolve the Active Directory service record (_ldap._tcp.dc._msdcs.example.com) to locate a domain controller, but the lookup times out or, as the packet capture shows, the DNS server answers with "Server failure" (SERVFAIL). Because the host cannot locate any domain controller, lwsmd marks the domain offline and every subsequent user lookup fails with LW_ERROR_NO_SUCH_OBJECT, which the UI surfaces as a login timeout.

Resolution

  1. Check DNS Configuration on the ESX Host:
    Ensure the ESX host has correct DNS settings and can resolve the domain controllers. Verify that the DNS server IP addresses are correctly configured in the ESX host's network settings.

  2. Verify DNS Settings on the Active Directory Server:
    Confirm that the Active Directory server's DNS configuration is functioning correctly, and that the DNS service can resolve the required domain controller records.

  3. Test Connectivity to Domain Controllers:
    Run an nslookup or dig command from the ESX host to confirm that it can resolve both the domain controller's FQDN (Fully Qualified Domain Name) and the service record (_ldap._tcp.dc._msdcs.example.com). A "Server failure" or "No such name" answer for the SRV record points to the DNS server, not the ESX host.

  4. Check Network Connectivity:
    Ensure there is no network issue preventing the ESX host from reaching the domain controllers. Check for any firewalls or network configurations that may be blocking traffic on the required ports (e.g., 389 for LDAP).

  5. Check Time Synchronization:
    Ensure that the ESX host and the domain controllers are time-synchronized.

  6. Test Login with Root Credentials:
    If login using domain credentials fails but root credentials work, the issue is likely related to domain authentication specifically. Continue troubleshooting DNS and domain controller availability.
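The following script is an added example, not part of this article or of VMware's tooling. It triages a syslog.log extract for the lwsmd signatures quoted above (DNS lookup failure versus LW_ERROR_NO_SUCH_OBJECT) and wraps the SRV query from step 3; it assumes the ESXi busybox shell, where nslookup exists and dig does not, and that this busybox nslookup accepts -type=srv. The domain name and the sample log lines are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the KB article): offline triage of lwsmd log lines
# plus the on-host SRV check from step 3. Assumes the ESXi busybox shell.

SRV_RECORD='_ldap._tcp.dc._msdcs.example.com'   # assumed domain; replace

# Count lines where lwsmd (likewise-open) reports a failed DNS lookup.
count_dns_failures() {
    grep -c '\[netlogon\] DNS lookup for .* failed' "$1" || true
}

# Count user/group lookups that failed with LW_ERROR_NO_SUCH_OBJECT.
count_ldap_not_found() {
    grep -c 'LW_ERROR_NO_SUCH_OBJECT' "$1" || true
}

# Map the counts to a verdict following the Cause section: DNS comes first,
# because NO_SUCH_OBJECT is a downstream effect once lsass cannot find a DC.
triage() {
    dns=$(count_dns_failures "$1")
    ldap=$(count_ldap_not_found "$1")
    if [ "$dns" -gt 0 ]; then
        echo "DNS_SRV_LOOKUP_FAILURE"
    elif [ "$ldap" -gt 0 ]; then
        echo "LDAP_OBJECT_NOT_FOUND"
    else
        echo "NO_SIGNATURE"
    fi
}

# Live check (step 3): query the SRV record with the host's nslookup.
# -type=srv is assumed to be supported by the busybox build on the host.
# Exits non-zero and prints the resolver's answer when the record fails.
srv_lookup() {
    nslookup -type=srv "${1:-$SRV_RECORD}" 2>&1
}

# Constructed sample built from the signatures quoted in this article.
sample=$(mktemp)
cat > "$sample" <<'EOF'
YYYY-MM-DDTHH:MM:SS lwsmd[2102014] [netlogon] DNS lookup for '<_ldap._tcp.dc._msdcs.example.com>' failed with errno 110 (Connection timed out), h_errno = 2 (Host name lookup failure)
YYYY-MM-DDTHH:MM:SS lwsmd[2102014] [lsass] Failed to lookup object with name = <'user@example.com'> through LDAP (error = 40071, symbol = LW_ERROR_NO_SUCH_OBJECT). Retrying...
EOF
triage "$sample"
# On a real host: triage /var/run/log/syslog.log ; srv_lookup
```

Run `triage /var/run/log/syslog.log` first; only if it reports DNS_SRV_LOOKUP_FAILURE is the resolver (step 1 and 2) the place to look, whereas LDAP_OBJECT_NOT_FOUND alone points at the domain controller or the account itself.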

Additional Information