Unable to Login to ESXi Using Domain Credentials, fails with the Error "Connection to ESXi Host Timed Out"

Article ID: 392710


Updated On:

Products

VMware vSphere ESXi

Issue/Introduction

  • When attempting to log in to an ESXi host with domain credentials, the login fails with the error "Connection to ESXi host timed out". When the login does succeed, the host UI takes a long time to load the inventory. Logging in with root credentials works normally.

  • In /var/run/log/syslog.log, the following entries may be seen when attempting to log in with domain credentials:

    2025-03-18T14:48:53.411Z lwsmd[2102415]: [lsass] Failed to lookup object with name = <'[email protected]'> through LDAP (error = 40071, symbol = LW_ERROR_NO_SUCH_OBJECT). Retrying...
    2025-03-18T14:48:53.443Z lwsmd[2102415]: [lsass] Clearing ldap DC connection list for domain '<ad.exmaple.com>' due to a network error.


    2025-03-18T14:09:40.509Z lwsmd[2102415]: [netlogon] CLDAP ping to cached DC <domain_controller.example.com> <##.##.##.##> failed, new DC will be looked up
    2025-03-18T14:09:40.510Z lwsmd[2102415]: [lsass] Domain '<domain_controller.example.com>' is now offline
    2025-03-18T14:09:40.510Z lwsmd[2102415]: [lsass] Ignoring failure enumerating trusts for forest <example.com> Error was <null> (40121)

    2025-03-18T15:05:37.026Z lwsmd[2102014] [netlogon] DNS lookup for '<_ldap._tcp.dc._msdcs.example.com>' failed with errno 110 (Connection timed out), h_errno = 2 (Host name lookup failure)

    2025-03-18T15:03:39.709Z lwsmd[2102014] [lsass] Failed to lookup object with name = <'[email protected]'> through LDAP (error = 40071, symbol = LW_ERROR_NO_SUCH_OBJECT). Retrying...
    2025-03-18T15:03:39.719Z lwsmd[2102014] [lsass] Failed to find user, group, or domain by name (name = <'[email protected]'>, searched host = '<domain_controller>') -> error = 40071, symbol = LW_ERROR_NO_SUCH_OBJECT
    2025-03-18T15:03:39.734Z lwsmd[2102014] [lsass] Failed to lookup object with name = <'[email protected]'> through LDAP (error = 40071, symbol = LW_ERROR_NO_SUCH_OBJECT). Retrying...

  • A packet capture between the ESXi host and the domain controller, taken while an AD user attempts to log in to the ESXi host UI, shows the following DNS errors:

    53 <IP_address_ESXI host> <IP_ADDRESS_DNS_SERVER> DNS 95 Standard query response 0x819a Server failure SRV <_ldap._tcp.dc._msdcs.example.com>
    Domain Name System (response)
      Transaction ID: 0x819a
      Flags: 0x8182 Standard query response, Server failure
          1... .... .... .... = Response: Message is a response
          .000 0... .... .... = Opcode: Standard query (0)
          .... .... ...0 .... = Non-authenticated data: Unacceptable
          .... .... .... 0010 = Reply code: Server failure (2)

    53 <IP_address_ESXI host> <IP_ADDRESS_DNS_SERVER> DNS 154 Standard query response 0x3f16 No such name SRV _kerberos-master._udp.example.com SOA <FQDN OF DOMAIN_CONTROLLER>
    User Datagram Protocol, Src Port: 53, Dst Port: 52771
    Domain Name System (response)
      Transaction ID: 0x3f16
      Flags: 0x8183 Standard query response, No such name
          1... .... .... .... = Response: Message is a response
          .000 0... .... .... = Opcode: Standard query (0)
          .... .... ...0 .... = Non-authenticated data: Unacceptable
          .... .... .... 0011 = Reply code: No such name (3)

Cause

The error "Connection to ESXi host timed out" typically occurs when there is a DNS issue. Specifically, the ESXi host is attempting to perform a DNS lookup for the Active Directory service record (_ldap._tcp.dc._msdcs.domain), but the lookup is timing out. This often indicates a DNS resolution issue, where the ESXi host is unable to locate the domain controllers in the Active Directory domain.

Resolution


  1. Check DNS Configuration on the ESXi Host:
    Ensure the ESXi host has correct DNS settings and can resolve the domain controllers. Verify that the DNS server IP addresses are correctly configured in the ESXi host's network settings.

  2. Verify DNS Settings on the Active Directory Server:
    Confirm that the Active Directory server's DNS configuration is functioning correctly, and that the DNS service can resolve the required domain controller records.

  3. Test Connectivity to Domain Controllers:
    Run an nslookup or dig command from the ESXi host to ensure it can resolve the domain controller's FQDN (Fully Qualified Domain Name) and the service record (_ldap._tcp.dc._msdcs.domain). This verifies that the DNS server is responding correctly rather than timing out or returning Server failure / No such name, as seen in the capture above.

  4. Check Network Connectivity:
    Ensure there is no network issue preventing the ESXi host from reaching the domain controllers. Check for any firewalls or network configurations that may be blocking traffic on the required ports (e.g., 389 for LDAP).

  5. Check Time Synchronization:
    Ensure that the ESXi host and the domain controllers are time-synchronized.

  6. Test Login with Root Credentials:
    If login using domain credentials fails but root credentials work, the issue is likely related to domain authentication specifically. Continue troubleshooting DNS and domain controller availability.
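The following added example (not part of this KB article or of any VMware tooling) performs step 3 without relying on dig: it sends a raw SRV query for _ldap._tcp.dc._msdcs.<domain> to the DNS server the ESXi host is configured with and classifies the reply into the same outcomes the lwsmd log and the packet capture show (timeout, Server failure, No such name, or a usable answer). It assumes Python 3 on an admin workstation that uses the same DNS server as the host; the domain and server address are placeholders you supply.

```python
import socket
import struct

RCODE_NAMES = {0: "No error", 1: "Format error", 2: "Server failure",
               3: "No such name", 4: "Not implemented", 5: "Refused"}

def build_srv_query(name, txid):
    """Encode a standard recursive query (RD=1) for an SRV (type 33, class IN) record."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # one question, no RRs
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode() for label in labels) + b"\x00"
    return header + qname + struct.pack(">HH", 33, 1)

def parse_response_header(data):
    """Decode the 12-byte DNS header the way the capture in this KB presents it."""
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", data[:12])
    rcode = flags & 0x000F
    return {"txid": txid, "flags": flags, "is_response": bool(flags & 0x8000),
            "rcode": rcode, "rcode_name": RCODE_NAMES.get(rcode, "rcode %d" % rcode),
            "answers": an}

def classify(header):
    """Map a decoded header onto the outcomes lsass/netlogon react to in the log."""
    if not header["is_response"]:
        return "not a response"
    if header["rcode"] == 2:
        return "SERVFAIL: DNS server could not answer; check forwarders and the _msdcs zone"
    if header["rcode"] == 3:
        return "NXDOMAIN: record absent; host may query the wrong domain or DNS server"
    if header["rcode"] != 0:
        return header["rcode_name"]
    if header["answers"]:
        return "OK: %d SRV answer(s)" % header["answers"]
    return "NOERROR but no answers"

def check_dc_locator(domain, dns_server, timeout=3.0, txid=0x819A):
    """Query _ldap._tcp.dc._msdcs.<domain> at dns_server (placeholder values) and classify."""
    query = build_srv_query("_ldap._tcp.dc._msdcs." + domain, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (dns_server, 53))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "TIMEOUT: no reply from %s (matches errno 110 in the lwsmd log)" % dns_server
    header = parse_response_header(data)
    if header["txid"] != txid:
        return "mismatched transaction ID"
    return classify(header)
```

Call check_dc_locator("example.com", "<dns_server_ip>") with the host's configured DNS server; anything other than an "OK" result is the DNS condition the Cause section describes.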


Additional Information