ESXi Login Failures with Active Directory Users: Incorrect Username and Password

search cancel

ESXi Login Failures with Active Directory Users: Incorrect Username and Password

book

Article ID: 394804

calendar_today

Updated On:

Products

VMware vSphere ESXi

Issue/Introduction

^{Attempts to log in to an ESXi host using Active Directory (AD) credentials result in an error message stating "Incorrect username or password." Despite using valid AD credentials, the login fails. The ESXi host has already been successfully joined to the AD domain.}

Environment

^{VMware vSphere Esxi 8.x}

Cause

^{This issue occurs because the relevant Active Directory (AD) group does not have the necessary permissions on the ESXi host. Additionally, the Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd setting is configured to false, which prevents automatic addition of the ESX Admins group to the host with the correct admin privileges.}

^Note:

^{When an ESXi host is joined to an AD domain, the ESX Admins group should be automatically assigned admin privileges by default, provided that the HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd setting is set to true.}

^{If this setting is set to false, the ESX Admins group does not automatically get added with appropriate permissions.}

^{The current permissions can be validated using the following command:}

^{esxcli system permission list}

Resolution

^{There are two options to resolve the issue:}

^{Option 1: Set the Admin Permissions to the AD Group on ESXi}

^{Open the ESXi shell or SSH into the ESXi host.}
^{Run the following command to assign Admin permissions to the AD group (e.g., yourdomain\esx^admins):}

^{esxcli system permission set -g -i 'yourdomain\esx^admins' -r Admin}

^{Verify that the ESX Admins group has been granted the correct permissions by using the following command:}

^{esxcli system permission list}

^{Confirm that the Admin role is properly assigned to the AD group.}

^{Option 2: Modify the Configuration to Enable Automatic Addition of ESX Admin Group}

^{Log in to vCenter Server via the vSphere Client and select the relevant ESXi host.}
^{Navigate to the Configure}
^{Under Advanced System Settings, click Edit and filter the key column for the setting HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd.}
- ^{If this setting is currently set to false, change it to true.}
^{This change ensures that the ESX Admins group is automatically assigned the required admin privileges when the ESXi host joins the AD domain.}

Additional Information

^{http://knowledge.broadcom.com/external/article/390063/cannot-login-to-esxi-hosts-with-ad-users.html}

^{https://knowledge.broadcom.com/external/article/316499/using-the-esx-admins-ad-group-on-esxi-do.html}

^{https://knowledge.broadcom.com/external/article?articleId=369707}

Feedback

thumb_up Yes

thumb_down No