Unable to Login to vCenter Server with AD domain accounts as it fails with "Invalid Credentials" Error

Article ID: 396121


Products

VMware vCenter Server

Issue/Introduction

  • The vCenter Server is configured for AD authentication over Integrated Windows Authentication (IWA)
  • Logging in with a domain account (AD login) fails with an "Invalid Credentials" error in the vSphere Client

The /var/log/vmware/sso/websso.log shows:

[YYYY-MM-DDTHH:MM:SS] INFO websso[65:tomcat-http--27] [CorId=5678910-abcd-efab-1234-67890abce] [com.vmware.identity.diagnostics.VmEventAppender] EventLog: source=[VMware Identity Server], tenant=[vsphere.horizon], eventid=[USER_NAME_PWD_AUTH_FAILED], level=[ERROR], category=[VMEVENT_CATEGORY_STS], text=[Failed to authenticate principal [admin.####]. Native platform error [code: 851968][null][null]], detailText=[Native platform error [code: 851968][null][null]], corelationId=[5678910-abcd-efab-1234-67890abce]


The /var/log/vmware/sso/vmware-identity-sts-default.log shows:

[YYYY-MM-DDTHH:MM:SS] INFO sts[49:tomcat-http--11] [CorId=a678910-abcd-efab-1234-67890abc04] [com.vmware.identity.diagnostics.VmEventAppender] EventLog: source=[VMware Identity Server], tenant=[vsphere.horizon], eventid=[USER_NAME_PWD_AUTH_FAILED], level=[ERROR], category=[VMEVENT_CATEGORY_STS], text=[Failed to authenticate principal [######@domainname]. Native platform error [code: 851968][null][null]], detailText=[Native platform error [code: 851968][null][null]], corelationId=[a678910-abcd-efab-1234-67890abc04], timestamp=[1745939765202]
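A quick way to confirm from the logs that this is the failure described here, and how many accounts it affects, before re-joining the domain. This is an added example and not part of the article: a POSIX shell script that counts the USER_NAME_PWD_AUTH_FAILED events carrying native platform error code 851968 and lists the principals named in them. The log lines it runs on are constructed to match the format quoted above (placeholder timestamps, principals and correlation ids); the function names are my own.

```shell
#!/bin/sh
# Added example (not from the article): spot the "native platform error 851968"
# authentication failures in websso.log / vmware-identity-sts-default.log.
# Assumes one log entry per line, which is how the files are written on disk.

# Constructed sample log lines modelled on the entries quoted in the article.
# Timestamps, principals and correlation ids are placeholders, not real data.
SAMPLE_LOG='[2024-05-01T10:00:00] INFO websso[65:tomcat-http--27] [CorId=00000000-0000-0000-0000-000000000001] [com.vmware.identity.diagnostics.VmEventAppender] EventLog: source=[VMware Identity Server], tenant=[vsphere.horizon], eventid=[USER_NAME_PWD_AUTH_FAILED], level=[ERROR], category=[VMEVENT_CATEGORY_STS], text=[Failed to authenticate principal [admin.example]. Native platform error [code: 851968][null][null]], detailText=[Native platform error [code: 851968][null][null]], corelationId=[00000000-0000-0000-0000-000000000001]
[2024-05-01T10:00:03] INFO websso[65:tomcat-http--28] [CorId=00000000-0000-0000-0000-000000000002] [com.vmware.identity.diagnostics.VmEventAppender] constructed filler line with no EventLog payload
[2024-05-01T10:00:09] INFO websso[65:tomcat-http--29] [CorId=00000000-0000-0000-0000-000000000003] [com.vmware.identity.diagnostics.VmEventAppender] EventLog: source=[VMware Identity Server], tenant=[vsphere.horizon], eventid=[USER_NAME_PWD_AUTH_FAILED], level=[ERROR], category=[VMEVENT_CATEGORY_STS], text=[Failed to authenticate principal [jdoe@example.com]. Native platform error [code: 851968][null][null]], detailText=[Native platform error [code: 851968][null][null]], corelationId=[00000000-0000-0000-0000-000000000003]'

# Pattern shared by both functions: a password-auth failure whose native
# platform error code is 851968 (the code shown in the article).
NATIVE_FAIL_RE='eventid=\[USER_NAME_PWD_AUTH_FAILED\].*code: 851968'

# Count matching entries on stdin (prints 0, and still succeeds, when none).
count_native_auth_failures() {
    grep -c "$NATIVE_FAIL_RE" || true
}

# Print the principal named in each matching entry on stdin, one per line,
# so you can see whether one account or every domain account is affected.
native_auth_failure_principals() {
    grep "$NATIVE_FAIL_RE" | sed -n 's/.*Failed to authenticate principal \[\([^]]*\)\].*/\1/p'
}

# Stand-alone use: read the real log on a VCSA if present, else run on the samples.
if [ -r /var/log/vmware/sso/websso.log ]; then
    echo "native 851968 auth failures: $(count_native_auth_failures < /var/log/vmware/sso/websso.log)"
    native_auth_failure_principals < /var/log/vmware/sso/websso.log | sort | uniq -c
else
    printf '%s\n' "$SAMPLE_LOG" | native_auth_failure_principals
fi
```

The sts log entry above is wrapped in this article's rendering only; in the file each event is a single line, which is what the pattern expects. If every domain principal shows up in the list while local SSO accounts still log in, the machine account trust is the likely cause and the re-join procedure below applies; a single failing principal points at that account's password or lockout state instead.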

Environment

VMware vCenter Server 8.x

Resolution

  1. Take an offline (powered off) snapshot of the vCenter Server Appliance (VCSA) virtual machine.

  2. Remove the VCSA from the Windows domain:
    # /opt/likewise/bin/domainjoin-cli leave

  3. The output looks similar to:
    # /opt/likewise/bin/domainjoin-cli leave
    Leaving AD Domain: ####.COM
    SUCCESS

  4. Verify the domain status on the VCSA by running the command below:
    # /opt/likewise/bin/domainjoin-cli query

  5. The output looks similar to:
    # /opt/likewise/bin/domainjoin-cli query
    Name = vCenter'sFQDN
    Domain =

  6. Reboot the vCenter appliance.

  7. Log in to the Windows domain controller and remove the VCSA computer object from AD.

  8. Join the appliance to the Windows domain:
    # /opt/likewise/bin/domainjoin-cli join <Active_Directory_Domain> <Domain_Administrator> <Password>

  9. The output looks similar to:
    # /opt/likewise/bin/domainjoin-cli join example.com administrator password
    Joining to AD Domain: example.com
    With Computer DNS Name: #####.com

    SUCCESS

  10. Check the connectivity:
    # /opt/likewise/bin/domainjoin-cli query

  11. The output looks similar to:
    # /opt/likewise/bin/domainjoin-cli query
    Name = vCenter_FQDN
    Domain = Example.COM
    Distinguished Name = CN=vCenter_FQDN,CN=Computers,DC=domainname,DC=com

  12. Reboot the VCSA.

  13. Verify in AD that the VCSA is joined to the domain.
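Steps 5 and 11 both rely on reading the `domainjoin-cli query` output by eye. The following is an added example, not part of the article, that parses that output so the "left" state (empty Domain line) and the "joined" state (Domain and Distinguished Name present) can be checked from a script, for instance as a post-reboot check after step 12. The sample outputs are constructed to match the two query results shown above (hostname and domain are placeholders), and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the article): check the domainjoin-cli query output
# in a scriptable way, so the "left" state after step 5 and the "joined" state
# after step 11 can be verified without reading the output by eye.

# Constructed sample outputs modelled on the two query results in the article
# (hostname and domain are placeholders).
LEFT_OUTPUT='Name = vcenter01.example.com
Domain ='
JOINED_OUTPUT='Name = vcenter01.example.com
Domain = Example.COM
Distinguished Name = CN=vcenter01.example.com,CN=Computers,DC=example,DC=com'

# Print the value of one "Key = value" line from query output on stdin
# (empty when the key is present but has no value, as "Domain =" after leave).
query_field() {
    sed -n "s/^$1 = *//p"
}

# Print "not-joined" or "joined:<domain>" for the query output on stdin.
join_state() {
    domain=$(query_field Domain)
    if [ -z "$domain" ]; then
        echo not-joined
    else
        echo "joined:$domain"
    fi
}

# Succeed only when stdin shows the appliance joined to the expected domain.
# domainjoin-cli prints the domain in mixed case, so compare case-insensitively.
is_joined_to() {
    expected=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    actual=$(query_field Domain | tr '[:upper:]' '[:lower:]')
    if [ -n "$actual" ] && [ "$actual" = "$expected" ]; then
        return 0
    else
        return 1
    fi
}

# Stand-alone use: run the real query on a VCSA if the binary exists, otherwise
# show both constructed samples.
if [ -x /opt/likewise/bin/domainjoin-cli ]; then
    /opt/likewise/bin/domainjoin-cli query | join_state
else
    printf '%s\n' "$LEFT_OUTPUT" | join_state
    printf '%s\n' "$JOINED_OUTPUT" | join_state
fi
```

On the appliance, `/opt/likewise/bin/domainjoin-cli query | is_joined_to example.com && echo ok` gives a pass/fail result after step 12, and `query_field 'Distinguished Name'` shows which OU the computer object landed in (the article's output shows CN=Computers). Note that step 9 passes the domain administrator's password on the command line, where it is visible in the process list while the command runs and is written to the shell history afterwards; clear that history entry once the join succeeds.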