Unable to Login to vCenter Server with AD domain accounts as it fails with "Invalid Credentials" Error
Article ID: 396121
Updated On:
Products
VMware vCenter Server
Issue/Introduction
- vCenter is configured with AD over Integrated Windows Authentication (IWA)
- Domain Account (AD login) fails with "Invalid Credentials" error message in vSphere Client
/var/log/vmware/sso/websso.log
####-##-##T####:##Z INFO websso[65:tomcat-http--27] [CorId=5######-####-####-####-########e] [com.vmware.identity.diagnostics.VmEventAppender] EventLog: source=[VMware Identity Server], tenant=[vsphere.horizon], eventid=[USER_NAME_PWD_AUTH_FAILED], level=[ERROR], category=[VMEVENT_CATEGORY_STS], text=[Failed to authenticate principal [admin.####]. Native platform error [code: 851968][null][null]], detailText=[Native platform error [code: 851968][null][null]], corelationId=[5####-###-####-####-#########e], timestamp=[1743803590167]
/var/log/vmware/sso/vmware-identity-sts-default.log
####-##-##T##:##:##:###ZINFO sts[49:tomcat-http--11] [CorId=a#####-###-####-####-#######04] [com.vmware.identity.diagnostics.VmEventAppender] EventLog: source=[VMware Identity Server], tenant=[vsphere.horizon], eventid=[USER_NAME_PWD_AUTH_FAILED], level=[ERROR], category=[VMEVENT_CATEGORY_STS], text=[Failed to authenticate principal [######@domainname]. Native platform error [code: 851968][null][null]], detailText=[Native platform error [code: 851968][null][null]], corelationId=[a#####-####-####-####-#######04], timestamp=[1745939765202]
Environment
VMware vCenter Server 8.x
Resolution
- Take snapshot of the virtual machine (vCenter Server Appliance).
NOTE:Users from the specific domain you are trying to disjoin/remove will lose custom permissions added in the vCenter Server Inventory if the Active Directory Identity Source is configured for that specific domain, so, take a downtime. - Run the below command to disjoin the vCenter Server Appliance (VCSA) from the windows domain
#/opt/likewise/bin/domainjoin-cli leave - Output looks similar to:
root@vCenter [ ~ ]# /opt/likewise/bin/domainjoin-cli leave Leaving AD Domain:####.COM SUCCESS - Verify the domain status in VCSA by running the below command
#/opt/likewise/bin/domainjoin-cli query - Output looks similar to:
root@vCenter [ ~ ]# /opt/likewise/bin/domainjoin-cli query Name = vCenter'sFQDN Domain = - Reboot the vCenter appliance
- After rebooting the vCenter appliance,Login to the windows domain controller machine and Open Active Directory Users and Computers select Computers Organizational Unit (OU) find your computer select it and right click on the computer and delete it.
- After successfully removing (vCenter) computer from windows domain controller login into vCenter Server Appliance as a root user and run below command in order to join the appliance to the windows domain
#/opt/likewise/bin/domainjoin-cli join <Active_Directory_Domain> <Domain_Administrator> <Password> - Output looks similar to:
root@vCenter [ ~ ]# /opt/likewise/bin/domainjoin-cli join example.com administrator password Joining to AD Domain: example.com With Computer DNS Name: #####.com SUCCESS - Double check the connectivity by using below command
#/opt/likewise/bin/domainjoin-cli query - Output looks similar to:
root@vCenter [ ~ ]# /opt/likewise/bin/domainjoin-cli query Name = vCenter's FQDN Domain = Example.COM Distinguished Name = CN=vCenter's FQDN,CN=Computers,DC=domainname,DC=com - Now reboot the vCenter Server Appliance.
- Login into windows domain controller and Open Active Directory Users and Computers select Computers Organizational Unit (OU) find your computer it must exist
- You should successfully be able to login with the AD accounts
Feedback
Yes
No
Powered by
