"Invalid Credentials" Error When Logging into vCenter Server with AD Account: KRB5KDC_ERR_CLIENT_REVOKED

Article ID: 404632

Products

VMware vCenter Server

Issue/Introduction

When attempting to configure Integrated Windows Authentication (IWA) or Active Directory (AD) over LDAPS as an identity source in VMware vCenter Server, the following errors may occur:

  • From vCenter Server Appliance (VCSA) Shell:
    /opt/likewise/bin/domainjoin-cli join <ad-domain> <ad-username>
    KRB5KDC_ERR_CLIENT_REVOKED: Clients credentials have been revoked
    or
    /opt/likewise/bin/domainjoin-cli join <ad-domain> <ad-username>
    Error: NERR_DCNotFound code 0x00000995

  • When logging in with AD accounts via the vSphere Client:
    VMware vSphere
    Invalid credentials
    Use Windows session authentication

These errors prevent successful addition of the AD identity source and block AD user logins to vCenter Server, resulting in authentication failures.

Environment

VMware vCenter Server 

Cause

The errors occur due to insufficient permissions in the Active Directory environment, which prevent the successful execution of the domainjoin-cli join command or the addition of the AD identity source through the vSphere Client. Common causes include:

  • Missing Object Permissions: The Active Directory object (e.g., Computer Object, CN) associated with the VCSA lacks the necessary permissions to join the domain or authenticate with AD.
  • Missing User Permissions: The AD user account used to execute the domainjoin-cli join command or configure the identity source lacks sufficient privileges in AD.

Resolution

To resolve the issue, follow these steps:

Step 1: Involve the AD Team
Engage your organization's Active Directory (AD) team and request the following checks:
•    Verify that the AD user account is active, not locked out, and not expired.
•    Ensure that the user account used to join the domain has the required permissions to:
       • Join computers to the domain.
       • Access the necessary Organizational Units (OUs) and objects.

Step 2: Validate Permissions
•    Confirm that the account has “Create Computer Objects” and “Read/Write” permissions within the target OU.
•    For more restrictive environments, ensure delegated control is explicitly assigned to the joining user account.
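As an added example (not part of this KB article), the following PowerShell pre-check lets the AD team verify Steps 1 and 2 before the domain join is retried. It assumes the RSAT ActiveDirectory module is installed; the account name and OU distinguished name are placeholders.

```powershell
# Added example, not from this KB: AD-side pre-check for the account used by
# domainjoin-cli. Requires the RSAT ActiveDirectory module. $JoinAccount and
# $TargetOU are placeholders; replace them with the joining account and the OU
# in which the VCSA computer object will be created.
param(
    [string]$JoinAccount = 'svc-vcsa-join',
    [string]$TargetOU    = 'OU=vCenter,DC=corp,DC=example'
)
Import-Module ActiveDirectory

$findings = @()

# Step 1: the account must be enabled, not locked out, and not expired.
$user = Get-ADUser -Identity $JoinAccount -Properties Enabled, LockedOut, AccountExpirationDate, PasswordExpired
if (-not $user.Enabled)    { $findings += 'account is disabled' }
if ($user.LockedOut)       { $findings += 'account is locked out' }
if ($user.PasswordExpired) { $findings += 'password has expired' }
if ($user.AccountExpirationDate -and $user.AccountExpirationDate -lt (Get-Date)) {
    $findings += 'account expiration date has passed'
}

# Step 2: a direct "Create Computer Objects" grant on the target OU.
# bf967a86-0de6-11d0-a285-00aa003049e2 is the schemaIDGUID of the Computer
# class; an ACE with this ObjectType scopes CreateChild to computer objects,
# while an empty GUID means CreateChild for any object class.
$computerClass = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'
$createChild   = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
$acl   = Get-Acl -Path "AD:\$TargetOU"
$grant = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -like "*\$JoinAccount" -and
    (($_.ActiveDirectoryRights -band $createChild) -ne 0) -and
    ($_.ObjectType -eq $computerClass -or $_.ObjectType -eq [Guid]::Empty)
}
if (-not $grant) {
    # Only ACEs granted directly to the account are matched here; a grant
    # inherited through group membership must be checked on that group's ACEs.
    $findings += "no direct 'Create Computer Objects' ACE for $JoinAccount on $TargetOU"
}

if ($findings.Count -eq 0) {
    Write-Output "OK: $JoinAccount is active and may create computer objects in $TargetOU"
} else {
    $findings | ForEach-Object { Write-Output "CHECK: $_" }
}
```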


Step 3: Retry Adding the AD Identity Source

  • Via vSphere Client:
       • Log in to the vSphere Client as an administrator.
       • Navigate to Administration > Single Sign-On > Configuration > Identity Sources.
       • Click Add Identity Source, select Active Directory (Integrated Windows Authentication) or Active Directory over LDAPS, and enter the AD domain details.
       • Use the AD user account with appropriate permissions to complete the configuration.
  • Via VCSA Shell:
    /opt/likewise/bin/domainjoin-cli join <ad-domain> <ad-username> <ad-password>
    Replace <ad-domain>, <ad-username>, and <ad-password> with your AD domain, username, and password, respectively. If <ad-password> is omitted, domainjoin-cli prompts for the password interactively, which keeps it out of the shell history.
  • Test AD User Login:
       • Log out of the vSphere Client and attempt to log in using an AD user account to verify successful authentication.
       • Ensure the AD user is assigned appropriate permissions in vCenter Server.

Additional Information

•    These errors can occur even if network connectivity and port requirements (e.g., TCP 636 for LDAPS) are fully satisfied. To check basic TCP reachability of the LDAPS port from the VCSA shell (a successful connection only shows that the port is open; it does not exercise LDAP binds or Kerberos authentication):
     curl -v telnet://<AD-Domain-Controller>:636

•    For environments with firewall restrictions, validate that all required ports for domain join and SSO authentication are open.