Error: "LW_ERROR_PASSWORD_MISMATCH" during ESXi AD authentication

Products

VMware vSphere ESXi

Issue/Introduction

When you try to log in to the ESXi Host Client using Active Directory (AD) user accounts, authentication fails. You see the error "Cannot complete login due to an incorrect user name or password".
The ESXi /var/log/syslog.log shows LW_ERROR_PASSWORD_MISMATCH (error code 40022) and Decrypt integrity check failed messages.
This authentication failure happens every 30 days. It can affect multiple ESXi hosts at the same time. The issue prevents AD users from accessing ESXi hosts directly. You must use local root accounts for host management tasks.

Additional symptoms reported:

"Facing issue with ESX and AD authentication. It's not allowing AD accounts to login."

Environment

ESXi 6.5, 6.7, 7.0, and 8.0 hosts joined to Active Directory domains
Environments with multi-domain DNS where ESXi hosts use DNS servers from a different domain than the AD domain
Likewise Open 6.2.0 and later versions handling AD authentication
Large deployments with 100+ ESXi hosts using centralized DNS infrastructure

Cause

The affected ESXi hosts lack proper DNS search domain configuration for the Active Directory domain. This prevents successful resolution of domain controllers during automatic machine password rotation.

The Likewise authentication service rotates computer account passwords every 30 days by default. When ESXi hosts cannot resolve AD domain controllers through DNS, the password change process fails. This creates a mismatch between cached credentials on the ESXi host and the actual password in Active Directory.

Resolution

Connect to the affected ESXi host using SSH or the ESXi Shell.
Add the Active Directory domain to the DNS search domains list:
```
esxcli network ip dns search add -d yourad.example.com
```
Check that the DNS search domain was added:
```
esxcli network ip dns search list
```

View the current DNS server configuration:

cat /etc/resolv.conf

Expected output shows your DNS servers and search domains ():

nameserver ###.###.###.10
nameserver ###.###.###.11
search example.com yourAD.example.com

Test DNS resolution to the Active Directory domain:

nslookup yourAD.example.com

Expected output (anonymized example):

Server:    ###.###.###.10
Address:   ###.###.###.10#53

Name:      yourAD.example.com
Address:   ###.###.###.100

Check DNS resolution for Active Directory service records:

nslookup _ldap._tcp.yourAD.example.com
nslookup _kerberos._tcp.yourAD.example.com

Clear the Likewise authentication cache:

/usr/lib/vmware/likewise/bin/lw-lsa ad-cache --delete-all

Restart the Likewise service:
```
/etc/init.d/lwsmd restart
```

Check domain join status:

/usr/lib/vmware/likewise/bin/domainjoin-cli query

Expected output:

Name     = esxi-hostname
Domain   = YOURAD.EXAMPLE.COM

Test user listing to confirm authentication works:

/usr/lib/vmware/likewise/bin/lw-lsa enum-users

Expected output shows domain users:

YOURAD\administrator
YOURAD\user1
YOURAD\user2

Try to log in to the ESXi Host Client using an Active Directory user account.

If the above steps do not resolve the issue, open a new support case with Broadcom and provide the following information.

Complete ESXi support bundle collected after reproducing the authentication failure
Output from esxcli network ip dns server list and esxcli network ip dns search list
Details about your DNS setup and Active Directory domain configuration
Exact error messages with timestamps from failed authentication attempts
Results from the DNS resolution and connectivity tests in the resolution steps

Additional Information

For more information on configuring ESXi hosts with Active Directory, see Configuring the ESXi host with Active Directory authentication.
For troubleshooting similar authentication issues with cached credentials, see Cannot login to ESXi hosts with AD users after adding hosts to Active Dirctory and configuring ESX Admins group.
For more information on DNS configuration for ESXi hosts, see Set Up a DNS Server with ESXCLI.

Related troubleshooting:

Check network connectivity between the ESXi host and AD domain controllers on these ports:
- 53 (DNS)
- 88 (Kerberos)
- 389 (LDAP)
- 636 (LDAPS)
- 135 (RPC)
- 445 (SMB)
View the password rotation setting with:

/usr/lib/vmware/likewise/bin/lwregshell list_values "[HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory]"
In multi-domain environments, make sure ESXi hosts can resolve both their management domain and the AD domain