AD users not able to login to ESXi

Article ID: 411904

Products

VMware vSphere ESXi

Issue/Introduction

Active Directory user authentication stops working on ESXi.

In hostd.log, located at /var/run/log, you see:

0000-00-00T00:00:00.000Z Er(163) Hostd[4594944]: [Originator@6876 sub=Default] DJGetComputerDN: 0xa309: Client not found in Kerberos database

In syslog.log, located at /var/run/log, you see:

0000-00-00T00:00:00.000Z Wa(28) lwsmd[2101584]: [LwKrb5GetTgtImpl ../lwadvapi/threaded/krbtgt.c:262] KRB5 Error code: -1765328378 (Message:  not found in Kerberos database)

Error message breakdown:

lwsmd – The Likewise Security Manager Daemon, part of the stack ESXi uses to integrate with AD.
LwKrb5GetTgtImpl – The function that tries to obtain a Ticket Granting Ticket (TGT) for the machine account.
KRB5 Error code: -1765328378 – This corresponds to KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN, i.e., the principal (machine or user) was not found in the Kerberos database.
DJGetComputerDN – Part of the DirectJoin (Likewise / BeyondTrust) stack, which helps Linux/Unix/VMware systems join Active Directory.
0xa309 – The hexadecimal representation of the Kerberos error.
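The breakdown above maps -1765328378 to KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN by hand. The following added example (not part of the article or of the ESXi/Likewise code) shows where that mapping comes from: libkrb5 error codes are the com_err table base 0x96C73A00 plus the RFC 4120 error number, so the same decode works for the neighbouring codes (clock skew, wrong realm, pre-auth failure) that the Cause section lists. It then runs that decode over constructed syslog.log lines in the layout quoted above; the process-name and error-number sets are assumptions for illustration.

```python
import re

# libkrb5 com_err codes are 32-bit: table base 0x96C73A00 (signed: -1765328384)
# plus the RFC 4120 error number in the low byte, so -1765328378 is base + 6.
KRB5_ERROR_TABLE_BASE = -1765328384

# RFC 4120 error numbers a TGT request from a joined host commonly hits.
KRB5_ERROR_NAMES = {
    6: "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN",  # client not found in Kerberos database
    7: "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN",  # service principal unknown
    24: "KRB5KDC_ERR_PREAUTH_FAILED",      # machine account password mismatch
    37: "KRB5KRB_AP_ERR_SKEW",             # clock skew too great
    68: "KRB5KDC_ERR_WRONG_REALM",         # krb5.conf realm/KDC misconfiguration
}

# Layout of the ESXi syslog.log line quoted in the article.
LOG_LINE_RE = re.compile(r"^(?P<ts>\S+)\s+\S+\s+(?P<proc>\w+)\[\d+\]:\s*(?P<msg>.*)$")
KRB5_CODE_RE = re.compile(r"KRB5 Error code:\s*(-?\d+)")

def decode_krb5_error(code):
    """Map a signed com_err value to (rfc4120_number, symbolic_name, hex)."""
    hex_form = f"0x{code & 0xFFFFFFFF:08X}"
    number = code - KRB5_ERROR_TABLE_BASE
    if not 0 <= number <= 255:
        return None, "NOT_A_KRB5_CODE", hex_form
    return number, KRB5_ERROR_NAMES.get(number, f"KRB5_ERROR_{number}"), hex_form

def find_kerberos_failures(lines):
    """Return (timestamp, process, symbolic_name) for each KRB5 error line."""
    findings = []
    for line in lines:
        m = LOG_LINE_RE.match(line)
        code = KRB5_CODE_RE.search(m.group("msg")) if m else None
        if code:
            _, name, _ = decode_krb5_error(int(code.group(1)))
            findings.append((m.group("ts"), m.group("proc"), name))
    return findings

# Constructed sample: the article's syslog.log line, an unrelated line, and a
# clock-skew variant (code -1765328347 = base + 37).
SAMPLE_SYSLOG = [
    "0000-00-00T00:00:00.000Z Wa(28) lwsmd[2101584]: [LwKrb5GetTgtImpl ../lwadvapi/threaded/krbtgt.c:262] KRB5 Error code: -1765328378 (Message:  not found in Kerberos database)",
    "0000-00-00T00:00:01.000Z In(14) lwsmd[2101584]: [lsass] machine account refreshed",
    "0000-00-00T00:00:02.000Z Wa(28) lwsmd[2101584]: [LwKrb5GetTgtImpl ../lwadvapi/threaded/krbtgt.c:262] KRB5 Error code: -1765328347 (Message: Clock skew too great)",
]

if __name__ == "__main__":
    for ts, proc, name in find_kerberos_failures(SAMPLE_SYSLOG):
        print(ts, proc, name)
```

Feeding real /var/run/log/syslog.log lines through find_kerberos_failures separates the "client not found" signature of this article from skew or realm problems before you involve the AD team.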

Environment

ESXi 7.x, 8.x, 9.x

Cause

Client not found in Kerberos database – The host tried to look up its own computer account in Active Directory (AD), but the domain controller could not find it.

Likely Causes:

  • The machine is not joined to the domain correctly.
  • The computer account in AD has been deleted or renamed.
  • There’s a DNS issue causing it to query the wrong domain controller.
  • Time skew between the client and the domain controller (Kerberos is time-sensitive).
  • Kerberos configuration (krb5.conf) is misconfigured or pointing to the wrong realm.

Resolution

First, check with your Active Directory team on the status and health of the computer account.

Additionally, leaving and rejoining the domain has been known to resolve most occurrences of this issue.

What You Can Do:

  • Verify Domain Join Status:
    domainjoin-cli query
  • On VMware ESXi, check domain settings via the UI or esxcli commands.
  • Check if the machine account exists in AD:
    Look in Active Directory Users and Computers (ADUC) for the computer object.
  • Check Time Sync:
    Use ntpq -p to ensure system time is in sync with AD.
  • Check DNS Resolution:
    Make sure the system can resolve the domain and DCs properly.
  • Review Kerberos Configuration:
    Look at /etc/krb5.conf (or equivalent) and verify realms and KDCs are correct.
  • Rejoin the Domain if Necessary:
    If the machine account is missing or broken, rejoin the domain.