Unable to login to vCenter with AD credentials

Article ID: 416003

Products

VMware vCenter Server

Issue/Introduction

  • A newly built vCenter cannot log in with AD credentials.
  • While checking the configuration in the admin page, the identity source in use is IWA and the domain is not joined.
  • Joining the AD domain via the UI fails with the error "Idm client exception: Error trying to join AD, error code [1816]".
  • /var/log/vmware/sso/ssoAdminServer.log:

    YYYY-MM-DDT0HH:MM:SS ERROR ssoAdminServer[110:pool-2-thread-7] [OpId=#########] [com.vmware.identity.idm.server.IdentityManager] Failed to add user [[email protected]] to group [SystemConfiguration.BashShellAdministrators] in tenant [vsphere.local]
    YYYY-MM-DDT0HH:MM:SS ERROR ssoAdminServer[110:pool-2-thread-7] [OpId=#########] [com.vmware.identity.idm.server.ServerUtils] Exception 'com.vmware.identity.idm.MemberAlreadyExistException: group SystemConfiguration.BashShellAdministrators currently has user cn=Administrator,cn=Users,dc=vsphere,dc=local as its member'
    com.vmware.identity.idm.MemberAlreadyExistException: group SystemConfiguration.BashShellAdministrators currently has user cn=Administrator,cn=Users,dc=vsphere,dc=local as its member
            at com.vmware.identity.idm.server.provider.vmwdirectory.VMwareDirectoryProvider.addUserToGroupByDn(VMwareDirectoryProvider.java:4107) ~[libvmware-identity-idm-server.jar:?]
            at com.vmware.identity.idm.server.provider.vmwdirectory.VMwareDirectoryProvider.addUserToGroup(VMwareDirectoryProvider.java:3719) ~[libvmware-identity-idm-server.jar:?]

    YYYY-MM-DDT0HH:MM:SS ERROR ssoAdminServer[105:pool-2-thread-3] [#########] [com.vmware.identity.admin.vlsi.SystemManagementServiceImpl] Idm client exception: Error trying to join AD, error code [1816], user [[email protected]], domain [DOMAIN.COM], orgUnit []
    com.vmware.identity.admin.server.ims.ServerConfigurationException: Idm client exception: Error trying to join AD, error code [1816], user [[email protected]], domain [DOMAIN.COM], orgUnit []
            at com.vmware.identity.admin.server.ims.impl.SystemManagementImpl.mapException(SystemManagementImpl.java:128) ~[libsso-adminserver.jar:?]

    YYYY-MM-DDT0HH:MM:SS INFO ssoAdminServer[105:pool-2-thread-3] [#########] [auditlogger] {\"user\":\"[email protected]\",\"client\":\"\",\"timestamp\":\"\",\"description\":\"join AD domain, username: [[email protected]], domain: [DOMAIN.COM], orgUnit: []\",\"eventSeverity\":\"INFO\",\"type\":\"com.vmware.sso.SystemManagement\"}
    YYYY-MM-DDT0HH:MM:SS INFO ssoAdminServer[105:pool-2-thread-3] [#########] [com.vmware.identity.admin.vlsi.SystemManagementServiceImpl] [User {Name: Administrator, Domain: vsphere.local} with role 'Administrator'] join AD domain, username: [[email protected]du], domain: [DOMAIN.COM], orgUnit: []
    YYYY-MM-DDT0HH:MM:SS ERROR ssoAdminServer[105:pool-2-thread-3] [#########] [com.vmware.identity.idm.server.IdentityManager] VmAfClientNativeException occurred
    com.vmware.af.VmAfClientNativeException: AFD Native Error Occured: 1816

  • /var/log/vmware/sso/tokenservice.log:

    YYYY-MM-DDT0HH:MM:SS WARN tokenservice[85:tomcat-http--39] [CorId=#########] [com.vmware.identity.idm.server.provider.activedirectory.ActiveDirectoryProvider] There may be a domain join status change since native AD is configured. ActiveDirectoryProvider can function properly only when machine is properly joined
    YYYY-MM-DDT0HH:MM:SS WARN tokenservice[85:tomcat-http--39] [CorId=#########]] [com.vmware.identity.idm.server.provider.activedirectory.ActiveDirectoryProvider] There may be a domain join status change since native AD is configured. ActiveDirectoryProvider can function properly only when machine is properly joined

    YYYY-MM-DDT0HH:MM:SS ERROR tokenservice[85:tomcat-http--39] [CorId#########]] [com.vmware.identity.idm.server.ServerUtils] Caught an unexpected exception com.vmware.identity.interop.domainmanager.HostNotJoinedException: Local host is not joined.
            at com.vmware.identity.interop.domainmanager.LinuxDomainAdapter.getDomainJoinInfo(LinuxDomainAdapter.java:265) ~[libvmware-identity-platform.jar:?]
            at com.vmware.identity.idm.server.provider.activedirectory.ActiveDirectoryProvider.obtainDcInfoInternal(ActiveDirectoryProvider.java:2738) ~[libvmware-identity-idm-server.jar:?]
            at com.vmware.identity.idm.server.provider.activedirectory.ActiveDirectoryProvider.obtainDcInfo(ActiveDirectoryProvider.java:2721) ~[libvmware-identity-idm-server.jar:?]
            at com.vmware.identity.idm.server.provider.activedirectory.ActiveDirectoryProvider.borrowLdapConnection(ActiveDirectoryProvider.java:1880) ~[libvmware-identity-idm-server.jar:?]

Environment

VMware vCenter Server 7.x

VMware vCenter Server 8.x

Cause

An AD object for the vCenter already existed in Active Directory, so vCenter treated itself as already joined to AD.

Resolution

To remediate the issue, follow these steps:

  • Remove the identity source from the UI.

  • Run the following command to leave the domain:

        /opt/likewise/bin/domainjoin-cli leave

  • Add the vCenter back to the domain with the following command:

        /opt/likewise/bin/domainjoin-cli join domain.com.edu [email protected]

    The output will look like:

        Joining to AD Domain:   domain.com
        With Computer DNS Name: <VCENTER FQDN>
        [email protected]'s password:
        SUCCESS

  • Reboot the vCenter and re-add the identity source.


Additional Information

In some situations, the domain join may fail as follows when running the command "/opt/likewise/bin/domainjoin-cli join domain.com.edu [email protected]":

        Joining to AD Domain:   domain.com
        With Computer DNS Name: <VCENTER FQDN>
        [email protected]'s password:
        Error: Lsass Error [code 0x00000718]
        The account's computer join limit has been exceeded. Talk to your Windows administrators about the limits assigned to your account.

If the above error occurs, add the vCenter object manually in Active Directory and then run "/opt/likewise/bin/domainjoin-cli join domain.com.edu [email protected]" again.
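As an added example (not part of this KB article), the following bash script classifies SSO log lines for the symptoms quoted in the Issue section, shows that the Lsass code 0x00000718 and the AFD code 1816 are the same error, and wraps the leave/rejoin steps from the Resolution with a dry-run guard. The Likewise CLI path is the one the article uses; the function names, "domain.com" and "joinuser@domain.com" are assumptions and placeholders.

```shell
#!/usr/bin/env bash
# Added example, not from the KB article: triage SSO log lines for the symptoms
# described above and wrap the leave/rejoin steps with a dry-run guard.
# Assumed: Likewise CLI at /opt/likewise/bin/domainjoin-cli (as in the article);
# "domain.com" and "joinuser@domain.com" are placeholders, not real values.
DJ=/opt/likewise/bin/domainjoin-cli

# Map one log line to a symptom tag from the article; returns 1 on no match.
classify_line() {
  case "$1" in
    *"error code [1816]"*|*"AFD Native Error Occured: 1816"*) echo join_failed_1816 ;;
    *"HostNotJoinedException"*|*"Local host is not joined"*)   echo not_joined ;;
    *"Lsass Error [code 0x00000718]"*)                         echo join_quota_exceeded ;;
    *) return 1 ;;
  esac
}

# Lsass logs the code in hex, AFD in decimal: 0x718 == 1816, the Windows
# error ERROR_NOT_ENOUGH_QUOTA, so both messages point at the same join failure.
to_decimal() { echo $(( $1 )); }

# Read log lines on stdin and print "tag count" pairs, one per line, sorted.
triage() {
  local line tag
  while IFS= read -r line; do
    tag=$(classify_line "$line") && echo "$tag"
  done | sort | uniq -c | awk '{print $2, $1}'
}

# The Resolution steps. DRY_RUN=1 (the default) only prints the commands so
# the sequence can be reviewed before it is run for real.
rejoin_domain() {
  local domain=$1 user=$2
  if [ "${DRY_RUN:-1}" = 1 ]; then
    echo "would run: $DJ leave"
    echo "would run: $DJ join $domain $user"
  else
    "$DJ" leave && "$DJ" join "$domain" "$user"
  fi
}

# Constructed sample lines in the article's format (timestamps/OpIds elided).
SAMPLE_LOG='ERROR ssoAdminServer [SystemManagementServiceImpl] Idm client exception: Error trying to join AD, error code [1816], user [joinuser@domain.com], domain [DOMAIN.COM], orgUnit []
ERROR ssoAdminServer [IdentityManager] VmAfClientNativeException occurred
com.vmware.af.VmAfClientNativeException: AFD Native Error Occured: 1816
ERROR tokenservice [ServerUtils] Caught an unexpected exception com.vmware.identity.interop.domainmanager.HostNotJoinedException: Local host is not joined.
INFO  ssoAdminServer [auditlogger] join AD domain, username: [joinuser@domain.com]'

# Usage: triage < /var/log/vmware/sso/ssoAdminServer.log; here, the sample.
demo() { printf '%s\n' "$SAMPLE_LOG" | triage; }
```

Running `demo` on the constructed sample yields two `join_failed_1816` hits and one `not_joined` hit, the same pair of signals the article's two log files show together.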