Duplicate SIDs Cause Authentication Failures

Article ID: 430388


Products

VMware vCenter Server

Issue/Introduction

When deploying or cloning Windows virtual machines in a vSphere environment, you may encounter Kerberos and NTLM authentication failures. This occurs when the target virtual machines share the same machine Security Identifier (SID) as the source machine. Older documentation suggested that duplicate SIDs only affect workgroup machines or local accounts, but recent security changes from Microsoft now enforce SID uniqueness for domain-joined systems as well.

Environment

Product: VMware vSphere

Guest OS: Windows 11 (versions 24H2, 25H2), Windows Server 2025

Updates: Windows updates released on/after August 29, 2025

Cause

The issue is caused by a security design change in Microsoft Windows that enforces SID checks during authentication. Duplicate SIDs are typically created when a Windows installation is cloned or duplicated without running Sysprep. The machine SID (the S-1-5-21-... prefix shared by every local account on the system) is only regenerated by Sysprep's generalize pass, so any clone taken from a non-generalized source inherits it unchanged. With the new protections in place, Windows blocks authentication between devices that share a SID to prevent compromise of access controls.
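Before re-deploying anything, it is useful to confirm which guests actually share a machine SID. The following PowerShell is an added example and is not part of the Broadcom KB or of any VMware tooling. It reads the machine SID on a guest by stripping the RID from any local account's SID, and groups a set of guests by that value; the computer names and the remote-collection loop (which assumes WinRM access) are placeholders, and the sample data at the bottom is constructed to show two clones that share a SID.

```powershell
# Added example, not from the KB. Assumes Windows guests reachable over WinRM;
# host names are placeholders.

function Get-MachineSid {
    # Every local account SID is <machine SID>-<RID>; AccountDomainSid drops the RID.
    $local = Get-LocalUser | Select-Object -First 1
    return $local.SID.AccountDomainSid.Value
}

function Find-DuplicateMachineSid {
    param([hashtable]$SidByComputer)  # computer name -> machine SID string
    $SidByComputer.GetEnumerator() |
        Group-Object -Property Value |
        Where-Object Count -gt 1 |
        ForEach-Object {
            [pscustomobject]@{
                Sid       = $_.Name
                Computers = ($_.Group | ForEach-Object Name) -join ', '
            }
        }
}

# Collect from live guests (assumed names; requires WinRM and admin rights):
# $sids = @{}
# foreach ($vm in 'web01', 'web02', 'web03') {
#     $sids[$vm] = Invoke-Command -ComputerName $vm -ScriptBlock ${function:Get-MachineSid}
# }
# Find-DuplicateMachineSid -SidByComputer $sids

# Constructed sample: web02 and web03 were cloned without Sysprep and share a SID.
$sample = @{
    'web01' = 'S-1-5-21-1111111111-2222222222-3333333333'
    'web02' = 'S-1-5-21-4444444444-5555555555-6666666666'
    'web03' = 'S-1-5-21-4444444444-5555555555-6666666666'
}
Find-DuplicateMachineSid -SidByComputer $sample | Format-Table -AutoSize
```

Any group the function returns is a set of guests that will fail Kerberos/NTLM authentication against each other once the August 2025 updates are installed; each of them except the original must be rebuilt from a generalized template rather than patched in place.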

Resolution

To resolve this issue, give each Windows virtual machine a unique SID by running Sysprep as part of the deployment process:

  1. Use Guest OS Customization: When cloning or deploying a virtual machine from a template in vSphere, always apply a Guest Customization Specification.

  2. Enable SID Generation: Make sure the "Generate New Security ID (SID)" option is selected in the customization wizard. This runs Sysprep to generalize the guest OS and create a unique SID on first boot of the clone.

  3. Reference Microsoft Documentation: For details on SID requirements and the August 2025 security changes, refer to the Microsoft Support article "Kerberos and NTLM authentication failures due to duplicate SIDs".
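The same three steps can be scripted with VMware PowerCLI, which is how the check is most easily made repeatable across many deployments. The script below is an added example, not code from the KB; it assumes the PowerCLI module is installed, and the vCenter name, template, cluster and datastore names, domain and VM name are all placeholders. The `-ChangeSid` switch on `New-OSCustomizationSpec` is the PowerCLI equivalent of the "Generate New Security ID (SID)" checkbox.

```powershell
# Added example, not from the KB. Requires VMware PowerCLI; all names are placeholders.
Import-Module VMware.PowerCLI
Connect-VIServer -Server 'vcenter.example.local'

# Local Administrator password that Sysprep sets on the clone (plain string, as the cmdlet expects).
$adminPw = Read-Host -Prompt 'Local Administrator password for the clone'

# Non-persistent spec: Windows, run Sysprep, regenerate the SID, join the domain.
$spec = New-OSCustomizationSpec -Name 'Win-NewSid' -Type NonPersistent -OSType Windows `
    -FullName 'Administrator' -OrgName 'Example Org' `
    -AdminPassword $adminPw -ChangeSid `
    -Domain 'corp.example.local' -DomainCredentials (Get-Credential -Message 'Domain join account')

# Fail closed: never deploy from a spec that does not regenerate the SID.
if (-not $spec.ChangeSid) {
    throw "Customization spec '$($spec.Name)' does not regenerate the SID; aborting deploy."
}

# Deploy from the template with the spec attached so Sysprep runs on first boot.
New-VM -Name 'web04' -Template 'Win2025-Template' -OSCustomizationSpec $spec `
    -ResourcePool (Get-Cluster -Name 'Prod') -Datastore (Get-Datastore -Name 'DS01')

Disconnect-VIServer -Server 'vcenter.example.local' -Confirm:$false
```

A non-persistent spec is used so the credentials are not stored in vCenter beyond this run; for a persistent spec, keep `-ChangeSid` set and verify it with the same `ChangeSid` property check before each deployment, since a spec edited in the vSphere Client can have the option cleared without anyone noticing.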

Additional Information