Configure Active Directory while enabling vSAN File Services fails with error "

Article ID: 430849

Products

VMware vSAN

Issue/Introduction

Symptoms:

  • Configuring Active Directory while enabling vSAN File Services fails with the error:
    Cannot complete the operation. See the event log for details. User does not have required permission in this Organizational Unit. If no OU is entered, the system attempts to register these file servers with default OU computers. User should have following permissions: 1. Create and delete Computer Objects. 2. Read and Write ms-DS-PrincipleName. 3. Read and Write uPNSuffixes
  • Configuring vSAN File Services without Active Directory succeeds without any issues.

Environment

  • VMware vSANFS 7.x
  • VMware vSANFS 8.x
  • VMware vSANFS 9.x

Cause

This issue occurs when the file service admin user does not have sufficient permissions to modify the servicePrincipalName attribute of the file server computer objects.

Cause validation:

  • The /var/log/vmware/vsan-health/vmware-vsan-health-service.log file on vCenter Server confirms that the account does not have enough permissions in the Organizational Unit:
    YYYY-MM-DDTHH:MM.SSSZ ERROR vsan-mgmt[07986] [VsanHealthUtil::VsanRunTaskFunc opID=agw-0045332-454e-W4144] Failed to run _ReconfigureDomain for task 'vim.Task:task-3571'

    Traceback (most recent call last):
      File "bora/vsan/health/esx/pyMo/VsanHealthUtil.py", line 3551, in VsanRunTaskFunc
      File "bora/vsan/health/esx/pyMo/VsanHealthUtil.py", line 3566, in <lambda>
      File "bora/vsan/fileservice/vpxd/VsanClusterFileServiceSystemImpl.py", line 1326, in _ReconfigureDomain
      File "/usr/lib/vmware/site-packages/pyVim/task.py", line 155, in WaitForTask
    PyCppVmomi.vim.fault.VimFault: (vim.fault.VimFault) {
      msg = 'Cannot complete the operation. See the event log for details.',
      faultMessage = (vmodl.LocalizableMessage) [
        (vmodl.LocalizableMessage) {
          key = 'com.vmware.vsan.fileservice.fault.containercreationfailures.adconfigissue.notenoughperm',
          message = 'User does not have required permission in this Organizational Unit. If no OU is entered, the system attempts to register these file servers with default OU computers. User should have following permissions: 1. Create and delete Computer Objects. 2. Read and Write ms-DS-PrincipleName. 3. Read and Write uPNSuffixes.'
        }
      ]
    }
  • The /var/run/log/vsanmgmt.log file on the ESXi host confirms that container creation is failing because of permission issues:
    YYYY-MM-DDTHH:MM.SSSZ Er(11) vsand[17339644]: [opID=agw-0045332-454e-W4144-82f7-W4783016 VsanFileServiceSystemImpl::_waitForContainersUp] Container ##.#.###.## has fatal error: (vmodl.RuntimeFault) {
    YYYY-MM-DDTHH:MM.SSSZ Er(11)[+] vsand[17339644]:   msg = 'Failed to startup container #######: domain_join_failed '
    YYYY-MM-DDTHH:MM.SSSZ Er(11)[+] vsand[17339644]: }, errKey: com.vmware.vsan.fileservice.fault.containercreationfailures.adconfigissue.notenoughperm
    YYYY-MM-DDTHH:MM.SSSZ In(14) vsand[17339644]: [opID=agw-0045332-454e-W4144-82f7-W4783016 VsanScheduler::EnqueueWorkItem] enqueue item. entity: listdir_########.######, func: funcWrapper, {'path': '/vmfs/volumes/#####/########-####-####-####-############/volumes/default/config_######-####-####-####-############.json'}, {}
    YYYY-MM-DDTHH:MM.SSSZ In(14) vsand[17339644]: [opID=agw-0045332-454e-W4144-82f7-W4783016 VsanFileServiceSystemImpl::_waitForContainersUp] Containers are not up: ['##.#.###.##', '##.#.###.##', '##.#.###.##']
    YYYY-MM-DDTHH:MM.SSSZ In(14) vsand[17339644]: [opID=agw-0045332-454e-W4144-82f7-W4783016 VsanFileServiceSystemImpl::_waitForContainersUp] Stop waiting for containers, duration:57.10436327406205, keepWait:False
    YYYY-MM-DDTHH:MM.SSSZ In(14) vsand[17339644]: [opID=agw-0045332-454e-W4144-82f7-W4783016 VsanFileServiceSystemImpl::_waitForContainersUp] Failed container(s): ['##.#.###.##', '##.#.###.##', '##.#.###.##'] err msgs are: {'##.#.###.##': 'com.vmware.vsan.fileservice.fault.containercreationfailures.adconfigissue.notenoughperm', '##.#.###.##': 'com.vmware.vsan.fileservice.fault.containercreation failures.adconfigissue.notenoughperm', '##.#.###.##': 'com.vmware.vsan.fileservice.fault.containercreationfailures.adconfigissue.notenoughperm'}

  • The /scratch/log/vdfs_support/containers/fs_vm_logs/fsvm_logs/journal file on the ESXi host indicates that the Active Directory (AD) account specified during vSAN File Services configuration lacks the required permissions to modify the servicePrincipalName (SPN) attribute on the target computer objects. This happens either because the account is not authorized to set SPNs or because an object with a duplicate SPN already exists in the domain.

    Feb 19 07:20:15.489669 photon-####### vsfs-#######[1617]: [MainThread] Host account for ####### does not have service principal names.
    Feb 19 07:20:15.489679 photon-####### vsfs-#######[1617]: [MainThread] Retrieving the servicePrincipalNames failed.
    Feb 19 07:20:15.489681 photon-#######vsfs-#######[1617]: [MainThread] ads_gen_mod: AD LDAP: Modifying CN=#######,CN=Computers,DC=######,DC=#######,DC=##,DC=##
    Feb 19 07:20:15.490444 photon-####### vsfs-#######[1617]: [MainThread] ads_print_error: AD LDAP ERROR: 19 (Constraint violation): 000021C7: AtrErr: DSID-03200E81, #1:
    Feb 19 07:20:15.490447 photon-#######vsfs-#######[1617]: [MainThread]         0: 000021C7: DSID-03200E81, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 90303 (servicePrincipalName)
    Feb 19 07:20:15.490449 photon-####### vsfs-#######[1617]: [MainThread]
    Feb 19 07:20:15.490452 photon-####### vsfs-#######[1617]: [MainThread] libnet_Join:
    Feb 19 07:20:15.490454 photon-####### vsfs-#######[1617]: [MainThread]     libnet_JoinCtx: struct libnet_JoinCtx
    Feb 19 07:20:15.490457 photon-####### vsfs-#######[1617]: [MainThread]         out: struct libnet_JoinCtx
    Feb 19 07:20:15.490460 photon-####### vsfs-#######[1617]: [MainThread]             account_name             : '#######'
    Feb 19 07:20:15.490462 photon-####### vsfs-#######[1617]: [MainThread]             netbios_domain_name      : '#####'
    Feb 19 07:20:15.490464 photon-####### vsfs-#######[1617]: [MainThread]             dns_domain_name          : '#####.#######.##.##'
    Feb 19 07:20:15.490466 photon-####### vsfs-#######[1617]: [MainThread]             forest_name              : '#######.##.##'
    Feb 19 07:20:15.490468 photon-####### vsfs-#######[1617]: [MainThread]             dn                       : 'CN=#######,CN=#######,DC=#######,DC=#######,DC=##,DC=##'
    Feb 19 07:20:15.490489 photon-####### vsfs-#######[1617]: [MainThread]             domain_guid              : ########-####-####-####-############
    Feb 19 07:20:15.490491 photon-####### vsfs-#######[1617]: [MainThread]             domain_sid               : *
    Feb 19 07:20:15.490804 photon-####### vsfs-#######[1617]: [MainThread]                 domain_sid               : #-#-#-##-##########-#########-#########
    Feb 19 07:20:15.490815 photon-####### vsfs-#######[1617]: [MainThread]             modified_config          : 0x00 (0)
    Feb 19 07:20:15.490817 photon-####### vsfs-#######[1617]: [MainThread]             error_string             : 'Failed to set machine spn: Constraint violation
    Feb 19 07:20:15.490820 photon-####### vsfs-#######[1617]: [MainThread] Do you have sufficient permissions to create machine accounts?'
    Feb 19 07:20:15.490822 photon-####### vsfs-#######[1617]: [MainThread]             domain_is_ad             : 0x01 (1)
    Feb 19 07:20:15.490825 photon-####### vsfs-#######[1617]: [MainThread]             set_encryption_types     : 0x00000000 (0)
    Feb 19 07:20:15.490826 photon-####### vsfs-#######[1617]: [MainThread]             krb5_salt                : NULL
    Feb 19 07:20:15.490828 photon-####### vsfs-#######[1617]: [MainThread]             result                   : WERR_GEN_FAILURE
    Feb 19 07:20:15.491058 photon-####### vsfs-#######[1617]: [MainThread] return code = -1
    Feb 19 07:20:15.491208 photon-####### vsfs-#######[1617]: [MainThread] Failed to join domain: Failed to set machine spn: Constraint violation
    Feb 19 07:20:15.491222 photon-####### vsfs-#######[1617]: [MainThread] Do you have sufficient permissions to create machine accounts?

Resolution

Engage the Active Directory administrators to grant the file service account the permissions it needs to set service principal names (SPNs) on the file server computer objects.
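Before re-running the File Services wizard, it helps to confirm on the AD side which of the two causes above applies. The following PowerShell script is an added example, not VMware's or Broadcom's code: it reads the DACL of the target OU and reports whether the file service account (directly or through its direct group memberships) is allowed to create and delete computer objects there and to write servicePrincipalName on descendant computer objects, then checks whether the SPN that failed in the journal is already held by another object in the domain. The account name, OU distinguished name and SPN are assumed placeholders; it needs the RSAT ActiveDirectory module and read access to the OU's security descriptor.

```powershell
# Added example (not VMware's code): validate the OU rights and the duplicate-SPN
# condition behind the "notenoughperm" fault. All three values are assumed placeholders.
Import-Module ActiveDirectory

$AccountSam = 'svc-vsanfs'                         # assumed: AD user entered in the File Services wizard
$OuDn       = 'OU=vSAN-FS,DC=contoso,DC=com'       # assumed: OU entered in the wizard (default is CN=Computers,<domain>)
$CheckSpn   = 'HOST/fsvm01.contoso.com'            # assumed: SPN the journal reported as failing to set

# Resolve schemaIDGUIDs from the schema instead of hard-coding them.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    return [guid]$obj.schemaIDGUID
}
$computerClass = Get-SchemaGuid 'computer'
$spnAttribute  = Get-SchemaGuid 'servicePrincipalName'

# Identities that can carry the grant: the account itself plus its direct group memberships.
$user       = Get-ADUser -Identity $AccountSam
$identities = @($user.SID) + @((Get-ADPrincipalGroupMembership -Identity $AccountSam).SID) |
    ForEach-Object { $_.Translate([System.Security.Principal.NTAccount]).Value }

$acl  = Get-Acl -Path "AD:\$OuDn"
$aces = $acl.Access | Where-Object { $identities -contains $_.IdentityReference.Value }

# True when an Allow ACE for one of the identities carries $Right, scoped to $ObjectType
# (or to all object types, empty GUID) and to $InheritedType (or all descendants).
# An explicit Deny on the same scope takes precedence and yields $false.
function Test-OuRight {
    param(
        [System.DirectoryServices.ActiveDirectoryRights]$Right,
        [guid]$ObjectType,
        [guid]$InheritedType,
        [bool]$MustInherit = $false
    )
    $match = $aces | Where-Object {
        (($_.ActiveDirectoryRights -band $Right) -ne 0) -and
        ($_.ObjectType -eq [guid]::Empty -or $_.ObjectType -eq $ObjectType) -and
        ($_.InheritedObjectType -eq [guid]::Empty -or $_.InheritedObjectType -eq $InheritedType) -and
        (-not $MustInherit -or $_.InheritanceType -ne 'None')
    }
    if ($match | Where-Object { $_.AccessControlType -eq 'Deny' })  { return $false }
    return [bool]($match | Where-Object { $_.AccessControlType -eq 'Allow' })
}

$checks = [ordered]@{
    'Create computer objects in OU'            = Test-OuRight -Right CreateChild   -ObjectType $computerClass -InheritedType ([guid]::Empty)
    'Delete computer objects in OU'            = Test-OuRight -Right DeleteChild   -ObjectType $computerClass -InheritedType ([guid]::Empty)
    'Write servicePrincipalName on computers'  = Test-OuRight -Right WriteProperty -ObjectType $spnAttribute  -InheritedType $computerClass -MustInherit $true
}
"Rights of $AccountSam (and direct groups) on $OuDn"
$checks.GetEnumerator() | ForEach-Object { '{0,-42} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'MISSING' }) }

# Duplicate-SPN check (this domain only; search a global catalog for forest-wide coverage).
$holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$CheckSpn)" -Properties servicePrincipalName)
switch ($holders.Count) {
    0       { "SPN $CheckSpn is not registered on any object in this domain." }
    1       { "SPN $CheckSpn is registered on $($holders[0].DistinguishedName)." }
    default { "CONFLICT: SPN $CheckSpn is registered on $($holders.Count) objects: $($holders.DistinguishedName -join '; ')" }
}
```

A MISSING line for any of the three rights matches the "not authorized to set the SPNs" cause and is what to hand to the AD administrators; a CONFLICT line matches the duplicate-SPN cause, which no delegation change will fix until the stale registration is removed from the other object. The script only expands the account's direct group memberships, so a grant that arrives through nested groups will show as MISSING here even though the join would succeed; treat the result as a first check, not the final word.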