Active Directory authentication using IWA fails on vCenter due to DC Time Skew
Article ID: 437618

Products

VMware vCenter Server

Issue/Introduction

  • Users are unable to authenticate to vCenter with Active Directory domain credentials via Integrated Windows Authentication (IWA).

  • Running ntpq -pn on the vCenter appliance shows a large offset against the configured NTP server.

  • The ntpd journal on the vCenter appliance (journalctl -u ntpd) shows time synchronization errors and Clock Unsynchronized events:

    root@<vcsa> [ ~ ]# journalctl -u ntpd -n 1000
    Journal begins at <Day YYYY-MM-DD hh:mm:ss> UTC, ends at <Day YYYY-MM-DD hh:mm:ss>
    YYYY-MM-DD hh:mm:ss <vcsa_fqdn> info systemd[1]: Stopping Network Time Service...
    YYYY-MM-DD hh:mm:ss <vcsa_fqdn> info ntpd[1630]: ntpd exiting on signal 15 (Terminated)
    ...

    YYYY-MM-DD hh:mm:ss <vcsa_fqdn> info systemd[1]: ntpd.service: Succeeded.
    YYYY-MM-DD hh:mm:ss <vcsa_fqdn> info systemd[1]: Stopped Network Time Service.
    YYYY-MM-DD hh:mm:ss <vcsa_fqdn> info systemd[1]: Starting Network Time Service...
    ...
    YYYY-MM-DD hh:mm:ss <vcsa_fqdn> info ntpd[3476172]: Listening on routing socket on fd #20 for interface updates
    YYYY-MM-DD hh:mm:ss <vcsa_fqdn> info ntpd[3476172]: kernel reports TIME_ERROR: 0x2041: Clock Unsynchronized

Environment

  • vCenter 7.x
  • vCenter 8.x

Cause

The domain controllers were not keeping time consistently with each other or with the NTP server. In this case one domain controller was synchronizing with the NTP server while the other was not, so the two drifted apart. Although NTP was explicitly configured on the vCenter appliance, the appliance's date and time followed the out-of-sync domain controller rather than the NTP server; this is expected behavior for a domain-joined appliance (see "vCenter time is intermittently out of sync" in the Additional Information section). Because the two domain controllers differed by more than 5 minutes, which is the default Kerberos clock-skew tolerance set by the domain policy, Kerberos rejected the authentication attempts of Active Directory accounts on vCenter. For more information refer to the Additional Information section.

Resolution

Authentication via IWA relies on Kerberos, which rejects a request when the clock difference between the client (here, vCenter) and the Key Distribution Center (a domain controller) exceeds the domain's clock-skew tolerance (the error returned is KRB_AP_ERR_SKEW, "Clock skew too great"). The tolerance is 5 minutes by default, set by "Maximum tolerance for computer clock synchronization" in the Default Domain Policy. Correcting the domain controllers' time source restores domain user logins.

  1. Ensure "Synchronize guest time with host" is disabled for the vCenter virtual machine in the vSphere Client, so that the appliance's clock is governed by its NTP configuration rather than by the ESXi host:
    • Log in to the vSphere Client.
    • Locate and select the VCSA Virtual Machine in the inventory.
    • Select Actions > Edit Settings.
    • Navigate to the VM Options tab.
    • Expand the VMware Tools section.
    • Under Time, uncheck the box for Synchronize guest time with host.
    • Click OK.
  2. Engage Microsoft Support to reconfigure the Windows Time Service on all Active Directory domain controllers so that every domain controller synchronizes reliably from the same authoritative NTP servers that the vCenter appliance uses. On the domain controller side, w32tm /query /status and w32tm /monitor show each domain controller's current time source and offset. For references, review the Additional Information section.

  3. Re-run ntpq -pn on the vCenter appliance and confirm that the offset column (reported in milliseconds) for the selected peer is small, well below the 5-minute (300000 ms) Kerberos tolerance, and that the reach column is non-zero for the configured NTP server.
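
The following shell snippet is an added example (not part of this article and not a VMware tool) for step 3: it parses the output of ntpq -pn on the appliance, flags any peer that is unreachable or whose offset exceeds the Kerberos clock-skew tolerance, and computes the mutual drift between two clocks from their individual offsets. The sample ntpq output embedded in it is constructed for the demonstration; the peer addresses 10.0.0.10 through 10.0.0.12 are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the KB article: check ntpq -pn output against the
# Kerberos clock-skew tolerance. ntpq reports offset in milliseconds; the
# Windows "Maximum tolerance for computer clock synchronization" default is
# 5 minutes, i.e. 300000 ms.
KRB_TOLERANCE_MS=300000

# ntpq_skew_check [tolerance_ms]
# Reads `ntpq -pn` output on stdin. Prints one line per peer with its state
# (OK, SKEW or UNREACHABLE) and returns 0 only if every peer is reachable and
# within tolerance, 1 otherwise.
ntpq_skew_check() {
    local tol="${1:-$KRB_TOLERANCE_MS}"
    awk -v tol="$tol" '
        # Skip the column header and the ===== separator line.
        /^ +remote/ || /^=+$/ { next }
        # A peer line has 10 columns and a numeric offset in column NF-1.
        NF >= 10 && $(NF-1) ~ /^-?[0-9]+(\.[0-9]+)?$/ {
            remote = $1
            # Drop the tally code (*, +, -, #, x, ., o) that ntpq prefixes to
            # the selected/candidate peers. With -n the address is numeric, so
            # this never eats a real character.
            sub(/^[*+#x.o-]/, "", remote)
            reach  = $(NF-3)        # octal reachability register, 0 = never answered
            offset = $(NF-1)        # milliseconds, signed
            abs = (offset < 0) ? -offset : offset
            if (reach == 0)      { state = "UNREACHABLE"; bad++ }
            else if (abs > tol)  { state = "SKEW";        bad++ }
            else                 { state = "OK" }
            printf "%-16s offset=%12.3f ms  reach=%s  %s\n", remote, offset, reach, state
        }
        END { exit (bad > 0) }
    '
}

# dc_drift_ms offset_a_ms offset_b_ms
# Two domain controllers measured against the same reference clock differ
# from each other by |offset_a - offset_b|; that mutual drift is what Kerberos
# sees when vCenter follows one DC and authenticates against the other.
dc_drift_ms() {
    awk -v a="$1" -v b="$2" 'BEGIN { d = a - b; if (d < 0) d = -d; printf "%.0f\n", d }'
}

# Constructed sample of `ntpq -pn` output (assumed addresses): the selected
# peer is healthy, a second peer is 325 s off, a third never answered.
sample_ntpq_output() {
    cat <<'EOF'
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*10.0.0.10       .GPS.            1 u   45   64  377    0.512   -0.123   0.045
 10.0.0.11       10.0.0.10        2 u   12   64  377    0.611 325410.2   0.100
 10.0.0.12       .INIT.          16 u    -   64    0    0.000    0.000   0.000
EOF
}

# Demo on the constructed sample; set NTPQ_LIVE=1 on the appliance to query
# the real ntpd instead. The `|| echo` keeps the script going after a finding.
if [ "${NTPQ_LIVE:-0}" = "1" ]; then
    ntpq -pn | ntpq_skew_check || echo "time skew or unreachable peer detected"
else
    sample_ntpq_output | ntpq_skew_check || echo "time skew or unreachable peer detected"
fi
```

On the appliance, run it as NTPQ_LIVE=1 bash check-skew.sh (hypothetical file name). A non-zero offset of a few milliseconds is normal; what matters for IWA is that no clock vCenter or the domain controllers depend on sits hundreds of seconds away from the others. To compare the two domain controllers directly, feed dc_drift_ms the offsets that w32tm /monitor reports for each of them.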


Additional Information

vCenter time is intermittently out of sync (405484)

Default Domain policy for kerberos authentication

Windows Time service tools and settings

Logging in to the vCenter Server Appliance fails with the error: Failed to authenticate user (313931)