vCenter Server authentication fails with "Invalid Credentials" for AD users

Article ID: 439354

Products

VMware vCenter Server

Issue/Introduction

Attempts to log into the vCenter Server Appliance (VCSA) using Active Directory domain accounts fail with an Invalid Credentials error. This issue is characterized by a "partial" success state where identity lookups work, but logins do not.

Symptoms:

  • Users receive an "Invalid Credentials" error at the vSphere login screen.

  • The VCSA UI indicates that the appliance is successfully joined to the domain.

  • The VCSA is able to successfully query the domain from the CLI and to fetch/browse AD users from the vSphere UI.

  • In /var/log/vmware/sso/websso.log, the following entry is observed:
    YYYY-MM-DDTHH:MM:SS Exception 'com.vmware.identity.idm.IDMLoginException: Native platform error [code: 851968][null][null]'

Environment

VMware vCenter Server Appliance 8.x

AD Integration Type: Integrated Windows Authentication (IWA)

Cause

This issue occurs due to corruption within the Likewise domain cache or the Likewise registry database on the vCenter Server Appliance. Directory lookups still succeed, but the corrupted state prevents the security handshake that a user login requires from being completed, which is why the directory appears functional while logins fail.

Resolution

Before proceeding, ensure a powered-off snapshot of the vCenter Server Appliance has been taken.

Procedure 1: Clearing Domain Cache and Stale Registry Keys

  1. SSH into the vCenter Server Appliance as root.

  2. Navigate to the Likewise database directory:
    cd /var/lib/likewise/db/

  3. Rename the existing domain cache file:
    mv lsass-adcache.filedb.<Domain Name> lsass-adcache.filedb.<Domain Name>.old

  4. Restart the Likewise IO service:
    /opt/likewise/bin/lwsm stop lwio
    /opt/likewise/bin/lwsm start lwio

  5. Remove the domain join entries from the registry:
    /opt/likewise/bin/lwregshell delete_tree "HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory\DomainJoin"

  6. In the vSphere Client, delete the Integrated Windows Authentication (IWA) identity source under Administration > Configuration > Identity Sources.

  7. Perform a manual domain leave:
    /opt/likewise/bin/domainjoin-cli leave

  8. Delete the computer account from the Active Directory Domain Controller and reboot the vCenter Server Appliance.
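The log check from the Symptoms section and step 3 of Procedure 1, as an added shell example that is not part of this article: the first function counts the IDMLoginException "Native platform error" codes in a websso.log, and the second rotates every lsass-adcache.filedb.<Domain Name> file to .old without retyping the domain name. The log lines and cache file in the demo are constructed, and the path arguments are assumptions so the functions can be run against test data.

```shell
#!/bin/sh
# Added helper script (not part of the KB article). Paths are taken as
# arguments so both functions can be exercised against constructed data.

# Print "<count> <code>" for each distinct IDMLoginException
# "Native platform error" code found in a websso.log file.
# Usage: native_platform_error_codes /var/log/vmware/sso/websso.log
native_platform_error_codes() {
    grep -o 'IDMLoginException: Native platform error \[code: [0-9]*\]' "$1" \
        | sed 's/.*code: \([0-9]*\)\].*/\1/' \
        | sort | uniq -c \
        | awk '{ print $1, $2 }'
}

# Step 3 of Procedure 1 without retyping the domain name: rename every
# lsass-adcache.filedb.<domain> file under the Likewise db directory to
# *.old and print how many were rotated. Files already ending in .old are
# skipped, so a second run is a no-op rather than a double rename.
rotate_adcache() {
    db_dir="${1:-/var/lib/likewise/db}"
    n=0
    for f in "$db_dir"/lsass-adcache.filedb.*; do
        [ -e "$f" ] || continue              # glob matched nothing
        case "$f" in *.old) continue ;; esac
        mv -- "$f" "$f.old"
        n=$((n + 1))
    done
    echo "$n"
}

# Offline demo on constructed sample data (a fake log and a fake cache file).
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/websso.log" <<'EOF'
2024-01-01T10:00:00 INFO  lookup of CORP\alice via IWA succeeded
2024-01-01T10:00:01 Exception 'com.vmware.identity.idm.IDMLoginException: Native platform error [code: 851968][null][null]'
2024-01-01T10:00:05 Exception 'com.vmware.identity.idm.IDMLoginException: Native platform error [code: 851968][null][null]'
EOF
    touch "$tmp/lsass-adcache.filedb.corp.example"
    echo "error codes (count code):"; native_platform_error_codes "$tmp/websso.log"
    echo "cache files rotated: $(rotate_adcache "$tmp")"
    rm -rf "$tmp"
}

demo
```

Run rotate_adcache with no argument on the appliance itself to operate on /var/lib/likewise/db; the Likewise IO restart from step 4 still has to follow.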


Procedure 2: Recreating the Likewise Registry (If Procedure 1 Fails)

If the issue persists, the Likewise registry database must be rebuilt:

  1. Export the current registry configuration:
    /opt/likewise/bin/lwregshell export /var/core/lwregDataSourceVC.reg

  2. Stop all vCenter services:
    service-control --stop --all

  3. Remove the corrupted database files:
    rm /var/lib/likewise/db/active.db
    rm /var/lib/likewise/db/registry.db

  4. Start the Likewise service manager and import the registry data:
    /opt/likewise/sbin/lwsmd --syslog --start-as-daemon
    /opt/likewise/bin/lwregshell import /var/core/lwregDataSourceVC.reg

  5. Restart services:
    /opt/likewise/bin/lwsm shutdown
    service-control --start --all

  6. Repeat the domain leave and cleanup steps (Steps 6-8) from Procedure 1.