In an Integrated Windows Authentication configuration, the referenced AD server does not automatically switch over when a process on the AD server hangs (process stack).


Article ID: 441982


Updated On:

Products

VMware vCenter Server

Issue/Introduction

In an environment where Integrated Windows Authentication (IWA) is configured and multiple Active Directory servers are registered for redundancy, automatic failover to the secondary AD server does not occur when the primary AD server is in the following state, and login to the vSphere Client fails.

  • The message "Invalid credentials" appears and login to the vSphere Client fails.
  • On the affected AD server, the OS and Ping responses are normal, but the internal AD services are hung and LDAP queries receive no response (process stack).

Environment

vCenter Server

Cause

When vCenter Server cannot communicate with the AD server at all, it switches to another registered AD server. However, when network communication between vCenter Server and the AD server still works but a process inside the AD server is hung, the condition is not detected as a communication failure and the switchover may not take place.
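As an added illustration (not part of this KB or of vCenter's own code), the following Python check distinguishes the failure this article describes, an AD server that accepts TCP connections but never answers an LDAP query, from one that is simply unreachable. The listener standing in for the hung AD server and the port it uses are constructed for the demo; vCenter's own detection logic is not shown.

```python
import socket

def rootdse_search_request(msg_id: int = 1) -> bytes:
    """BER-encode a minimal anonymous LDAP SearchRequest for the root DSE
    (base "", scope baseObject, filter (objectClass=*)); msg_id must be 1..127."""
    search = (
        b"\x04\x00"              # baseObject: empty DN
        b"\x0a\x01\x00"          # scope: baseObject
        b"\x0a\x01\x00"          # derefAliases: neverDerefAliases
        b"\x02\x01\x00"          # sizeLimit: 0
        b"\x02\x01\x00"          # timeLimit: 0
        b"\x01\x01\x00"          # typesOnly: FALSE
        b"\x87\x0bobjectClass"   # filter: present(objectClass)
        b"\x30\x00"              # attributes: empty list
    )
    op = b"\x63" + bytes([len(search)]) + search    # [APPLICATION 3] SearchRequest
    body = b"\x02\x01" + bytes([msg_id]) + op       # messageID INTEGER
    return b"\x30" + bytes([len(body)]) + body      # LDAPMessage SEQUENCE

def probe_ldap(host: str, port: int = 389, timeout: float = 3.0) -> str:
    """'tcp-unreachable' (vCenter already fails over on this), 'ldap-hung' (TCP
    accepted, no LDAPMessage within timeout: the process-stack case), 'ldap-ok'."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(rootdse_search_request())
            try:
                first = sock.recv(1)
            except socket.timeout:
                return "ldap-hung"
            return "ldap-ok" if first == b"\x30" else "ldap-error"
    except OSError:
        return "tcp-unreachable"

def hung_listener() -> socket.socket:
    """Constructed stand-in for a hung AD server: the kernel completes the TCP
    handshake into the listen backlog, but nothing ever reads or answers."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv

def demo(timeout: float = 1.0) -> dict:
    srv = hung_listener()
    port = srv.getsockname()[1]
    hung = probe_ldap("127.0.0.1", port, timeout)   # TCP fine, LDAP silent
    srv.close()                                     # nothing listens here now
    return {"hung": hung, "closed": probe_ldap("127.0.0.1", port, timeout)}
```

Against a real AD server, `probe_ldap(host)` returning "ldap-hung" while Ping succeeds is the state in which the manual steps in the Resolution section are needed.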

Resolution

Perform the following steps:

  1. Perform one of the following:

    a) Disconnect the network of the problematic AD server
       (for example, shut down the virtual machine of the failed primary AD server).

    b) Add a blacklist entry and modify the configuration file on the vCenter Server side
       (explicitly exclude the IP address of the affected primary AD server in krb5-affinity.conf or in the blacklist settings).

    * For detailed instructions, refer to KB375177: for the krb5-affinity.conf change, see "Workaround 1" in KB375177; for blacklisting, see "Workaround 2".

    * In this case, do not perform the krb5.conf setting changes described in "Workaround 1" of KB375177.

  2. Connect to the vCenter Server via SSH and run the following command to restart lwsmd (the Likewise service manager daemon that handles the AD integration):
    systemctl restart lwsmd

Additional Information

Integrated Windows Authentication has been deprecated since vSphere 7.0. It can still be used in vSphere 8, but it remains deprecated there.

It has been removed in vSphere 9, so migrate to another authentication method (such as AD over LDAPS, Okta, or Microsoft Entra ID).

Japanese KB: 統合Windows認証構成におけるADサーバのプロセススタック時に参照先が自動で切り替わらない