Symptoms:

- vCenter Server Appliance fails to join the domain with Error: Access is denied
- ESXi server fails to join the domain
- Active Directory users fail to authenticate with Error: ERROR_ACCESS_DENIED

The domain join log on the vCenter Server Appliance captures the below events.

Command:

    /opt/likewise/bin/domainjoin-cli --loglevel verbose --logfile /var/log/domain.log join <domain name> <user>

domain.log:

    20200115230558:VERBOSE:Setting krb5 name value 'forwardable' to 'true'
    20200115230558:VERBOSE:Setting krb5 name value 'validate' to 'true'
    20200115230558:VERBOSE:Setting krb5 name value 'mappings' to 'AD\\(.*) $1@domain'
    20200115230558:VERBOSE:Setting krb5 name value 'reverse_mappings' to '(.*)@AD\.domain\.CN AD\$1'
    20200115230558:INFO:Writing krb5 file /tmp/likewisetmpQZqdkY/etc/krb5.conf
    20200115230558:INFO:File /tmp/likewisetmpQZqdkY/etc/krb5.conf modified
    20200115230558:INFO:Finishing krb5.conf configuration
    20200115230559:ERROR:ERROR_ACCESS_DENIED [ERROR_ACCESS_DENIED]

A packet capture on the domain controller (DC) would return the below frame, an SMB2 Session Setup response from the DC (port 445) carrying NT Status STATUS_ACCESS_DENIED:

    Frame 8261: 132 bytes on wire (1056 bits), 132 bytes captured (1056 bits)
    Linux cooked capture
    Internet Protocol Version 4, Src: <DC IP>, Dst: <vCenter IP>
    Transmission Control Protocol, Src Port: 445, Dst Port: 53566, Seq: 253, Ack: 1781, Len: 76
    NetBIOS Session Service
    SMB2 (Server Message Block Protocol version 2)
        SMB2 Header
            Server Component: SMB2
            Header Length: 64
            Credit Charge: 0
            NT Status: STATUS_ACCESS_DENIED (0xc0000022)
            Command: Session Setup (1)
            Credits granted: 1
            Flags: 0x00000001, Response
            Chain Offset: 0x00000000
            Message ID: Unknown (1)
            Process Id: 0x00000550
            Tree Id: 0x00000000
            Session Id: 0x0000000000000000
            Signature: 00000000000000000000000000000000
            [Response to: 8259]
            [Time from request: 0.001083000 seconds]
        Session Setup Response (0x01)
            [Preauth Hash: c02e5af90775290edf04178b581f90950317bebef965fc25…]
            StructureSize: 0x0009
                0000 0000 0000 100. = Fixed Part Length: 4
                .... .... .... ...1 = Dynamic Part: True
            Session Flags: 0x0000
                .... .... .... ...0 = Guest: False
                .... .... .... ..0. = Null: False
                .... .... .... .0.. = Encrypt: False
            Blob Offset: 0x00000000
            Blob Length: 0
            Security Blob: <MISSING>: NO DATA

Note: The preceding log excerpts are only examples. Date, time and environment variables may vary depending on your environment.
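As an added example (not part of this article and not VMware tooling), the following Python script parses the domainjoin-cli domain.log format shown above, reports the first ERROR entry together with the last INFO stage reached before it, and flags the pattern this article describes (ERROR_ACCESS_DENIED immediately after krb5.conf configuration) so an administrator knows to check the DC's RejectUnencryptedAccess setting or switch to AD over LDAP. The sample log is constructed from the excerpt above; the parser also splits entries that were pasted together without newlines.

```python
import re
from typing import Dict, List, Optional

# domainjoin-cli writes one entry per line as <YYYYMMDDhhmmss>:<LEVEL>:<message>.
# The lookahead lets the parser also split entries that were pasted together
# without newlines, as often happens when a log is copied into a ticket.
ENTRY_RE = re.compile(
    r"(?P<ts>\d{14}):(?P<level>[A-Z]+):(?P<msg>.*?)(?=\d{14}:[A-Z]+:|\Z)", re.S
)

# Constructed sample, copied from the domain.log excerpt in this article.
SAMPLE_LOG = r"""20200115230558:VERBOSE:Setting krb5 name value 'forwardable' to 'true'
20200115230558:VERBOSE:Setting krb5 name value 'validate' to 'true'
20200115230558:INFO:Writing krb5 file /tmp/likewisetmpQZqdkY/etc/krb5.conf
20200115230558:INFO:File /tmp/likewisetmpQZqdkY/etc/krb5.conf modified
20200115230558:INFO:Finishing krb5.conf configuration
20200115230559:ERROR:ERROR_ACCESS_DENIED [ERROR_ACCESS_DENIED]
"""


def parse_domain_log(text: str) -> List[Dict[str, str]]:
    """Split domain.log text into {ts, level, msg} entries in file order."""
    return [{k: v.strip() for k, v in m.groupdict().items()} for m in ENTRY_RE.finditer(text)]


def diagnose(entries: List[Dict[str, str]]) -> Optional[Dict[str, Optional[str]]]:
    """Return the first ERROR, the last INFO stage before it, and a hint when the
    entries match the failure pattern in this article; None if there is no ERROR."""
    for i, entry in enumerate(entries):
        if entry["level"] != "ERROR":
            continue
        stage = next((p["msg"] for p in reversed(entries[:i]) if p["level"] == "INFO"), None)
        hint = None
        if "ERROR_ACCESS_DENIED" in entry["msg"] and stage and "krb5.conf" in stage:
            # krb5.conf was written and the join was then refused: per the article
            # the DC answers the SMB2 Session Setup with STATUS_ACCESS_DENIED, which
            # points at RejectUnencryptedAccess being enabled on the DC.
            hint = ("check Get-SmbServerConfiguration RejectUnencryptedAccess on the DC, "
                    "or configure the vCenter identity source as AD over LDAP")
        return {"error": entry["msg"], "last_stage": stage, "hint": hint}
    return None


if __name__ == "__main__":
    print(diagnose(parse_domain_log(SAMPLE_LOG)))
```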
Cause: This issue occurs if the RejectUnencryptedAccess parameter is enabled on the Domain Controller.

VMware is aware of this issue and is working to resolve it in a future release.
To work around this issue, follow either of the below options:

Option 1: Configure the Identity Source as AD over LDAP on vCenter Server. For more information, refer to Active Directory LDAP Server and OpenLDAP Server Identity Source Settings.

Option 2: Set the RejectUnencryptedAccess parameter to false on the Domain Controller using the below steps:

1. Log in to the Domain Controller server using a user with privileges to modify the configuration.
2. Open PowerShell on the server and execute the below command to validate the current value:

       Get-SmbServerConfiguration | Select RejectUnencryptedAccess

3. Modify the configuration using the below command:

       Set-SmbServerConfiguration -RejectUnencryptedAccess $false

4. Validate the change using the command mentioned in Step 2.

For additional information, refer to SMB3 Secure Dialect Negotiation.