Today, I ran into some problems with our vSphere  6 environment in that the domain authentication was no longer working. We use the machine account for AD authentication.

We got the following error in Single Sign-on Configuration: ‘The name of the identity source does not match the existing Integrated Windows Authentication identity source’

Normally, this can be fixed by using the following instructions:

• reset the computer account in AD
• run: /opt/likewise/bin/domainjoin-cli query
  • You should get an error like : Error: LW_ERROR_PASSWORD_MISMATCH [code 0x00009c56]
• run /opt/likewise/bin/domainjoin-cli join ….
• run /opt/likewise/bin/domainjoin-cli join <domain.com> <Domain_Administrator> <Password>
• Reboot VCSA

However, rejoining the domain didn’t work. Apparently, this can happen if you have disabled SMBv1 on your network/domain controllers. (like I did when WannaCry started spreading computers worldwide using the SMBv1 vulnerability). Apparently, vCenter 6 appliance uses SMBv1 by default to verify domain connectivity to your domain controllers.

The following instructions will configure vCenter appliance to use SMBv2:

• SSH into the vCSA
• enable the bash shell
  • shell.set –enabled true
• enter the bash shell
  • shell
• Set the SMB2Enabled Flag in likewise’s config:
  • /opt/likewise/bin/lwregshell set_value ‘[HKEY_THIS_MACHINE\Services\lwio\Parameters\Drivers\rdr]’ Smb2Enabled 1
• You can verify the values with the following command:
  • /opt/likewise/bin/lwregshell list_values ‘[HKEY_THIS_MACHINE\Services\lwio\Parameters\Drivers\rdr]’
• Then restart likewise:
  • /opt/likewise/bin/lwsm restart lwio

After doing this, the first part of the instructions to rejoin VCSA to the domain should work again and after a reboot, authentication should be successful again.

email

Twitter

Facebook

Linkedin

Digg

Pinterest