Today I ran into a problem with our vSphere 6 environment: Active Directory authentication had stopped working. We use the machine account (Integrated Windows Authentication) for AD authentication.

We got the following error in Single Sign-on Configuration: ‘The name of the identity source does not match the existing Integrated Windows Authentication identity source’

Normally, this can be fixed with the following steps:

  • reset the computer account in AD
  • run: /opt/likewise/bin/domainjoin-cli query
    • You should get an error like: Error: LW_ERROR_PASSWORD_MISMATCH [code 0x00009c56]
  • rejoin the domain: /opt/likewise/bin/domainjoin-cli join <Domain_Name> <Domain_Administrator> <Password>
  • reboot the VCSA

However, rejoining the domain didn't work. Apparently this can happen if you have disabled SMBv1 on your network/domain controllers (as I did when WannaCry started spreading across computers worldwide using the SMBv1 vulnerability). The vCenter 6 appliance's Likewise client uses SMBv1 by default when it talks to your domain controllers, so once the DCs stop accepting SMBv1 the domain join fails.
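Before touching the appliance, it is worth confirming that the domain controllers really do refuse SMBv1. The script below is an added example written for this post (it is not VMware or Likewise code): it sends a raw SMB1 NEGOTIATE to the DC, once offering only the classic "NT LM 0.12" dialect and once also offering the SMB 2.x dialects, and reports which protocol family the server answers in. It assumes the DC is reachable on TCP 445 from where you run it and takes the host name as its argument (dc01.example.local is a placeholder).

```python
"""Probe which SMB dialect family a host (e.g. a domain controller) will
negotiate. Added example for this post, not VMware or Likewise code.
Assumptions: the target is reachable on TCP 445, and the host name is
passed on the command line (dc01.example.local is a placeholder).
"""
import socket
import struct
import sys

# Dialect strings advertised in the SMB1 NEGOTIATE. An SMB1-only client
# (Likewise's rdr with Smb2Enabled=0) sends the first set; an SMB2-capable
# client also lists the SMB 2.x dialects so the server may answer in SMB2.
SMB1_DIALECTS = [b"NT LM 0.12"]
SMB2_DIALECTS = [b"NT LM 0.12", b"SMB 2.002", b"SMB 2.???"]


def build_negotiate(dialects):
    """Build an SMB1 NEGOTIATE request (MS-CIFS 2.2.4.52) carrying the given
    dialect strings, wrapped in a NetBIOS session message header."""
    header = (
        b"\xffSMB"             # SMB1 protocol identifier
        + b"\x72"              # SMB_COM_NEGOTIATE
        + b"\x00\x00\x00\x00"  # NT status
        + b"\x18"              # Flags: canonical paths, case-insensitive
        + b"\x01\xc8"          # Flags2 (LE 0xC801): long names, ext. security, NT status, unicode
        + b"\x00\x00"          # PIDHigh
        + b"\x00" * 8          # SecurityFeatures
        + b"\x00\x00"          # Reserved
        + b"\x00\x00"          # TID
        + b"\xfe\xff"          # PIDLow
        + b"\x00\x00"          # UID
        + b"\x00\x00"          # MID
    )
    body = b"".join(b"\x02" + d + b"\x00" for d in dialects)      # BufferFormat 0x02 + ASCIIZ
    smb = header + b"\x00" + struct.pack("<H", len(body)) + body  # WordCount=0, ByteCount
    return b"\x00" + len(smb).to_bytes(3, "big") + smb           # NetBIOS session message


def strip_netbios(raw):
    """Return the SMB payload inside a NetBIOS session message, or b"" if the
    bytes are not one (this also covers an empty read after a close/reset)."""
    if len(raw) < 4 or raw[0] != 0x00:
        return b""
    length = int.from_bytes(raw[1:4], "big")
    return raw[4:4 + length]


def classify_response(smb):
    """Map the server's reply to the protocol family it chose:
    'smb2'            - SMB2 NEGOTIATE response (server took an SMB 2.x dialect)
    'smb1'            - SMB1 NEGOTIATE response accepting one of our dialects
    'smb1-no-dialect' - SMB1 response with DialectIndex 0xFFFF: none accepted (MS-CIFS)
    'refused'         - no reply at all (connection closed/reset, e.g. SMB1 disabled)
    'unknown'         - anything else
    """
    if not smb:
        return "refused"
    if smb[:4] == b"\xfeSMB":
        return "smb2"
    if smb[:4] == b"\xffSMB":
        # 32-byte SMB1 header, then WordCount (1 byte) and DialectIndex (2 bytes LE)
        if len(smb) >= 35 and struct.unpack("<H", smb[33:35])[0] == 0xFFFF:
            return "smb1-no-dialect"
        return "smb1"
    return "unknown"


def probe(host, port=445, timeout=5.0):
    """Send one NEGOTIATE per dialect set and report what the host chose.
    All network I/O lives here; the builder and parsers above are pure."""
    results = {}
    for name, dialects in (("smb1_only", SMB1_DIALECTS), ("with_smb2", SMB2_DIALECTS)):
        raw = b""
        try:
            with socket.create_connection((host, port), timeout=timeout) as s:
                s.sendall(build_negotiate(dialects))
                raw = s.recv(4096)
        except OSError:          # refused, reset or timed out: treated as no reply
            pass
        results[name] = classify_response(strip_netbios(raw))
    return results


def likewise_needs_smb2(results):
    """True when the DC will not negotiate SMB1, i.e. the appliance's default
    SMB1-only rdr configuration cannot work and Smb2Enabled must be set."""
    return results["smb1_only"] != "smb1"


if __name__ == "__main__":
    dc = sys.argv[1] if len(sys.argv) > 1 else "dc01.example.local"  # placeholder host
    found = probe(dc)
    print(found)
    if likewise_needs_smb2(found):
        print("SMB1 not negotiated: set Smb2Enabled=1 on the VCSA before rejoining")
    else:
        print("SMB1 still accepted: the SMBv1 setting is not what blocks the join")
```

A DC that answers the SMB1-only probe with an SMB1 negotiate response still accepts SMBv1, so the SMBv1 setting is not what is breaking the join and you should look elsewhere. A DC that closes the connection or answers with DialectIndex 0xFFFF will not talk to an SMB1-only client, so the appliance needs Smb2Enabled=1 before the rejoin can succeed; the second probe tells you whether SMB2 is on offer at all.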

Rather than re-enabling SMBv1 on the domain controllers, switch the appliance's Likewise client to SMBv2. The following steps configure the vCenter appliance to use SMBv2:

  • SSH into the VCSA
  • enable the bash shell:
    • shell.set --enabled true
  • enter the bash shell:
    • shell
  • set the Smb2Enabled flag in Likewise's registry:
    • /opt/likewise/bin/lwregshell set_value '[HKEY_THIS_MACHINE\Services\lwio\Parameters\Drivers\rdr]' Smb2Enabled 1
  • verify the value with:
    • /opt/likewise/bin/lwregshell list_values '[HKEY_THIS_MACHINE\Services\lwio\Parameters\Drivers\rdr]'
  • then restart the lwio service:
    • /opt/likewise/bin/lwsm restart lwio

After this, the rejoin steps above should work again, and after a reboot authentication should succeed.
