Today, I ran into some problems with our vSphere 6 environment in that the domain authentication was no longer working. We use the machine account for AD authentication.
We got the following error in Single Sign-on Configuration: ‘The name of the identity source does not match the existing Integrated Windows Authentication identity source’
Normally, this can be fixed by using the following instructions:
- reset the computer account in AD
- run: /opt/likewise/bin/domainjoin-cli query
- You should get an error like: Error: LW_ERROR_PASSWORD_MISMATCH [code 0x00009c56]
- run /opt/likewise/bin/domainjoin-cli join ….
- run /opt/likewise/bin/domainjoin-cli join <domain.com> <Domain_Administrator> <Password>
- Reboot VCSA
However, rejoining the domain didn’t work. Apparently, this can happen if you have disabled SMBv1 on your network/domain controllers (like I did when WannaCry started spreading across computers worldwide using the SMBv1 vulnerability). Apparently, the vCenter 6 appliance uses SMBv1 by default to verify domain connectivity to your domain controllers.
The following instructions will configure the vCenter appliance to use SMBv2:
- SSH into the vCSA
- enable the bash shell:
  shell.set --enabled true
- enter the bash shell
- set the Smb2Enabled flag in likewise’s config:
  /opt/likewise/bin/lwregshell set_value '[HKEY_THIS_MACHINE\Services\lwio\Parameters\Drivers\rdr]' Smb2Enabled 1
- verify the values with the following command:
  /opt/likewise/bin/lwregshell list_values '[HKEY_THIS_MACHINE\Services\lwio\Parameters\Drivers\rdr]'
- then restart likewise’s lwio service:
  /opt/likewise/bin/lwsm restart lwio
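The same change as a small script, added here as an example rather than anything from the post or from VMware: it reads the current Smb2Enabled value from the rdr key, sets it only when it is missing or 0, verifies the result and restarts lwio. The line format parsed in parse_smb2_flag ("Smb2Enabled"  REG_DWORD  0x00000001 (1)) is an assumption about lwregshell’s list_values output; adjust the pattern if your appliance prints it differently.

```shell
#!/bin/sh
# Example script (not from the post): make the likewise rdr driver use SMB2 on the vCSA.
LWREG=/opt/likewise/bin/lwregshell
LWSM=/opt/likewise/bin/lwsm
RDR_KEY='[HKEY_THIS_MACHINE\Services\lwio\Parameters\Drivers\rdr]'

# Read `lwregshell list_values` output on stdin and print the Smb2Enabled value
# as a decimal ("1", "0", ...) or "unset" when the value does not exist.
# Assumed line format: "Smb2Enabled"  REG_DWORD  0x00000001 (1)
parse_smb2_flag() {
    awk '
        /"Smb2Enabled"/ {
            v = "0"
            # prefer the decimal in parentheses, fall back to the hex token
            if (match($0, /\([0-9]+\)/)) v = substr($0, RSTART + 1, RLENGTH - 2)
            else if ($0 ~ /0x0*1([^0-9a-fA-F]|$)/) v = "1"
            print v; found = 1; exit
        }
        END { if (!found) print "unset" }
    '
}

# Apply the post's change only when needed, confirm it took, then restart lwio.
ensure_smb2() {
    current=$("$LWREG" list_values "$RDR_KEY" | parse_smb2_flag)
    if [ "$current" = "1" ]; then
        echo "Smb2Enabled already 1; nothing to do"
        return 0
    fi
    echo "Smb2Enabled is $current; setting it to 1"
    "$LWREG" set_value "$RDR_KEY" Smb2Enabled 1 || return 1
    after=$("$LWREG" list_values "$RDR_KEY" | parse_smb2_flag)
    if [ "$after" != "1" ]; then
        echo "verification failed, Smb2Enabled is now: $after" >&2
        return 1
    fi
    "$LWSM" restart lwio
}

# Only touch the appliance when explicitly asked: sh enable-smb2.sh apply
if [ "${1:-}" = "apply" ]; then
    ensure_smb2
fi
```

After the script reports success, continue with the domainjoin-cli steps from the first list and reboot the appliance.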
After doing this, the first set of instructions to rejoin the VCSA to the domain should work again and, after a reboot, authentication should be successful again.