Can’t login using Windows Session Credentials – VCSA (vSphere 6)


Quite a few things seem to have changed with the VCSA in vSphere 6. The most obvious change is that the appliance is no longer deployed as an OVA / OVF template but rather from an ISO image.

As part of deploying the ISO, you’ll be prompted to put in your settings for the vCenter before it’s even powered on. This can be quite tricky to get right the first time – so make sure you have created the relevant DNS records on your DNS servers and configured your VM network on the chosen host for initial deployment.

Setting up SSO for your Windows Domain is exactly the same; however, when ticking the “Use Windows Session Credentials” box you will see the following error:

“Window session credentials cannot be used to log into this server. Enter a user name and password”


There are already various guides which point you to the /etc/nsswitch.conf file. This needs to be edited using vi on the VCSA itself. To do so, open a console to the VCSA and enable SSH and the Bash shell under Troubleshooting Mode Options.

Open an SSH session to your appliance using a remote terminal application of your choice (I use good old PuTTY).


NOTE: If you see Command> on the prompt, you’ll need to move into Shell mode by typing “shell” and pushing enter.

We’re about to edit the nsswitch.conf file – make sure you know how to edit and save changes before you start.

Use the following command to edit the conf file:

vi /etc/nsswitch.conf


Once in the file, push <i> to go into Edit / Insert mode.

At the end of the passwd: compat ato line, add lsass. 


Push ESC to exit Insert mode, then type a colon (:) to issue your next command. In this case, we want to write changes and exit the file – wq.


Confusingly – according to VMware, if the word lsass is already present, you should remove it.
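
The same edit can be scripted so that a backup is kept and the change is applied only once. This is an added example, not part of the original post; the function name add_lsass and the .bak backup suffix are assumptions made for the example. If lsass is already on the passwd: line, it reports that and leaves the file untouched.

```shell
#!/bin/sh
# Added example: append "lsass" to the passwd: line of an nsswitch.conf file.
# The function name and the ".bak" backup suffix are choices made for this example.
#
# Usage on the appliance (from the Bash shell):  add_lsass /etc/nsswitch.conf
#
# Return codes:
#   0  lsass was appended (original saved as FILE.bak)
#   1  lsass was already present, file left untouched
#   2  file missing, no passwd: line found, or the backup/edit failed
add_lsass() {
    conf="$1"
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 2; }

    # Locate the passwd: line (leading whitespace tolerated).
    line=$(grep -E '^[[:space:]]*passwd:' "$conf" | head -n 1)
    [ -n "$line" ] || { echo "no passwd: line in $conf" >&2; return 2; }

    # Match lsass only as a whole word so a longer token cannot false-positive.
    if printf '%s\n' "$line" | grep -Eq '(^|[[:space:]])lsass([[:space:]]|$)'; then
        echo "lsass already present: $line"
        return 1
    fi

    # Keep a copy with the original mode and timestamps before touching anything.
    cp -p "$conf" "$conf.bak" || return 2

    # Rewrite from the backup into the original path, so the live file keeps
    # its owner and permissions. Only the passwd: line is changed; trailing
    # whitespace is dropped before " lsass" is appended.
    sed '/^[[:space:]]*passwd:/ s/[[:space:]]*$/ lsass/' "$conf.bak" > "$conf" || return 2

    # Show the resulting line so the change can be checked by eye.
    grep -E '^[[:space:]]*passwd:' "$conf"
    return 0
}
```

To undo the change, copy the .bak file back over /etc/nsswitch.conf.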

At this point, logging into the server using Windows Session Credentials still won’t work. You now need to add the VCSA to the domain, which was previously done from the vCenter Appliance Management Interface (VAMI).

To join the VCSA to the domain, you need to log into the Web Client (https://[VCSA IP or hostname]/vsphere-client).

Go to Administration from the home page: 


Go to System Configuration:


Click Nodes -> Choose your VCSA, click Manage and then Active Directory:


On the right, you’ll see you can either Join or Leave a domain. Note that mine is greyed out as the VCSA has already joined the domain:


Once done, you’ll need to reboot your appliance for the changes to take effect.

You will now be able to log onto the vCenter using Windows Session credentials, provided the account you’re using has permissions to access the vCenter.

