I am currently working for a large client that has multiple vCenters. The environment consists of three vCenters all with external PSCs. I am helping the client build out a new datacenter and it’s to the point where we can deploy a new vCenter and external PSC for this site. After deploying the VCSA and an external PSC for this site, I configured everything such as NTP, authentication, made sure DNS servers were all correct..etc. Signed into the new vCenter and verified authentication was working as intended.
Now for the fun part…
I noticed that logging into the web client, thick client or even PowerCLI with cached credentials (the check box use windows session credentials) would result in an error. PowerCLI would do something a little different and prompt for credentials which didn’t make sense because if I typed out my credentials, it logged me in just fine.
This became problematic because we wanted to run scripts such as vCheck and couldn’t because the prompt for credentials would interrupt the script. After doing some troubleshooting, I noticed that in this new site, the PSC was the only thing joined to the domain. Makes sense, since it handles authentication, right? Well, not exactly. It turns out, that the vCenter appliance needs to join the domain as well and this is required in order to allow cached credentials to work.
Normally, this would be configured in the web client. I logged into the web client and also the vCenter management page (port 5480) and couldn’t find how to join it to the domain. In the web client, I navigated to Administration -> System Configuration -> Nodes. Clicking the PSC node, shows me a tab for Active Directory.
This appeared to be configured correctly. Clicking the vCenter node did not display an AD tab.
I did some googling and found this KB Article :
The option to join vCenter Server Appliance 6.x to an Active Directory domain is unavailable in the vSphere Web Client (2118543)
This fit my deployment as we have an external PSC for each vCenter. I was able to join my VCSA appliance to AD which ultimately corrected the cached credential issue. You can follow that KB article or to save you time, here’s the steps below.
- SSH into your vCenter appliance.
- If needed, type shell or enable it first.
- Before joining the vCenter to the domain, check to make sure NTP and DNS are configured correctly.
- Type date to ensure you have the correct time and date on the appliance.
- Type cat /etc/resolv.conf
You should see something like this :
root@nyvc01 [ / ]# cat /etc/resolv.conf
# This file is managed by systemd-resolved(8). Do not edit.
# Third party programs must not access this file directly, but
# only through the symlink at /etc/resolv.conf. To manage
# resolv.conf(5) in a different way, replace the symlink by a
# static file or a different symlink.
6. Assuming time/date and DNS configuration looks good we can proceed.
7. To join the vCenter appliance to the domain, type
/opt/likewise/bin/domainjoin-cli join DOMAIN.LOCAL administrator password
You should see results similar to this :
root@nyvc01 [ ~ ]# /opt/likewise/bin/domainjoin-cli join virtualizeme.net administrator password
Joining to AD Domain: virtualizeme.net
With Computer DNS Name: nyvc01.virtualizeme.net
8. Reboot both the PSC and vCenter appliances.
9. Try logging in with cached credentials. It should work now!
I hope you’ve found this helpful.
Ran into this issue as well. Solved with your post. Thanks!