Summary: After a major upgrade from an earlier VxRail release, the PSC must leave and rejoin Active Directory; otherwise AD users fail to log in, showing Invalid Credential [Native platform error [code: 851968]].


Article Content

Issue


Authentication failure detected for an AD user after a VxRail upgrade.
On the PSC, you can see the following error messages in /var/log/vmware/sso/vmware-identity-sts.log:
[2020-01-23T01:33:24.427Z tomcat-http--4 vsphere.local        d2739667-060b-4136-a49d-a0c490735ced INFO  com.vmware.identity.idm.server.IdentityManager] Authentication failed for user [aduser@EXAMPLE] in tenant [vsphere.local] in [32] milliseconds with provider [sample.ad-domain.example] of type [com.vmware.identity.idm.server.provider.activedirectory.ActiveDirectoryProvider]
[2020-01-23T01:33:24.427Z tomcat-http--4 vsphere.local        d2739667-060b-4136-a49d-a0c490735ced ERROR com.vmware.identity.idm.server.ServerUtils] Exception 'com.vmware.identity.idm.IDMLoginException: Native platform error [code: 851968][null][null]'
com.vmware.identity.idm.IDMLoginException: Native platform error [code: 851968][null][null]
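To confirm the symptom before leaving and rejoining the domain, the following added example (not part of the Dell article) scans vmware-identity-sts.log for the failure signature shown above and lists which AD users hit it and through which provider. It assumes the log line format of the excerpt above; the default log path is the one the article names, and the embedded sample lines are constructed for offline use.

```shell
# Count ERROR lines carrying the 851968 native platform error code.
count_native_platform_errors() {
    awk '/IDMLoginException: Native platform error \[code: 851968]/ { n++ } END { print n+0 }'
}

# Print "user provider" for each authentication failure handled by the
# ActiveDirectoryProvider, the path that breaks when the PSC's domain join is stale.
list_failed_ad_logins() {
    awk '
        /Authentication failed for user \[/ && /ActiveDirectoryProvider]/ {
            user = $0; sub(/.*Authentication failed for user \[/, "", user); sub(/].*/, "", user)
            prov = $0; sub(/.*with provider \[/, "", prov); sub(/].*/, "", prov)
            print user, prov
        }'
}

# Constructed sample log lines (modelled on the article's excerpt; not a real capture).
SAMPLE_LOG=$(cat <<'EOF'
[2020-01-23T01:33:24.427Z tomcat-http--4 vsphere.local d2739667 INFO  com.vmware.identity.idm.server.IdentityManager] Authentication failed for user [aduser@EXAMPLE] in tenant [vsphere.local] in [32] milliseconds with provider [sample.ad-domain.example] of type [com.vmware.identity.idm.server.provider.activedirectory.ActiveDirectoryProvider]
[2020-01-23T01:33:24.427Z tomcat-http--4 vsphere.local d2739667 ERROR com.vmware.identity.idm.server.ServerUtils] Exception 'com.vmware.identity.idm.IDMLoginException: Native platform error [code: 851968][null][null]'
[2020-01-23T01:41:07.015Z tomcat-http--9 vsphere.local 5e6f7a8b INFO  com.vmware.identity.idm.server.IdentityManager] Authentication failed for user [second.user@EXAMPLE] in tenant [vsphere.local] in [28] milliseconds with provider [sample.ad-domain.example] of type [com.vmware.identity.idm.server.provider.activedirectory.ActiveDirectoryProvider]
EOF
)

# Usage: sh check_sts.sh [path-to-vmware-identity-sts.log]
# When no readable log is given, the constructed sample above is scanned instead.
STS_LOG="${1:-/var/log/vmware/sso/vmware-identity-sts.log}"
if [ -r "$STS_LOG" ]; then
    INPUT=$(cat "$STS_LOG")
else
    INPUT=$SAMPLE_LOG
fi
echo "Native platform error [code: 851968] occurrences: $(printf '%s\n' "$INPUT" | count_native_platform_errors)"
echo "AD users with failed logins (user provider):"
printf '%s\n' "$INPUT" | list_failed_ad_logins
```

A non-zero count together with failures only from the AD provider matches the cause described below; a count of zero points to a different problem than a stale domain join.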
 
Cause
If a VxRail-supplied PSC has already joined an AD domain, you might run into this issue when an AD user tries to log in to the VxRail vCenter Server after a VxRail upgrade.
It is possible that a new VxRail-supplied vCSA VM and PSC VM are deployed during the upgrade. That means new guest OSs are running on these VMs, and the new PSC guest OS does not carry the domain membership established by the original join. When AD users attempt to log in to vCenter Server, they might experience errors.
If that happens, the solution is to remove the PSC from the Active Directory domain and then rejoin the PSC to the AD domain.
https://support.emc.com/docu91266_Joining-VxRail-Supplied-vCSA-and-PSC-to-Active-Directory-Tech-Note.pdf
Resolution
The VC/PSC needs to leave and join Active Directory again.
*** For VxRail using an internal vCSA, only the PSC needs to rejoin.

Procedure
1. Log in to the Platform Services Controller Appliance as root and enable the bash shell.
2. Leave the domain by running the /opt/likewise/bin/domainjoin-cli leave command.
3. Reboot the appliance.
4. Delete the computer account of the PSC in Active Directory.
5. Log in to the appliance again and enable the bash shell.
6. Join the domain by running the following command: /opt/likewise/bin/domainjoin-cli join domain-name domain_admin_user
for example: /opt/likewise/bin/domainjoin-cli join vmware.com administrator
7. Reboot the Platform Services Controller Appliance.
Notes

Other references:
VMware doc: Unable to Log In Using Active Directory Domain Authentication
https://docs.vmware.com/en/VMware-vSphere/6.7/com.vmware.psc.doc/GUID-8C553435-27CD-4410-ACA9-9A84EA1D7334.html

Supported AD functional level matrix for vSphere
https://kb.vmware.com/s/article/2071592