6.5u1 SMB1 issue which causes the AD authentication issue.

We had the AD authentication issue on ESXi 6.5 U1 and tried the various methods mentioned in my previous blog post, but every one of those options failed.

Below is the error seen while trying to connect the host to the domain with the domainjoin-cli command.

Error: LW_ERROR_KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN

Finally the VMware engineering team confirmed that the issue is caused by certain limitations in the software that affect the process of joining hosts to the domain.

Basically, SMB1 must be enabled on the DC in order to join ESXi hosts to the domain.
============
According to release notes for 6.5U1, SMB2 is supported.
https://docs.vmware.com/en/VMware-vSphere/6.5/rn/vsphere-esxi-651-release-notes.html

Yes, SMB2 is supported from 6.5u1 onward, but the initial SMB packet negotiation
request always happens over an SMB1 packet. If SMB2 is enabled on both AD and the
host, then the negotiation switches to SMB2; otherwise it negotiates through SMB
packets only.
So if SMB1 is disabled on the domain controller, then it would prevent the
initial packet negotiation, thus causing SMB packet drops and eventually domain
join failure with error ERROR_GEN_FAILURE.

From 6.7u2, we'll be supporting initial packet negotiation with SMB2 by default
instead of SMB1, thus disabling SMB1 completely.
============
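To make the negotiation sequence described above concrete, here is an added example (written for this post, not code from VMware, Likewise or the ESXi domain-join tooling) that builds the SMB1-framed NEGOTIATE request a pre-6.7u2 client sends first and the SMB2-framed request 6.7u2 moves to, parses both, and models how a DC with SMB1 disabled handles each. The header field values and dialect codes follow MS-CIFS/MS-SMB2; the DC decision logic is a simplified model of the behaviour VMware describes, not a capture from a real controller.

```python
import struct
# Added example, not code from the original post: builds and parses the SMB1-framed
# NEGOTIATE request a pre-6.7u2 ESXi host sends first, and the SMB2-framed form
# 6.7u2 moves to, then models (simplified) how a DC with SMB1 disabled treats each.
SMB1_MAGIC, SMB2_MAGIC = b"\xffSMB", b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72
# An SMB1-framed client advertises SMB2 with these dialect strings (MS-SMB2 3.2.4.2.2)
SMB1_FRAMED_DIALECTS = ["NT LM 0.12", "SMB 2.002", "SMB 2.???"]
SMB2_DIALECTS = [0x0202, 0x0210, 0x0300, 0x0302]  # MS-SMB2 dialect revision codes

def build_smb1_negotiate(dialects):
    """SMB1 NEGOTIATE request (MS-CIFS 2.2.4.52): 32-byte header + dialect list."""
    header = SMB1_MAGIC + struct.pack(  # Command, Status, Flags, Flags2, PIDHigh, Sig, Rsvd, TID, PID, UID, MID
        "<BIBHH8sHHHHH", SMB_COM_NEGOTIATE, 0, 0x18, 0xC853, 0, b"\0" * 8, 0, 0, 0, 0, 0)
    data = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    return header + struct.pack("<BH", 0, len(data)) + data  # WordCount=0, ByteCount

def build_smb2_negotiate(dialects):
    """SMB2 NEGOTIATE request (MS-SMB2 2.2.3): 64-byte header + 36-byte body + dialects."""
    header = SMB2_MAGIC + struct.pack(  # StructureSize=64, CreditCharge, Status, Command=0, ...
        "<HHIHHIIQIIQ16s", 64, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, b"\0" * 16)
    body = struct.pack("<HHHHI16sQ", 36, len(dialects), 1, 0, 0, b"\0" * 16, 0)
    return header + body + struct.pack("<%dH" % len(dialects), *dialects)

def parse_negotiate(packet):
    """Return (framing, dialects) for either NEGOTIATE form; raise on malformed input."""
    if packet.startswith(SMB1_MAGIC) and packet[4] == SMB_COM_NEGOTIATE:
        params_end = 33 + 2 * packet[32]  # skip WordCount and the parameter words
        byte_count = struct.unpack_from("<H", packet, params_end)[0]
        data = packet[params_end + 2:params_end + 2 + byte_count]
        if len(data) != byte_count:
            raise ValueError("truncated SMB1 dialect list")
        return "SMB1", [d[1:].decode("ascii") for d in data.split(b"\x00") if d[:1] == b"\x02"]
    if packet.startswith(SMB2_MAGIC) and struct.unpack_from("<H", packet, 12)[0] == 0:
        count = struct.unpack_from("<H", packet, 66)[0]  # DialectCount follows StructureSize
        return "SMB2", list(struct.unpack_from("<%dH" % count, packet, 100))
    raise ValueError("not a NEGOTIATE request")

def dc_negotiate(packet, smb1_enabled, smb2_enabled=True):
    """Model the DC: the protocol it would answer with, or None if the request is dropped."""
    framing, dialects = parse_negotiate(packet)
    if framing == "SMB1" and not smb1_enabled:
        return None  # SMB1-framed request dropped: the client ends with ERROR_GEN_FAILURE
    if smb2_enabled and (framing == "SMB2" or any(d.startswith("SMB 2.") for d in dialects)):
        return "SMB2"
    return "SMB1" if framing == "SMB1" and "NT LM 0.12" in dialects else None

if __name__ == "__main__":
    for smb1 in (True, False):  # 6.5u1-style request, then 6.7u2-style request, per DC setting
        print(smb1, dc_negotiate(build_smb1_negotiate(SMB1_FRAMED_DIALECTS), smb1), dc_negotiate(build_smb2_negotiate(SMB2_DIALECTS), smb1))
```

With SMB1 disabled on the DC the SMB1-framed request returns None (dropped) even though it advertises SMB2 dialects, while the SMB2-framed request still negotiates SMB2.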

We also tried the "preferred AD server" option, pointing at a server that already has SMB1 enabled, but we were still not able to join the domain and got the update below from VMware.

The "preferred server" option does not specifically imply that the connection will go through the server specified; it is just a reference in case it is among the servers reported.
It seems like our only option would be to enable SMB1 on the AD servers.

So, basically, we cannot join these hosts to the AD domain unless SMBv1 is enabled on the domain controllers. Otherwise, we need to wait for the 6.7 U2 release.

1 Response to 6.5u1 SMB1 issue which causes the AD authentication issue.

  1. Pingback: Bug in VCSA 6.5 U1U2 which failed with invalid credentials on AD authentication | Techbrainblog