How to login to VMware vSphere client with Windows session credentials
Need some help here, please. I logged in to vSphere as root and manually created a username matching my Windows domain username and password, but it didn’t work. Also tried setting it as «Domain\Username» but that didn’t work either. I’ve found these VMware articles, but they haven’t helped:
N/A, the only web client I can see is the start page (IP of the ESXi server, with https:// prefix)
Again, we have no web-client to speak of.
The code referenced in VpxClient.exe.config file does not exist. Instructions are obsolete with current version, I suspect.
Where have I gone wrong?
So I found I had to reboot my host after adding it to the domain to get it to see the domain controllers.There may be specific services you just need to restart but I don’t know them so I just rebooted it when no one was in the office. After that you should see domain controllers listed under authentication services in the client and in the drop down in permissions. It may be possible that you can add domain users without needing to reboot, I didn’t try. Just type in the Users box for permissions using DOMAIN\user format and it works for me. The browser doesn’t seem to see many of the accounts.
Also check your DNS pointers. Joining it to the domain did not create DNS entries like it normally should and these are required from what I can tell to use the windows session.
After you reboot though, even if you don’t get the windows session thing to work DOMAIN\user in the user field and your AD password will log you into the client
I’ve used the SanDisk and the Kingston and didn’t have any issues.
I have used a couple different ones, SanDisk, Verbatim.
16 Replies
idk if this helps, but our hosts are not on the domain so that’s why you cant get to them through vsphere w/ domain credentials. If i use vsphere to get to them individually i have to use root or another local admin. If I get to our VC, that i can use domain creds but that’s a server on the domain so.
I dont think you can pass them through unless your hosts are on the domain.
Yes, just found this:
Are you trying to connect to the host or the vcenter server?
Nice find, I knew it had something to do with domain.
I am the only one that does any vmware related stuff here, but i suppose it’d still be nice of me to set this up.
Do you have the version?
But have you gone into vSphere Client then Configuration > Software > Authentication Services?
Are you trying to connect to the host or the vcenter server?
As far as I know, we don’t have vCenter server. We are using the free version of ESXi.
I’ve joined the ESXi host machine to our domain, but when I try to add permissions for my Domain Account, I can’t change from the local ESXi machine «(server)» to our Domain:
Are you trying to connect to the host or the vcenter server?
As far as I know, we don’t have vCenter server. We are using the free version of ESXi.
I’ve joined the ESXi host machine to our domain, but when I try to add permissions for my Domain Account, I can’t change from the local ESXi machine «(server)» to our Domain:
Do you have the version?
But have you gone into vSphere Client then Configuration > Software > Authentication Services?
ESXi 5.5, free licensed version. Just joined the hypervisor to the domain, yes.
You don’t want to create a logon manually if you plan to pull credentials from AD, because you’ll also want to use AD security groups to manage your access roles. The less you keep local to vSphere the better.
In the first article it describes resetting the connection to AD. After you did so and tested it, did you delete the local login that you created manually?
I deleted the local login, but I am stuck on this step (from the 1st link.
We don’t have a » vSphere Web Client» or if we do, I don’t know how to access it. The IP of the hypervisor only gives me the welcome page.
Just found out why I can’t use the web-client:
«Free ESXi vSphere Client is the only way to manage the ESXi host»
Is there any way to perform the steps in this VMware article in the vSphere Client instead of the web-client??
So I found I had to reboot my host after adding it to the domain to get it to see the domain controllers.There may be specific services you just need to restart but I don’t know them so I just rebooted it when no one was in the office. After that you should see domain controllers listed under authentication services in the client and in the drop down in permissions. It may be possible that you can add domain users without needing to reboot, I didn’t try. Just type in the Users box for permissions using DOMAIN\user format and it works for me. The browser doesn’t seem to see many of the accounts.
Also check your DNS pointers. Joining it to the domain did not create DNS entries like it normally should and these are required from what I can tell to use the windows session.
After you reboot though, even if you don’t get the windows session thing to work DOMAIN\user in the user field and your AD password will log you into the client
So I found I had to reboot my host after adding it to the domain to get it to see the domain controllers.There may be specific services you just need to restart but I don’t know them so I just rebooted it when no one was in the office. After that you should see domain controllers listed under authentication services in the client and in the drop down in permissions. It may be possible that you can add domain users without needing to reboot, I didn’t try. Just type in the Users box for permissions using DOMAIN\user format and it works for me. The browser doesn’t seem to see many of the accounts.
Also check your DNS pointers. Joining it to the domain did not create DNS entries like it normally should and these are required from what I can tell to use the windows session.
After you reboot though, even if you don’t get the windows session thing to work DOMAIN\user in the user field and your AD password will log you into the client
Thank you, rebooting the ESXi server did the trick. I was not able to just tick the «use Windows session credentials» box and login, but typing my Domain username & password worked. I had pre-made the «ESX Admins» group (via instructions on another site) and the server found that group and added the permissions for it as Administrators, I didn’t even have to manually do it.
I’m still getting this one error, and this is likely what is preventing the tick-box from working: Call «UserDirectory.RetrieveUserGroups» for object «ha-user-directory» on ESXi «(host IP here)» failed. Any last ideas on this? I can live with it if I have to, but I’m a purist. 🙂
So I found I had to reboot my host after adding it to the domain to get it to see the domain controllers.There may be specific services you just need to restart but I don’t know them so I just rebooted it when no one was in the office. After that you should see domain controllers listed under authentication services in the client and in the drop down in permissions. It may be possible that you can add domain users without needing to reboot, I didn’t try. Just type in the Users box for permissions using DOMAIN\user format and it works for me. The browser doesn’t seem to see many of the accounts.
Also check your DNS pointers. Joining it to the domain did not create DNS entries like it normally should and these are required from what I can tell to use the windows session.
After you reboot though, even if you don’t get the windows session thing to work DOMAIN\user in the user field and your AD password will log you into the client
Thank you, rebooting the ESXi server did the trick. I was not able to just tick the «use Windows session credentials» box and login, but typing my Domain username & password worked. I had pre-made the «ESX Admins» group (via instructions on another site) and the server found that group and added the permissions for it as Administrators, I didn’t even have to manually do it.
Can’t login using Windows Session Credentials – VCSA (vSphere 6)
Quite a few things seem to have changed with the VCSA in vSphere 6. The most obvious change is that the appliance is no longer deployed as an OVA / OVF template but rather from an ISO image.
As part of deploying the ISO, you’ll be prompted to put in your settings for the vCenter before it’s even powered on. This can be quite tricky to get right the first time – so make sure you have created the relevant DNS records on your DNS servers and configured your VM network on the chosen host for initial deployment.
Setting up SSO for your Windows Domain is exactly the same, however when ticking the “Use Windows Session Credentials” box you will see the following error:
“Window session credentials cannot be used to log into this server. Enter a user name and password”
There are already various guides which point you to the /etc/nsswitch.conf file. This needs to be edited using VI on the VCSA itself. To do so, open a console to the VCSA and enable SSH and BASH Shell by going to Troubleshooting Mode Options.
Open an SSH session to your appliance using a remote terminal application of your choice (I use good old PuTTY).
NOTE: If you see Command> on the prompt, you’ll need to move into Shell mode by typing “shell” and pushing enter.
We’re about to edit the nsswitches.conf file – make sure you know how to edit and save changes before you start.
Use the following command to edit the conf file:
vi /etc/nsswitch.conf
Once in the file, push to go into Edit / Insert mode.
At the end of the passwd: compat ato line, add lsass.
Push ESC to exit Insert mode, then semi colon : to issue your next command. In this case, we want to write changes and exit the file – wq.
Confusingly – according to VMware, if the word lsass is already present, you should remove it.
At this point, logging into the server using Windows Session Credentials still won’t work. You now need to add the VCSA to the domain, which was previously done from the vCenter Appliance Management Interface (VAMI).
To join the VCSA to the domain, you need to log into the Web Client (https:// [VCSA IP or hostname]/vsphere-client
Go to Administration from the home page:
Go to System Configuration:
Click Nodes -> Choose your VCSA, click Manage and then Active Directory:
On the right, you’ll see you can either Join or Leave a domain, note mine is greyed out as the VCSA has already joined the domain:
Once done, you’ll need to reboot your appliance for the changes to take effect.
You will now be able to log onto the vCenter using Windows Session credentials, provided the account you’re using has permissions to access the vCenter.