How to get “Use Windows session” Checkbox to work in VCSA6

You’ve just installed the vSphere 6 vCenter Server Appliance (VCSA) and want to use the “Use Windows session authentication/credentials” checkbox the way you know it from vCenter Server running on a Windows Server?

You’ve already added an Active Directory as an identity source, and you can log in with AD users, but “Use Windows session authentication/credentials” still does not work?

You see the following error messages in the vSphere Client:
Windows session credentials cannot be used to log into this server.

Or in the vSphere Web Client (If the checkbox is greyed out, install the Client Integration Plugin from the bottom of the login page):
Incorrect username/password

This post explains how to get the “Use Windows session” checkbox to work.

To properly handle sessions, the vCenter Server Appliance has to be joined to the Active Directory, like you would do with Windows member servers. This applies to both deployment scenarios – vCenter with embedded PSC and vCenter with external PSC. All systems (or nodes) must be part of the Active Directory.

  1. Open vSphere Web Client (https://[vcenter]/vsphere-client)
  2. Log in as Single Sign-On Administrator (Password set during installation)
  3. Navigate to Administration > Deployment > System Configuration
  4. Open Nodes and select your system
  5. Navigate to Manage > Advanced > Active Directory
  6. Click Join…
  7. Enter AD domain information
  8. Press OK
  9. Repeat Step 4-8 for all nodes
  10. Reboot the Appliance

If this does not work for any reason, you can also join the Active Directory from the command line:

  1. SSH to your VCSA (Hint: If SSH is disabled: vSphere Web Client > Administration > System Configuration > Nodes > Manage > Settings > Access > Enable SSH)
  2. Log in as root
  3. Launch BASH
    Command> shell.set --enabled True
    Command> shell
  4. Join the Active Directory Domain (domainjoin-cli join [domain] [domain admin])
    # /opt/likewise/bin/domainjoin-cli join virten.lab administrator
  5. Reboot the Appliance

Depending on your Active Directory configuration there might be an issue with the NSS configuration. If you still can’t “Use Windows session credentials”, try to enable Local Security Authority Subsystem Service (LSASS) in the NSS configuration:

  1. SSH to your VCSA
  2. Log in as root
  3. Open the /etc/nsswitch.conf file using a text editor
  4. Locate the passwd: compat ato entry
  5. Replace it with passwd: compat ato lsass
  6. Reboot the Appliance
  7. If it does not work, wait 15 minutes and try again
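
A way to script steps 3 to 5 so the edit is backed up first and safe to repeat. This is an added example, not part of the original post; the function names are hypothetical, and it generalizes the replacement by appending lsass to whatever sources the passwd: entry already lists:

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.
# Appends "lsass" to the passwd: entry of an nsswitch.conf-style file, once.

# Succeeds if the passwd: entry already lists lsass as a source.
nss_passwd_has_lsass() {
    awk '$1 == "passwd:" {
             for (i = 2; i <= NF; i++) {
                 if ($i ~ /^#/) break          # ignore a trailing comment
                 if ($i == "lsass") found = 1
             }
         }
         END { exit !found }' "$1"
}

# Back up the file, then add lsass to the first passwd: entry.
enable_lsass_nss() {
    conf=$1
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 2; }
    grep -Eq '^[[:space:]]*passwd:[[:space:]]' "$conf" ||
        { echo "no passwd: entry in $conf" >&2; return 3; }
    if nss_passwd_has_lsass "$conf"; then
        echo "passwd: entry already lists lsass, nothing to do"
        return 0
    fi
    cp -p "$conf" "$conf.bak" || return 1      # keep the original for rollback
    # Rewrite in place from the backup so owner and mode of $conf are kept.
    awk '$1 == "passwd:" && !seen {
             seen = 1; head = $0; tail = ""
             n = index($0, "#")
             if (n) { head = substr($0, 1, n - 1); tail = " " substr($0, n) }
             sub(/[ \t]+$/, "", head)          # drop trailing blanks
             print head " lsass" tail
             next
         }
         { print }' "$conf.bak" > "$conf"
    # Roll back if the result is not what we expect.
    nss_passwd_has_lsass "$conf" || { cp -p "$conf.bak" "$conf"; return 1; }
    echo "updated $conf (backup: $conf.bak); reboot the appliance to apply"
}

# Run against a file only when one is named: sh script.sh /etc/nsswitch.conf
[ "$#" -eq 0 ] || enable_lsass_nss "$1"
```

If the login still fails after the reboot, the untouched original is in the .bak file next to the edited one.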

Credit to: fgrehl


