Joining ESXi hosts to AD using Authentication Proxy in vCenter 7 (updated 04-12-2020)
When you want to use named accounts for managing your ESXi hosts, you can join your hosts to Active Directory. So you go to the host in vCenter, click on Configure, Authentication Services, and click on Join Domain… There you can enter the name of the Active Directory domain and the credentials for joining the host to AD. But what if you need to do that for more than 150 hosts?
You can use a Host Profile and configure the domain settings in that profile. But if you want a method for which you don’t have to enter credentials, you must use the option “Use vSphere Authentication Proxy to add the host to domain”. So the first step is to configure the vSphere Authentication Proxy.
The vSphere Authentication Proxy is a service that is automatically installed on a vCenter 7 appliance, but it is not running by default. Open the VAMI of the appliance and go to the Services section. Select the VMware vSphere Authentication Proxy service, and click on Start.
You might have noticed that the Startup Type of the service is Manual and there is no option to change it to Automatic. Well, not in the GUI. But you can change it on the command line.
Start an SSH session to the appliance and type the following command.
vmon-cli --status vmcam
You can see that the service is started but the Starttype is MANUAL. Now type the next command.
vmon-cli --starttype AUTOMATIC --update vmcam
The Starttype should now be changed. You can check that by entering the first command once more.
vmon-cli --status vmcam
Now the service is started and will automatically start when the appliance is rebooted.
Now you can configure the Authentication Proxy.
Open the vSphere Client, select your vCenter and click on Configure, Authentication Proxy. Then click on Edit.
Enter the credentials of an AD account. I gave this account Full Control permissions on all Computer objects in AD. This works for me but you could limit this to the default Computers container in AD.
Now you might think you’re ready for joining your host to AD but I had to import the certificate of the proxy to the ESXi host first. However, I’m not sure if this is a prerequisite for every environment.
You can find the certificate on the appliance in the folder /var/lib/vmware/vmcam/ssl. The file name is rui.crt. Save this file to a location that is accessible for your host.
Now go to the host in vCenter, click on Configure, Authentication Services, and click on Import Certificate.
As you can see I saved the certificate on a datastore DS-iSCSI1 and in a folder temp. The IP address is the IP address of my vCenter appliance.
Now you can join the host to the domain…
The only thing you need is the name of the domain and the IP address of the vCenter Authentication Proxy…
If you want your hosts to be added in a specific OU inside Active Directory, you can specify the Domain as <domain>/<OU>/<OU>.
I tried the above steps at a customer site, but joining a host to AD using the Authentication Proxy didn’t work. However, when I tried to join the host directly to AD it did work. So for some reason the Authentication Proxy was not doing its job.
I looked at the log file (/var/log/vmware/vmcamd/vmcamd-syslog.log) and I saw the following error:
Exceptions in CAMAdapterMainLoop: SSL Exception: Verification parameters: PeerThumbprint: C6:A2:0B:3F:8F:BF:38:C1:DA:5A:AA:46:DD:5C:99:AA:26:FF:F2:7E ExpectedThumbprint: FB:95:60:97:05:9D:AC:CD:9F:16:A3:7B:B8:E1:51:77:92:DA:81:B1 ExpectedPeerName: <vCenter host name> The remote host certificate has these problems: self signed certificate in certificate chain
The PeerThumbprint was the thumbprint of the SSL certificate of the vCenter appliance. So for some reason, the ExpectedThumbprint was different. I believe this is because the SSL certificate of the vCenter appliance was changed.
The thumbprint of the vCenter certificate is stored in the file /var/lib/vmware/vmcam/ssl/vcthumbprint. After I changed the thumbprint in this file and restarted the vCenter Authentication Proxy service the error was gone.
But I still could not use the Authentication Proxy. However, the error I now received was a bit different. In the hostd.log of the host (/var/log/hostd.log) I got this error:
error hostd CamHttpQueryDomainInfo: 1460 --> error hostd vmwauth Exception: Exception 0x0000274c: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
So now the Authentication Proxy is working but cannot be contacted by the host. The reason for this? A missing firewall rule!
If you go to https://configmgr.nl/2020/11/19/network-port-diagram-vsphere/ and search for “Authentication Proxy” you can see that the Authentication Proxy uses port 51915. And this port was not opened in the firewall… After adding a rule every issue was solved!
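The two failures described above (a stale vcthumbprint file, and the proxy port being blocked) can be checked from a script before you start joining 150 hosts. The following is an added example, not code from the original post or from VMware; it assumes only what the post states: vmcamd logs a PeerThumbprint/ExpectedThumbprint pair on a mismatch, the expected value is stored in /var/lib/vmware/vmcam/ssl/vcthumbprint, and ESXi hosts reach the proxy on TCP port 51915. The PEM in the block is a constructed stand-in (its "DER" body is just the bytes "abc"), and the host name in the sample log line is a placeholder; a real certificate saved from the appliance works the same way.

```python
"""Diagnose the two vSphere Authentication Proxy failures described above.

Added example; not part of the original post or of VMware's tooling. It assumes
only what the post states: vmcamd logs PeerThumbprint/ExpectedThumbprint on a
mismatch, the expected value lives in /var/lib/vmware/vmcam/ssl/vcthumbprint,
and ESXi hosts reach the proxy on TCP 51915.
"""
import base64
import hashlib
import re
import socket
from typing import Optional

VCTHUMBPRINT_PATH = "/var/lib/vmware/vmcam/ssl/vcthumbprint"  # path from the post
PROXY_PORT = 51915                                             # port from the post

# Constructed stand-in, NOT a real certificate: the base64 body decodes to
# b"abc", so the SHA-1 thumbprint is the well-known hash of "abc".
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""

# Log line quoted in the post; the host name is a placeholder.
SAMPLE_LOG = ("Exceptions in CAMAdapterMainLoop: SSL Exception: Verification parameters: "
              "PeerThumbprint: C6:A2:0B:3F:8F:BF:38:C1:DA:5A:AA:46:DD:5C:99:AA:26:FF:F2:7E "
              "ExpectedThumbprint: FB:95:60:97:05:9D:AC:CD:9F:16:A3:7B:B8:E1:51:77:92:DA:81:B1 "
              "ExpectedPeerName: vcenter.example.local The remote host certificate has these "
              "problems: self signed certificate in certificate chain")

# 20 colon-separated upper-case hex bytes, the form vmcamd prints.
THUMB_RE = re.compile(r"[0-9A-F]{2}(?::[0-9A-F]{2}){19}")


def pem_sha1_thumbprint(pem: str) -> str:
    """SHA-1 fingerprint of the DER body of a PEM certificate, formatted the
    way vmcamd prints it (same as `openssl x509 -noout -fingerprint -sha1`)."""
    body = "".join(line.strip() for line in pem.splitlines()
                   if line.strip() and not line.startswith("-----"))
    der = base64.b64decode(body)
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def parse_vmcamd_mismatch(line: str) -> Optional[dict]:
    """Pull PeerThumbprint/ExpectedThumbprint out of a vmcamd SSL exception.
    Returns None when the line is not such a mismatch."""
    peer = re.search(r"PeerThumbprint:\s*(\S+)", line)
    expected = re.search(r"ExpectedThumbprint:\s*(\S+)", line)
    if not (peer and expected):
        return None
    p, e = peer.group(1).upper(), expected.group(1).upper()
    return {"peer": p, "expected": e, "mismatch": p != e}


def diagnose_thumbprint(stored: str, cert_pem: str) -> str:
    """Compare the thumbprint stored in vcthumbprint with the thumbprint of the
    certificate vCenter actually presents (the mismatch in the post)."""
    actual = pem_sha1_thumbprint(cert_pem)
    stored = stored.strip().upper()
    if not THUMB_RE.fullmatch(stored):
        return "vcthumbprint is not a SHA-1 thumbprint: %r" % stored
    if stored == actual:
        return "vcthumbprint matches the vCenter certificate"
    return ("vcthumbprint is stale: stored %s, certificate is %s; "
            "update the file and restart the vmcam service" % (stored, actual))


def proxy_port_reachable(host: str, port: int = PROXY_PORT, timeout: float = 3.0) -> bool:
    """TCP reachability check for the proxy port: the host-side symptom from the
    post (hostd's 'connected party did not properly respond') is a blocked port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    found = parse_vmcamd_mismatch(SAMPLE_LOG)
    print("log says:", found)
    # In practice: open(VCTHUMBPRINT_PATH).read() and the appliance certificate.
    print(diagnose_thumbprint(found["expected"], SAMPLE_PEM))
    print("proxy port open from this machine:",
          proxy_port_reachable("vcenter.example.local"))
```

On a real appliance, feed `diagnose_thumbprint` the contents of the vcthumbprint file and the certificate the appliance presents on port 443; run `proxy_port_reachable` from a host's network, not from the appliance itself, since a local check says nothing about the firewall in between.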