How to get "Use Windows session" Checkbox to work in VCSA6

You've just installed vSphere 6 vCenter Server Appliance (VCSA) and want to use the "Use Windows session authentication/credentials" checkbox like you know it from the vCenter Server running on a Windows Server?

You've already added an Active Directory as Identity source, and you can login with AD users, but the "Use Windows session authentication/credentials" still does not work?

You see the following error messages in the vSphere Client:
Windows session credentials cannot be used to log into this server.

Or in the vSphere Web Client (If the checkbox is greyed out, install the Client Integration Plugin from the bottom of the login page):
Incorrect username/password

This post explains how to get the "Use Windows session" checkbox to work.

To properly handle sessions, the vCenter Server Appliance has to be joined to the Active Directory, like you would do with Windows member servers. This applies to both deployment scenarios - vCenter with embedded PSC and vCenter with external PSC. All systems (or nodes) must be part of the Active Directory.

  1. Open vSphere Web Client (https://[vcenter]/vsphere-client)
  2. Login as Single Sign-On Administrator (Password set during installation)
  3. Navigate to Administration > Deployment > System Configuration
  4. Open Nodes and select your system
  5. Navigate to Manage > Advanced > Active Directory
  6. Click Join...
  7. Enter AD domain information
  8. Press OK
  9. Repeat steps 4-8 for all nodes
  10. Reboot the Appliance

If this does not work for any reason, you can also join the Active Directory from the command line:

  1. SSH to your VCSA (Hint: If SSH is disabled: vSphere Web Client > Administration > System Configuration > Nodes > Manage > Settings > Access > Enable SSH)
  2. Login as root
  3. Launch BASH
    Command> shell.set --enabled True
    Command> shell
  4. Join the Active Directory Domain (domainjoin-cli join [domain] [domain admin])
    # /opt/likewise/bin/domainjoin-cli join virten.lab administrator
  5. Reboot the Appliance

Depending on your Active Directory configuration there might be an issue with the NSS configuration. If you still can't "Use Windows session credentials", try to enable Local Security Authority Subsystem Service (LSASS) in the NSS configuration:

  1. SSH to your VCSA
  2. Login as root
  3. Open the /etc/nsswitch.conf file using a text editor
  4. Locate the passwd: compat ato entry
  5. Replace it with passwd: compat ato lsass
  6. Reboot the Appliance
  7. If it does not work, wait 15 minutes and try again
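
The nsswitch.conf edit from steps 3-5 can be scripted so that it is repeatable and keeps a backup. This is an added example, not part of the original post; the function name `add_lsass_to_passwd` and the `.bak`/`.tmp` suffixes are assumptions.

```shell
#!/bin/sh
# Added example: idempotently append "lsass" to the passwd: entry of an
# nsswitch.conf file. Function name and file suffixes are hypothetical.
# Usage on the appliance: add_lsass_to_passwd /etc/nsswitch.conf

add_lsass_to_passwd() {
    conf="${1:-/etc/nsswitch.conf}"

    # Refuse to edit a file that has no passwd: entry at all.
    if ! grep -Eq '^[[:space:]]*passwd:' "$conf"; then
        echo "no passwd: entry in $conf" >&2
        return 2
    fi

    # lsass already listed (outside any trailing comment): nothing to do.
    if grep -Eq '^[[:space:]]*passwd:[^#]*[[:space:]]lsass([[:space:]]|#|$)' "$conf"; then
        echo "lsass already present in $conf"
        return 0
    fi

    # Keep the original, preserving mode and timestamps, before editing.
    cp -p "$conf" "$conf.bak" || return 1

    # Only the passwd: line is changed. lsass is placed before a trailing
    # "# comment" if there is one, then trailing whitespace is trimmed.
    sed -E \
        -e '/^[[:space:]]*passwd:/ s/^([^#]*[^#[:space:]])[[:space:]]*(#.*)?$/\1 lsass \2/' \
        -e '/^[[:space:]]*passwd:/ s/[[:space:]]+$//' \
        "$conf.bak" > "$conf.tmp" || return 1

    # Write through the existing file so its owner and mode are unchanged.
    cat "$conf.tmp" > "$conf" && rm -f "$conf.tmp"
}
```

If the change has to be undone, copy the `.bak` file back over the original and reboot the appliance.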

 

  1. Amazingly helpful!!! Thanks so much for this article!!! I was informed by EMC professional services that this wasn't possible and a VMware KB states this is a "known issue" with no resolution since 2015.
    https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2119332

    If VMware isn't paying you fgrehl, they should be.

  2. I can confirm that this procedure was required for IWA (Integrated Windows Authentication) to work with the Web client with VCSA version 6.5 as well. vSphere 6.5 deprecated the use of the vSphere client and it is Web Client access only.

    Thanks for your help!
