
ESXi 4.1 Embedded (Installed on USB, SD, Flash) Does not allow Integrated Authentication to work. Error: gss_acquire_cred failed

I ran into a problem recently when configuring vMA for ESX/ESXi 4.1. I was able to join it, as well as the ESXi hosts, to the domain, but I was unable to log into the ESXi hosts with my AD credentials with either the vMA or the vSphere client. I double-checked that my AD account did have Administrator permissions on the hosts, but still I could not log in. I was given the following error by the vSphere Client, as well as the vMA console:

The interesting thing is this: if I manually specified which account to use, instead of checking the box to use the account I was logged in with, I could connect and perform the actions I wanted to do. If I checked the box, then I got the error: “gss_acquire_cred failed”. The same was true with vMA. If I used the --passthroughauth option the command would fail, but if I allowed vMA to prompt me for a username and password the command would succeed. Only Integrated Authentication between Windows and the VMware software was failing.

I did some research, and it turns out that when ESXi is installed on a USB drive, SD card, or flash memory, it does not automatically create Persistent Scratch space. This is the space that’s used to store temporary data, among other things. This lack of persistent scratch space was somehow affecting the login process, but only when trying to pass credentials from a Windows session and not by typing them in manually.

Here is how you can configure Persistent Scratch space on either local storage or a VMFS volume using the vSphere client:

  1. Connect to vCenter Server or the ESXi host using the vSphere Client.
  2. Select the ESXi host in the inventory.
  3. Click the “Configuration” tab.
  4. Click “Storage”.
  5. Right-click a datastore and select “Browse”.
  6. Create a uniquely-named directory for this ESX host (e.g. .locker-<ESXHostname>).
  7. Close the Datastore Browser.
  8. Click “Advanced Settings” under “Software”.
  9. Select the “ScratchConfig” section.
  10. Change the ScratchConfig.ConfiguredScratchLocation configuration option, specifying the full path to the directory. For example: /vmfs/volumes/DatastoreName/.locker-<ESXHostname>
  11. Click “OK”.
  12. Put the ESXi host in maintenance mode and reboot for the configuration change to take effect.

Once the host is rebooted you’ll be able to use vMA with the --passthroughauth flag, or log in by checking the box on the vSphere client to use the account you’re already logged in with. To read more about this, check out this link to VMware’s KB1033696.
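
The same check and change can be scripted from the ESXi shell with `vim-cmd hostsvc/advopt`. This is an added example, not part of the original post or the KB article. The function names, the layout of the constructed sample output, and the treatment of `/tmp/scratch` as the non-persistent ramdisk default are assumptions of this example.

```shell
# Constructed sample of `vim-cmd hostsvc/advopt/view` output (assumed layout),
# used only when vim-cmd is absent so the script can be tried offline.
SAMPLE='(vim.option.OptionValue) [
   (vim.option.OptionValue) {
      key = "ScratchConfig.CurrentScratchLocation",
      value = "/tmp/scratch",
   }
]'

# Pull the quoted value field out of an option dump read on stdin.
opt_value() {
    sed -n 's/.*value = "\([^"]*\)".*/\1/p'
}

# Assumption: without persistent scratch the host falls back to the
# /tmp/scratch ramdisk; a path under /vmfs/volumes/ survives a reboot.
scratch_is_persistent() {
    case "$1" in
        /vmfs/volumes/?*) return 0 ;;
        *) return 1 ;;
    esac
}

# Per-host directory, following the post's .locker-<ESXHostname> convention.
scratch_dir() {  # $1 = datastore name, $2 = host name
    printf '/vmfs/volumes/%s/.locker-%s\n' "$1" "$2"
}

# Steps 6 and 10 of the procedure; maintenance mode and a reboot still follow.
configure_scratch() {  # $1 = datastore name, $2 = host name
    dir=$(scratch_dir "$1" "$2")
    mkdir -p "$dir" || return 1
    vim-cmd hostsvc/advopt/update ScratchConfig.ConfiguredScratchLocation string "$dir"
}

# Report the scratch location currently in use on this host.
report_scratch() {
    if command -v vim-cmd >/dev/null 2>&1; then
        cur=$(vim-cmd hostsvc/advopt/view ScratchConfig.CurrentScratchLocation | opt_value)
    else
        cur=$(printf '%s\n' "$SAMPLE" | opt_value)
    fi
    scratch_is_persistent "$cur" && echo "persistent: $cur" || echo "NOT persistent: $cur"
}

report_scratch
```

Run `report_scratch` before and after the reboot to confirm the host has actually moved off the ramdisk; `configure_scratch DatastoreName <ESXHostname>` only sets the configured location.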