Problem Statement
After upgrading to vCenter 5.1 and ESXi 5.1 U1, Active Directory authentication to an ESXi Host no longer works. When using the vSphere Client, the error message ‘cannot complete login due to incorrect user name or password’ is received.
Quick Checks
1. Single Sign On checked, LDAP Active Directory authentication source working for vCenter and another ESXi Host.
2. Permissions checked, ‘Administrators’ Active Directory Security Group applied to vCenter and permissions propagated to child objects.
3. Authentication Services, Active Directory being used and Computer Object is valid.
Troubleshooting Steps
I tried to remove the host from Active Directory and re-authenticate. Hosts and Clusters > Host > Settings > Manage > Authentication Services
An error message appeared stating that ‘the user or group named VMFOCUS\domain^admins does not exist’.
The Permissions tab on the affected ESXi Host didn’t show a VMFOCUS\domain^admins group.
I added the VMFOCUS\Domain Admins group to the top level and inherited permissions. Another quick try and I wasn’t able to log in to the ESXi Host using the vSphere Client.
This time the Leave Domain setting worked. Plus I also deleted the Computer Object for my ESXi Host from Active Directory.
Next, I rejoined the Domain and tried to log in directly to the ESXi Host using Active Directory credentials, which again failed.
Resolution
I added the Domain Admins group directly to the ESXi Host.
When using the vSphere Client I deselected ‘Use Windows session credentials’ and manually entered Administrator and was able to log in successfully!
Simple when you know what is causing the issue.