Error invoking Active Directory tools while adding the Vmware Identity Appliance to a Windows Domain (SKKB1013)

Introduction

In this post we will look at a common issue you might experience when trying to add/join a VMware Identity Appliance (IDA) to a Windows domain: the join fails with the error [Error invoking Active Directory tools.]


Lab Environment

The following environment has been used in all of the examples below:

  • Active Directory Domain called vmware.com
  • Windows Server 2012 R2 (with FQDN lan1dc1.vmware.com)
    • Domain Controller
    • DNS Server
    • PowerShell v4 Host
    • .NET 4 Framework installed (4.0.30319)
  • Windows Server 2012 R2 (with FQDN lan2dc1.support.vmware.com)
    • Domain Controller
    • DNS Server
    • PowerShell v4 Host
    • .NET 4 Framework installed (4.0.30319)
  • Windows Server 2008 R2 SP1 (with FQDN lan1dm1.vmware.com)
    • Domain Member
    • PowerShell v3 Host
    • .NET 4 Framework installed (4.0.30319)
  • vCO 5.5.1.0 Virtual Appliance (with FQDN vco-a-01.vmware.com)
    • vCO PowerShell Plugin installed (version 1.0.6.2283945)
  • NSX Manager 6.1.0 Virtual Appliance (with FQDN nsxmgr-a-01.vmware.com)

The full lab logical design can be seen HERE.


Error

In this case when you try to join the domain you receive an error:

Error invoking Active Directory tools.

In this case your domain controllers might be Windows Server 2008 (R2) or Windows Server 2012 (R2).
If you SSH to the IDA and check the messages log you will see output similar to the following:

# ida-a-03:/var/log # cat messages
2015-01-06T13:14:34+02:00 ida-a-03 lsassd[2907]: 0x7fd845338700:Failed to run provider specific request (request code = 8, provider = 'lsa-activedirectory-provider') -> error = 31, symbol = ERROR_GEN_FAILURE, client pid = 13449
2015-01-06T13:15:40+02:00 ida-a-03 lsassd[2907]: 0x7fd845338700:Failed to run provider specific request (request code = 8, provider = 'lsa-activedirectory-provider') -> error = 31, symbol = ERROR_GEN_FAILURE, client pid = 13652
2015-01-06T13:16:23+02:00 ida-a-03 lsassd[2907]: 0x7fd845338700:Failed to run provider specific request (request code = 8, provider = 'lsa-activedirectory-provider') -> error = 31, symbol = ERROR_GEN_FAILURE, client pid = 13810
2015-01-06T13:17:03+02:00 ida-a-03 syslog-ng[1090]: Log statistics; dropped='pipe(/dev/xconsole)=0', dropped='pipe(/dev/tty10)=0', processed='center(queued)=602', processed='center(received)=433', processed='destination(messages)=430', processed='destination(mailinfo)=2', processed='destination(mailwarn)=1', processed='destination(authlog)=9', processed='destination(localmessages)=8', processed='destination(newserr)=0', processed='destination(mailerr)=0', processed='destination(warn)=50', processed='destination(netmgm)=0', processed='destination(cron)=1', processed='destination(console)=49', processed='destination(null)=0', processed='destination(mail)=3', processed='destination(xconsole)=49', processed='destination(firewall)=0', processed='destination(acpid)=0', processed='destination(newscrit)=0', processed='destination(newsnotice)=0', processed='source(src)=433'
2015-01-06T13:19:10+02:00 ida-a-03 vami /opt/vmware/share/htdocs/service/sso/config-page.py: info Processing request
2015-01-06T13:19:10+02:00 ida-a-03 vami /opt/vmware/share/htdocs/service/sso/config-page.py: info Authenticating with sfcb server.
2015-01-06T13:19:10+02:00 ida-a-03 vami /opt/vmware/share/htdocs/service/sso/config-page.py: info user:root
2015-01-06T13:19:10+02:00 ida-a-03 vami /opt/vmware/share/htdocs/service/sso/config-page.py: info Authenticated user: root successfully
2015-01-06T13:19:10+02:00 ida-a-03 vami /opt/vmware/share/htdocs/service/sso/config-page.py: info locale=en-US, id=adJoin, action=submit, controller=<type 'instance'>
2015-01-06T13:19:10+02:00 ida-a-03 lsassd[2907]: 0x7fd845338700:Failed to run provider specific request (request code = 12, provider = 'lsa-activedirectory-provider') -> error = 2692, symbol = NERR_SetupNotJoined, client pid = 14073
2015-01-06T13:19:10+02:00 ida-a-03 vami /opt/vmware/share/htdocs/service/sso/config-page.py: info Executing shell command...
2015-01-06T13:19:41+02:00 ida-a-03 lsassd[2907]: 0x7fd845338700:Failed to run provider specific request (request code = 8, provider = 'lsa-activedirectory-provider') -> error = 31, symbol = ERROR_GEN_FAILURE, client pid = 14204
2015-01-06T13:19:41+02:00 ida-a-03 vami /opt/vmware/share/htdocs/service/sso/config-page.py: ERROR Error processing request: Error invoking Active Directory tools.
2015-01-06T13:19:41+02:00 ida-a-03 vami /opt/vmware/share/htdocs/service/sso/config-page.py: ERROR {}


Cause

As will be shown later in this post, the IDA tries to open two SMBv1 connections to the Windows Active Directory domain controller; when the domain controller does not accept SMBv1, the join fails with the error above.


Workaround

I’m calling this section Workaround as I cannot accept this as a production environment solution, but I haven’t found yet why the IDA appliance needs SMBv1 or a better way to make things work.

Windows Server 2008 and Windows Server 2012 ship with SMBv2 and SMBv3 respectively enabled, and with SMBv1 installed but deactivated.

Our goal is not only to activate SMBv1 but also to make the SMBv1 service load under the Windows Server service (the LanmanServer service). The LanmanServer registry subkey stores the configuration data for the LAN Manager 2.x Server service, and that Server service is what Samba clients talk to.
As I haven’t found an official way to enable the SMBv1 functionality on Windows Server 2012 R2 (only on R1), things are a bit more complicated.

If you are using a version of Windows between Windows Server 2008 R1 and Windows Server 2012 R2, check the following article on how to enable SMBv1.

How to enable and disable SMBv1, SMBv2, and SMBv3 in Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, and Windows Server 2012
http://support.microsoft.com/kb/2696547

If you still receive the error, proceed further with changing the LanmanServer registry key as described below.

So, back to my Windows Server 2012 R2 environment. I first need to make the LanmanServer service depend on the Srv service (the SMBv1 service); by default it depends only on Srv2 (the SMBv2 service).

To check the current dependencies you can look straight in the registry under:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\DependOnService

I will change the DependOnService value to Srv instead of Srv2. This still allows SMBv2 communication, because the Srv service itself depends on the Srv2 service.

Now, if you have never used the Windows Server 2008 R1 command [Set-SmbServerConfiguration -EnableSMB1Protocol] to enable or disable SMBv1 on the Windows Server 2012 R2 server, you will not find the SMB1 key under:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\SMB1

In my case I have obviously run the command, so the key is present.
You will also not find the EnableSMB1Protocol and EnableSMB2Protocol values listed when you run the PS command:

PS> Get-SmbServerConfiguration

If this is the case, i.e. you cannot find the SMB1 registry key or the EnableSMB1Protocol value, just reboot the server. Changing the LanmanServer service dependencies should be enough in this case.

After reboot you should be able to add the Identity appliance to the domain.

If this is not the case, i.e. you can find the SMB1 registry key and/or the EnableSMB1Protocol value, you must run the following command to make sure these are set accordingly. This enables SMBv1:

PS> Set-SmbServerConfiguration -EnableSMB1Protocol $true

You should now see the SMB1 registry key and the EnableSMB1Protocol value, as shown in the screenshots above.

Reboot the server. After reboot you should be able to add the Identity appliance to the domain.
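The whole procedure above in one script, as an added PowerShell example that is not from the original post: it records the current LanmanServer dependency list before touching it (so the change can be reverted once the appliance no longer needs SMBv1), swaps Srv2 for Srv, checks whether SMB1 has ever been configured explicitly, and only in that case runs Set-SmbServerConfiguration. The registry paths and cmdlets are the ones named in the post; reading Parameters\SMB1 as a value under the Parameters key is an assumption, and the script does not reboot for you.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell
# session on the Windows Server 2012 R2 domain controller, then reboot it.

$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer'
$params = "$svcKey\Parameters"

# 1. Record the current dependency list (REG_MULTI_SZ) so the change can be
#    reverted later. Default on this platform is Srv2 only, per the post.
$before = @((Get-ItemProperty -Path $svcKey -Name DependOnService).DependOnService)
Write-Output "LanmanServer DependOnService before: $($before -join ', ')"

# 2. Replace Srv2 (SMBv2) with Srv (SMBv1). Srv itself depends on Srv2, so
#    SMBv2 communication keeps working.
$after = @($before | Where-Object { $_ -ne 'Srv2' }) + 'Srv' | Select-Object -Unique
Set-ItemProperty -Path $svcKey -Name DependOnService -Value ([string[]]$after) -Type MultiString
Write-Output "LanmanServer DependOnService after:  $((Get-ItemProperty -Path $svcKey -Name DependOnService).DependOnService -join ', ')"

# 3. Has SMB1 ever been configured explicitly on this server? The post says the
#    SMB1 entry under Parameters and the EnableSMB1Protocol property only appear
#    once Set-SmbServerConfiguration -EnableSMB1Protocol has been run.
#    Assumption: SMB1 is read here as a value under the Parameters key.
$smb1Value = (Get-ItemProperty -Path $params -ErrorAction SilentlyContinue).SMB1
$cfg       = Get-SmbServerConfiguration
$hasProp   = $null -ne $cfg.PSObject.Properties['EnableSMB1Protocol']

if ($null -eq $smb1Value -and -not $hasProp) {
    Write-Output 'SMB1 never configured explicitly: the dependency change alone should be enough. Reboot the server.'
} else {
    # SMB1 was configured before (possibly set to disabled), so set it explicitly.
    Set-SmbServerConfiguration -EnableSMB1Protocol $true -Force
    $cfg = Get-SmbServerConfiguration
    Write-Output "EnableSMB1Protocol is now: $($cfg.EnableSMB1Protocol). Reboot the server."
}

# 4. Cross-check what the Service Control Manager sees for the dependency.
sc.exe qc LanmanServer | Select-String 'DEPENDENCIES'
```

To revert after the appliance is joined, write the saved `$before` list back with the same Set-ItemProperty call and run `Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force` if step 3 enabled it; the sc.exe line at the end is a quick way to confirm the dependency change took before rebooting.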

Let’s see how to test and confirm that the Identity Appliance makes two connections to the Windows domain controller.
While joining the Identity Appliance to the domain, open a PS window on the domain controller and run the following command repeatedly until you get some output:

PS> Get-SmbSession | Select-Object -Property *

You should see output similar to the following. In this example my Identity Appliance has an IP of 192.168.1.17. You can see that it is using SMBv1 by looking at the Dialect value.

PS C:\Users\Administrator> Get-SmbSession | Select-Object -Property *

SmbInstance           : Default
ClientComputerName    : 192.168.1.17
ClientUserName        : VMWARE\ADMINISTRATOR
ClusterNodeName       :
Dialect               : 1.01
NumOpens              : 2
ScopeName             : *
SecondsExists         : 8
SecondsIdle           : 8
SessionId             : 1614907703313
TransportName         : \Device\NetbiosSmb
PSComputerName        :
CimClass              : ROOT/Microsoft/Windows/SMB:MSFT_SmbSession
CimInstanceProperties : {ClientComputerName, ClientUserName, ClusterNodeName, Dialect…}
CimSystemProperties   : Microsoft.Management.Infrastructure.CimSystemProperties

SmbInstance           : Default
ClientComputerName    : 192.168.1.17
ClientUserName        : VMWARE\IDA-A-03$
ClusterNodeName       :
Dialect               : 1.01
NumOpens              : 1
ScopeName             : *
SecondsExists         : 7
SecondsIdle           : 7
SessionId             : 1614907703317
TransportName         : \Device\NetbiosSmb
PSComputerName        :
CimClass              : ROOT/Microsoft/Windows/SMB:MSFT_SmbSession
CimInstanceProperties : {ClientComputerName, ClientUserName, ClusterNodeName, Dialect…}
CimSystemProperties   : Microsoft.Management.Infrastructure.CimSystemProperties
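A way to catch the two sessions without retyping the command, as an added example that is not from the original post: it polls Get-SmbSession on the domain controller for a fixed time and reports each new SMBv1 (Dialect 1.x) session once. The appliance IP 192.168.1.17 is the one from the post; passing an empty -ClientIp reports every SMBv1 client on the server, which is also how you find out when nothing still needs SMBv1 and the workaround can be reverted.

```powershell
# Added example, not from the original post. Run on the domain controller
# while the Identity Appliance join is in progress.

function Watch-Smb1Session {
    param(
        [string]$ClientIp = '192.168.1.17',   # appliance IP from the post; '' = any client
        [int]$Seconds = 120                   # how long to keep polling
    )
    $deadline = (Get-Date).AddSeconds($Seconds)
    $seen     = @{}   # SessionId -> session object, so each session is reported once

    while ((Get-Date) -lt $deadline) {
        # Dialect is reported as a string such as "1.01" for SMBv1 sessions.
        $sessions = Get-SmbSession | Where-Object { $_.Dialect -like '1.*' }
        if ($ClientIp) {
            $sessions = $sessions | Where-Object { $_.ClientComputerName -eq $ClientIp }
        }
        foreach ($s in $sessions) {
            if (-not $seen.ContainsKey($s.SessionId)) {
                $seen[$s.SessionId] = $s
                $line = '{0:u}  SMBv1 session {1} from {2} as {3} (Dialect {4}, NumOpens {5})' -f (Get-Date), $s.SessionId, $s.ClientComputerName, $s.ClientUserName, $s.Dialect, $s.NumOpens
                Write-Output $line
            }
        }
        Start-Sleep -Milliseconds 500
    }

    Write-Output "Distinct SMBv1 sessions seen: $($seen.Count)"
    # Return the captured sessions for further inspection, e.g. | Format-List *
    $seen.Values
}

# For the join shown in the post you should see two sessions: one for the
# joining admin account and one for the new machine account (IDA-A-03$).
Watch-Smb1Session
```

The session objects are returned as well as printed, so you can pipe `Watch-Smb1Session -ClientIp ''` into Export-Csv to keep an inventory of SMBv1 clients over a longer window.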


Additional Resources:

Windows Server 2012 R2: Which version of the SMB protocol (SMB 1.0, SMB 2.0, SMB 2.1, SMB 3.0 or SMB 3.02) are you using?
http://blogs.technet.com/b/josebda/archive/2013/10/02/windows-server-2012-r2-which-version-of-the-smb-protocol-smb-1-0-smb-2-0-smb-2-1-smb-3-0-or-smb-3-02-you-are-using.aspx

What’s new in SMB PowerShell in Windows Server 2012 R2
http://blogs.technet.com/b/josebda/archive/2013/09/03/what-s-new-in-smb-powershell-in-windows-server-2012-r2.aspx

SMB3 Secure Dialect Negotiation
http://blogs.msdn.com/b/openspecification/archive/2012/06/28/smb3-secure-dialect-negotiation.aspx

How to enable and disable SMBv1, SMBv2, and SMBv3 in Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, and Windows Server 2012
http://support.microsoft.com/kb/2696547

LAN Manager Networking Concepts
http://support.microsoft.com/kb/86899
