Introduction
In this post we will take a look at a common issue you might experience when trying to add/join a VMware Identity Appliance (IDA) to a Windows domain. In this case, when you try to join the domain, you receive the error [Error invoking Active Directory tools.]
Lab Environment
The following environment has been used in all of the examples below:
- Active Directory Domain called vmware.com
- Windows Server 2012 R2 (with FQDN lan1dc1.vmware.com)
  - Domain Controller
  - DNS Server
  - PowerShell v4 Host
  - .NET 4 Framework installed (4.0.30319)
- Windows Server 2012 R2 (with FQDN lan2dc1.support.vmware.com)
  - Domain Controller
  - DNS Server
  - PowerShell v4 Host
  - .NET 4 Framework installed (4.0.30319)
- Windows Server 2008 R2 SP1 (with FQDN lan1dm1.vmware.com)
  - Domain Member
  - PowerShell v3 Host
  - .NET 4 Framework installed (4.0.30319)
- vCO 5.5.1.0 Virtual Appliance (with FQDN vco-a-01.vmware.com)
  - vCO PowerShell Plugin installed (version 1.0.6.2283945)
- NSX Manager 6.1.0 Virtual Appliance (with FQDN nsxmgr-a-01.vmware.com)
The full lab logical design can be seen HERE.
Error
In this case, when you try to join the domain, you receive the error:
Error invoking Active Directory tools.
In this case your domain controllers might be Windows Server 2008 (R2) or Windows Server 2012 (R2).
If you SSH to the IDA and check the messages log, you will see output similar to the following:
# ida-a-03:/var/log # cat messages
2015-01-06T13:14:34+02:00 ida-a-03 lsassd[2907]: 0x7fd845338700:Failed to run provider specific request (request code = 8, provider = 'lsa-activedirectory-provider') -> error = 31, symbol = ERROR_GEN_FAILURE, client pid = 13449
2015-01-06T13:15:40+02:00 ida-a-03 lsassd[2907]: 0x7fd845338700:Failed to run provider specific request (request code = 8, provider = 'lsa-activedirectory-provider') -> error = 31, symbol = ERROR_GEN_FAILURE, client pid = 13652
2015-01-06T13:16:23+02:00 ida-a-03 lsassd[2907]: 0x7fd845338700:Failed to run provider specific request (request code = 8, provider = 'lsa-activedirectory-provider') -> error = 31, symbol = ERROR_GEN_FAILURE, client pid = 13810
2015-01-06T13:17:03+02:00 ida-a-03 syslog-ng[1090]: Log statistics; dropped='pipe(/dev/xconsole)=0', dropped='pipe(/dev/tty10)=0', processed='center(queued)=602', processed='center(received)=433', processed='destination(messages)=430', processed='destination(mailinfo)=2', processed='destination(mailwarn)=1', processed='destination(authlog)=9', processed='destination(localmessages)=8', processed='destination(newserr)=0', processed='destination(mailerr)=0', processed='destination(warn)=50', processed='destination(netmgm)=0', processed='destination(cron)=1', processed='destination(console)=49', processed='destination(null)=0', processed='destination(mail)=3', processed='destination(xconsole)=49', processed='destination(firewall)=0', processed='destination(acpid)=0', processed='destination(newscrit)=0', processed='destination(newsnotice)=0', processed='source(src)=433'
2015-01-06T13:19:10+02:00 ida-a-03 vami /opt/vmware/share/htdocs/service/sso/config-page.py: info Processing request
2015-01-06T13:19:10+02:00 ida-a-03 vami /opt/vmware/share/htdocs/service/sso/config-page.py: info Authenticating with sfcb server.
2015-01-06T13:19:10+02:00 ida-a-03 vami /opt/vmware/share/htdocs/service/sso/config-page.py: info user:root
2015-01-06T13:19:10+02:00 ida-a-03 vami /opt/vmware/share/htdocs/service/sso/config-page.py: info Authenticated user: root successfully
2015-01-06T13:19:10+02:00 ida-a-03 vami /opt/vmware/share/htdocs/service/sso/config-page.py: info locale=en-US, id=adJoin, action=submit, controller=<type 'instance'>
2015-01-06T13:19:10+02:00 ida-a-03 lsassd[2907]: 0x7fd845338700:Failed to run provider specific request (request code = 12, provider = 'lsa-activedirectory-provider') -> error = 2692, symbol = NERR_SetupNotJoined, client pid = 14073
2015-01-06T13:19:10+02:00 ida-a-03 vami /opt/vmware/share/htdocs/service/sso/config-page.py: info Executing shell command...
2015-01-06T13:19:41+02:00 ida-a-03 lsassd[2907]: 0x7fd845338700:Failed to run provider specific request (request code = 8, provider = 'lsa-activedirectory-provider') -> error = 31, symbol = ERROR_GEN_FAILURE, client pid = 14204
2015-01-06T13:19:41+02:00 ida-a-03 vami /opt/vmware/share/htdocs/service/sso/config-page.py: ERROR Error processing request: Error invoking Active Directory tools.
2015-01-06T13:19:41+02:00 ida-a-03 vami /opt/vmware/share/htdocs/service/sso/config-page.py: ERROR {}
Cause
As will be made clear later in this post, the IDA tries to make two SMBv1 connections to the Windows Active Directory domain controller.
Workaround
I'm calling this section Workaround as I cannot accept this as a production environment solution, but I haven't yet found why the IDA appliance needs SMBv1 or a better way to make things work.
Windows Server 2008 and Windows Server 2012 come with SMBv2 and SMBv3 respectively enabled, and with SMBv1 installed but deactivated.
Our goal is not only to activate SMBv1 but also to make the service load under the Windows Server service (the LanmanServer service). The LanmanServer subkey stores configuration data for the LAN Manager 2.x Server service. The LAN Manager service is used by Samba clients.
As I haven't found an official way to enable SMBv1 functionality on Windows Server 2012 R2, but only on R1, things are a bit more complicated.
If you are using a version of Windows between Windows Server 2008 R1 and Windows Server 2012 R2, check the following article on how to enable SMBv1:
How to enable and disable SMBv1, SMBv2, and SMBv3 in Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, and Windows Server 2012
http://support.microsoft.com/kb/2696547
If you still receive the error, proceed further with changing the LanmanServer registry key as described below.
So, to get back to my Windows Server 2012 R2 environment: I first need to make the LanmanServer service depend on the Srv service (the SMBv1 service). By default it depends only on Srv2 (the SMBv2 service).
To check the current dependencies you can go straight into the registry under:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\DependOnService
I will change the DependOnService value to Srv instead of Srv2. This will still allow SMBv2 communication, as the Srv service is dependent on the Srv2 service:
Now, if you have never used the Windows Server 2008 R1 command [Set-SmbServerConfiguration -EnableSMB1Protocol] to enable or disable SMBv1 on the Windows Server 2012 R2 server, you will not find the SMB1 key under:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\SMB1
In this case I obviously have run the command and the key is present.
You will also not find the EnableSMB1Protocol and EnableSMB2Protocol values listed when you run the PS command:
PS > Get-SmbServerConfiguration
If this is the case and you cannot find the SMB1 registry key or the EnableSMB1Protocol value, proceed and reboot the server. Changing the LanmanServer service dependencies should be enough in this case.
After the reboot you should be able to add the Identity Appliance to the domain.
If this is not the case and you can find the SMB1 registry key and/or the EnableSMB1Protocol value, you must run the following command to make sure these are set accordingly. This will enable SMBv1:
PS> Set-SmbServerConfiguration -EnableSMB1Protocol $true
You should now see the SMB1 registry key and the EnableSMB1Protocol value as shown in the screenshots above.
Reboot the server. After the reboot you should be able to add the Identity Appliance to the domain.
Let's see how to test and confirm that the Identity Appliance makes two connections to the Windows domain controller.
While joining the Identity Appliance to the domain, open a PS window on the domain controller and run the following command multiple times until you get any output:
PS> Get-SmbSession | Select-Object -Property *
You should see output similar to the following. In this example my Identity Appliance has an IP of 192.168.1.17. You can see that it is using SMBv1 by looking at the Dialect value.
PS C:\Users\Administrator> Get-SmbSession | Select-Object -Property *
SmbInstance : Default
ClientComputerName : 192.168.1.17
ClientUserName : VMWARE\ADMINISTRATOR
ClusterNodeName :
Dialect : 1.01
NumOpens : 2
ScopeName : *
SecondsExists : 8
SecondsIdle : 8
SessionId : 1614907703313
TransportName : \Device\NetbiosSmb
PSComputerName :
CimClass : ROOT/Microsoft/Windows/SMB:MSFT_SmbSession
CimInstanceProperties : {ClientComputerName, ClientUserName, ClusterNodeName, Dialect…}
CimSystemProperties : Microsoft.Management.Infrastructure.CimSystemProperties
SmbInstance : Default
ClientComputerName : 192.168.1.17
ClientUserName : VMWARE\IDA-A-03$
ClusterNodeName :
Dialect : 1.01
NumOpens : 1
ScopeName : *
SecondsExists : 7
SecondsIdle : 7
SessionId : 1614907703317
TransportName : \Device\NetbiosSmb
PSComputerName :
CimClass : ROOT/Microsoft/Windows/SMB:MSFT_SmbSession
CimInstanceProperties : {ClientComputerName, ClientUserName, ClusterNodeName, Dialect…}
CimSystemProperties : Microsoft.Management.Infrastructure.CimSystemProperties
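As an added example (not part of the original post), the following PowerShell audits the server-side state that the workaround above changes (the LanmanServer DependOnService value, the SMB1 parameter under Parameters, and EnableSMB1Protocol from Get-SmbServerConfiguration) and lists the active sessions whose Dialect is 1.x, so you can see exactly which clients, such as the IDA, still rely on SMBv1 and revert the change once the appliance has been joined. The function names Get-Smb1Exposure and Disable-Smb1Workaround are my own; the code assumes an elevated PowerShell session on a Windows Server 2012 R2 domain controller where the SmbShare cmdlets (Get-SmbServerConfiguration, Get-SmbSession) are available.

```powershell
# Added example, not code from the original post. Assumes an elevated session on a
# Windows Server 2012 R2 DC with the SmbShare module present.

function Get-Smb1Exposure {
    [CmdletBinding()]
    param()

    $svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer'

    # DependOnService is REG_MULTI_SZ; Srv is the SMBv1 driver, Srv2 the SMBv2/3 driver.
    $dependsOn = (Get-ItemProperty -Path $svcKey -Name DependOnService -ErrorAction Stop).DependOnService

    # The SMB1 value under Parameters only exists once Set-SmbServerConfiguration
    # -EnableSMB1Protocol has been run at least once, as the post describes.
    $smb1Param = Get-ItemProperty -Path "$svcKey\Parameters" -Name SMB1 -ErrorAction SilentlyContinue

    # On a server where that value was never written, Get-SmbServerConfiguration may not
    # expose EnableSMB1Protocol at all, so check for the property before reading it.
    $cfg = Get-SmbServerConfiguration
    $smb1Enabled = if ($cfg.PSObject.Properties['EnableSMB1Protocol']) { $cfg.EnableSMB1Protocol } else { $null }

    # Sessions negotiated at dialect 1.x are SMBv1 clients (the IDA shows Dialect 1.01).
    $smb1Sessions = Get-SmbSession | Where-Object { $_.Dialect -like '1.*' } |
        Select-Object ClientComputerName, ClientUserName, Dialect, NumOpens, SecondsIdle

    [pscustomobject]@{
        DependOnService    = $dependsOn
        LoadsSrv1Driver    = ($dependsOn -contains 'Srv')
        SMB1RegistryValue  = if ($smb1Param) { $smb1Param.SMB1 } else { '<absent>' }
        EnableSMB1Protocol = $smb1Enabled
        ActiveSmb1Sessions = @($smb1Sessions)
    }
}

# Restores the defaults the post describes (dependency on Srv2 only, SMB1 off) once the
# appliance has been joined. Run with -WhatIf first to preview the changes.
function Disable-Smb1Workaround {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    $svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer'
    if ($PSCmdlet.ShouldProcess('LanmanServer', 'Set DependOnService back to Srv2')) {
        Set-ItemProperty -Path $svcKey -Name DependOnService -Value @('Srv2') -Type MultiString
    }
    if ($PSCmdlet.ShouldProcess('SMB server', 'Disable the SMB1 protocol')) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
    Write-Warning 'A reboot is required for the LanmanServer dependency change to take effect.'
}

# Usage: run while (or shortly after) the appliance joins, so its sessions are still listed.
$report = Get-Smb1Exposure
$report | Format-List DependOnService, LoadsSrv1Driver, SMB1RegistryValue, EnableSMB1Protocol
$report.ActiveSmb1Sessions | Format-Table -AutoSize
```

LoadsSrv1Driver being true together with an empty ActiveSmb1Sessions list after the join has completed is the signal that the workaround is no longer needed and Disable-Smb1Workaround can be run, followed by the reboot the post calls for.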
Additional Resources:
Windows Server 2012 R2: Which version of the SMB protocol (SMB 1.0, SMB 2.0, SMB 2.1, SMB 3.0 or SMB 3.02) are you using?
http://blogs.technet.com/b/josebda/archive/2013/10/02/windows-server-2012-r2-which-version-of-the-smb-protocol-smb-1-0-smb-2-0-smb-2-1-smb-3-0-or-smb-3-02-you-are-using.aspx
What’s new in SMB PowerShell in Windows Server 2012 R2
http://blogs.technet.com/b/josebda/archive/2013/09/03/what-s-new-in-smb-powershell-in-windows-server-2012-r2.aspx
SMB3 Secure Dialect Negotiation
http://blogs.msdn.com/b/openspecification/archive/2012/06/28/smb3-secure-dialect-negotiation.aspx
How to enable and disable SMBv1, SMBv2, and SMBv3 in Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, and Windows Server 2012
http://support.microsoft.com/kb/2696547
LAN Manager Networking Concepts
http://support.microsoft.com/kb/86899