While this is probably not going to be a common problem to many administrators out there, I figure I’d blog this issue I encountered today in case I come across it again.
You have just completed installing the second vCenter which you configured to be in Linked Mode with another vCenter. I’m logged into the 2nd node with my domain admin account and I use the Use Windows session credentials option to log in:
I’m able to launch vCenter without any issues and can see both vCenters configured in Linked Mode:
I switch over to node 1 and log into the vCenter Windows server using the vCenter service account I run the service with, then log into vCenter using the Use Windows session credentials option:
… but receive the following message:
There are issues with communication with the following vCenter server(s):
<your2ndNodevCenterFQDN>: Failure to authenticate with the server
Before I explain the reason why I ran into this issue, it’s important to note that when you log into a vCenter that is configured with another vCenter in Linked Mode, the vCenter you successfully log into actually uses the same credentials you logged in with to authenticate with the other vCenter. With this in mind, I immediately knew that there was something wrong with the account I used to log into node 1 which was the vCenter service account. To make a long story short, the reason why I received this message was because the vCenter service account did not have permissions to the newly deployed node 2 and it’s because of the following reason:
During the install of vCenter on node 2, I specified the Domain Admins group to be an administrator:
So when node 2 completed the install, the only group that had permissions to the vCenter was Domain Admins, and my vCenter service account is a local administrator but is not a part of, and would never be a part of, that group:
Some might wonder why I didn’t grant the Local Administrators group permissions to the vCenter instead. The reason is that Single Sign-on (SSO) Multisite configurations do not support local accounts.
The fix is easy: simply grant the service account permissions to the vCenter, or log in with your domain administrator account.
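One way to check for this mismatch on every linked node before it surfaces as a login error, written with VMware PowerCLI. This is an added example, not from the original post; the server names, the account and the role are placeholders, and the script only reports unless `-Grant` is passed.

```powershell
# Added example (not from the original post). Requires VMware PowerCLI.
# Server names, account and role below are placeholders for illustration.
param(
    [string[]]$VCenters  = @('vc-node1.example.local', 'vc-node2.example.local'),
    [string]  $Principal = 'EXAMPLE\svc-vcenter',
    [string]  $RoleName  = 'ReadOnly',   # choose the least-privileged role that meets your needs
    [switch]  $Grant                      # without -Grant the script only reports
)

# Connect with an account that already has rights on every node
# (in the post's scenario, a member of Domain Admins).
$cred = Get-Credential

foreach ($vc in $VCenters) {
    $server = Connect-VIServer -Server $vc -Credential $cred
    try {
        # Top-level inventory folder; a propagating permission here covers the whole vCenter.
        $root = Get-Folder -NoRecursion -Server $server

        # Matches direct assignments only. Rights that come from a group
        # (e.g. Domain Admins) are listed under the group's name, not the user's.
        $existing = Get-VIPermission -Entity $root -Principal $Principal -Server $server

        if ($existing) {
            "{0}: {1} has role '{2}' (propagate={3})" -f $vc, $Principal, $existing.Role, $existing.Propagate
        }
        elseif ($Grant) {
            $role = Get-VIRole -Name $RoleName -Server $server
            New-VIPermission -Entity $root -Principal $Principal -Role $role -Propagate:$true -Server $server | Out-Null
            "{0}: granted role '{1}' to {2}" -f $vc, $RoleName, $Principal
        }
        else {
            "{0}: {1} has no direct permission at the root; unless a group grants access, Linked Mode logins with this account will fail against this node" -f $vc, $Principal
        }
    }
    finally {
        Disconnect-VIServer -Server $server -Confirm:$false
    }
}
```

Running it without `-Grant` after adding a new linked node shows which accounts were left out by the installer's initial administrator choice.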