Environment
Novell Open Enterprise Server 2 SP2 (OES 2SP2)
DSFW
Situation
The VMware View Composer Server fails to authenticate to DSFW. A LAN trace shows the Kerberos error "KRB Error: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN".
The VMware View Composer Server requests a service ticket for the service principal name "ldap/<ip address of DSFW DC>". If no such SPN exists on the DC, the View Composer Server falls back to NTLMSSP authentication. By default neither AD nor DSFW creates an SPN of the form "ldap/<ip address of DSFW DC>". DSFW does not support NTLMSSP, so the NTLMSSP exchange does not complete. AD, in contrast, does support NTLMSSP, so against AD the LDAP authentication still succeeds even though the earlier service ticket request fails because of the unknown principal name.
Below is an example of a LAN trace.
Resolution
Starting with OES11SP2, NTLMSSP (NTLM over LDAP) is supported.
Upgrade all DSfW servers to OES11SP2 and enable NTLM over LDAP when running the "Feature Provisioning Wizard".
For OES11SP1 or earlier DSfW servers do the following:
Because the VMware View Composer Server does not use the standard service name format "ldap/<hostname of DSFW DC>", an SPN must be created in the format the View Composer Server actually requests, "ldap/<ip address of DSFW DC>".
To create the SPN the View Composer Server is looking for:
- Edit the Domain Controller object using iManager or ConsoleOne.
- The DC object has the name of the DSFW server and is located in "ou=domain controllers,<dc=...>".
- Go to the "Other" tab and edit the servicePrincipalName attribute.
- Add the value ldap/<ipaddress> to the servicePrincipalName attribute.
- Restart the DSFW services with "xadcntrl reload".
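The same change can be made from the command line with the OpenLDAP client tools instead of iManager or ConsoleOne. The script below is an added example, not part of this TID or of the DSfW product; it covers both the check described in the Situation section (is "ldap/<ip address of DSFW DC>" among the DC's servicePrincipalName values?) and the fix above (add that value). It assumes that the DC object is "cn=<dc name>,ou=domain controllers,<base dn>", that the DSfW LDAP port is 389, and that the admin bind DN is supplied by the caller; the sample SPN list, host name and IP address are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original TID): check for, and build the LDIF that adds,
# the "ldap/<ip address of DSFW DC>" SPN that the View Composer Server requests.
# Assumptions: the DC object DN is "cn=<dc name>,ou=domain controllers,<base dn>"
# and the DSfW server listens on LDAP port 389.

# Print an LDIF modify entry that adds one servicePrincipalName value.
# Usage: build_spn_ldif <dc name> <base dn> <dc ip address>
build_spn_ldif() {
    dc_name=$1
    base_dn=$2
    dc_ip=$3
    printf 'dn: cn=%s,ou=domain controllers,%s\n' "$dc_name" "$base_dn"
    printf 'changetype: modify\n'
    printf 'add: servicePrincipalName\n'
    printf 'servicePrincipalName: ldap/%s\n' "$dc_ip"
}

# Return 0 if the SPN the View Composer Server asks for is already among the
# values read from stdin (one value per line, e.g. an ldapsearch of
# servicePrincipalName on the DC object). SPNs are matched case-insensitively.
# Usage: printf '%s\n' "$existing_spns" | spn_present <dc ip address>
spn_present() {
    grep -qix "ldap/$1"
}

# Apply the LDIF to the DSfW domain controller with ldapmodify (OpenLDAP client
# tools); -W prompts for the admin password so it does not appear in the process list.
# Usage: apply_spn <dc name> <base dn> <dc ip address> <admin bind dn>
apply_spn() {
    build_spn_ldif "$1" "$2" "$3" | ldapmodify -x -H "ldap://$3" -D "$4" -W
    # Afterwards restart the DSfW services on the DC: xadcntrl reload
}

# Constructed sample: the SPNs a DSfW/AD DC carries by default, with no ldap/<ip> value.
SAMPLE_SPNS='ldap/dc1.example.com
ldap/dc1.example.com/example.com
HOST/dc1.example.com'

# Stand-alone run: report the decision and show the LDIF that would be applied.
if printf '%s\n' "$SAMPLE_SPNS" | spn_present 192.0.2.10; then
    echo "SPN ldap/192.0.2.10 already present; nothing to do"
else
    echo "SPN ldap/192.0.2.10 missing; LDIF to apply:"
    build_spn_ldif dc1 "dc=example,dc=com" 192.0.2.10
fi
```

To apply against a real DC, feed `spn_present` the output of an `ldapsearch` for `servicePrincipalName` on the DC object, and if it reports the SPN missing, run `apply_spn dc1 "dc=example,dc=com" 192.0.2.10 "cn=administrator,cn=users,dc=example,dc=com"` followed by `xadcntrl reload` on the DC. Checking before adding matters because `changetype: modify` with `add:` fails if the value already exists.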
Additional Information
SASL NTLMSSP Bind Support
DSfW now includes NTLM support for LDAP authentication. If Kerberos is unavailable, or a legacy third-party application supports only NTLM authentication, NTLM over LDAP is used instead. This NTLMSSP support is layered over the SASL GSS-SPNEGO mechanism. For more information, see "Support for SASL NTLMSSP Bind in LDAP" in the OES 11 SP2: Domain Services for Windows Administration Guide.