Hostname Exceeding Maximum Character Limit of Active Directory

Issue: User unable to connect to newly provisioned VM. 

Error: SSL: No authority could be contacted for authentication. The domain name of the authenticating party could be wrong, the domain could be unreachable, or there might have been a trust relationship failure. (Code: 6151) 

Scenario: We have seen this error when a virtual machine (VM) has lost connectivity with the Domain Controller and, as a result, fails to authenticate the user. However, one of our customers has observed a corner case for this error.

A customer provisioned a pool from Workspot Control using a 15-character VM naming convention (ABCD-EFG-HIJK-x). Initially, VMs were created with single-digit serial numbers (e.g., ABCD-EFG-HIJK-1, ABCD-EFG-HIJK-2, ABCD-EFG-HIJK-3). However, after multiple deletions and re-creations of desktops, the serial numbers reached double digits, and the resulting names exceeded the 15-character limit (e.g., ABCD-EFG-HIJK-11).

While the Workspot Cloud-Pool successfully deployed the VMs, the machine names surpassed Active Directory's 15-character hostname limit. As a result, only the first 15 characters were retained when adding the desktops to the domain, causing the last character to be truncated.

Active Directory Hostname Limitation: According to Microsoft’s naming conventions for computer domain names, the NetBIOS computer name (which is used for domain joins) should not exceed 15 characters. Any hostname longer than this will result in issues when trying to join the machine to a domain. You can find more information on this limitation here.

 

Error: The NetSetup.log file (C:\Windows\debug\NetSetup.log) records domain join attempts and authentication-related errors. Customers may see Error Code: 0x525 (ERROR_NO_SUCH_USER) in the log, indicating one of the following reasons:

  • The computer account does not exist in Active Directory. 

  • The domain controller (DC) cannot find a matching account due to the name truncation. 

  • The machine may be attempting to authenticate with a name different from its actual AD object. 

 

Root Cause Investigation: 

The pool was configured to allow single-digit suffixes, but no restriction was placed on the number of digits used. As a result, the naming sequence continued beyond "ABCD-EFG-HIJK-9," leading to unintended behaviour in the Workspot Pool configuration. 

Although the customer initially selected a single-digit suffix, the system permitted the creation of VM names exceeding the intended character limit, ultimately causing conflicts with Active Directory's 15-character hostname restriction.   

In such a scenario, an administrator can log in to the VM with a local admin account and change the VM name/FQDN so that it stays within the maximum character limit, i.e., 15 characters.

 

To address this, our engineering team will work on an enhancement to enforce VM naming limits. Additionally, administrators will receive a clear notification if a hostname exceeds 15 characters, ensuring better control over the provisioning process.

 

Recommendation: 

  • Determine the required number of virtual machines in the pool. 

  • Set the naming convention accordingly to prevent exceeding the character limit. 

Tip: Enable the "Auto Create on Delete" feature at the pool level. This ensures that when a VM is deleted, a new one is provisioned with the same name, preventing unintended naming issues.
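
A pre-flight check for the recommendation above, written as an added PowerShell example (not Workspot code). It applies the first-15-characters truncation described in this article to every name a pool could generate and flags names that are too long or that collapse onto another name; the function and parameter names are hypothetical and do not correspond to Workspot Control settings.

```powershell
# Added example: validate a pool naming convention against the 15-character
# NetBIOS computer-name limit. All function/parameter names are hypothetical.
$NetBiosMax = 15

function Get-TruncatedName {
    param([Parameter(Mandatory)][string]$Name)
    # Per the article, only the first 15 characters are retained at domain join.
    if ($Name.Length -gt $NetBiosMax) { return $Name.Substring(0, $NetBiosMax) }
    return $Name
}

function Get-MaxSafeSerial {
    param([Parameter(Mandatory)][string]$Prefix)
    # Number of digits left for the serial once the prefix is accounted for.
    $digits = $NetBiosMax - $Prefix.Length
    if ($digits -lt 1) { return 0 }   # prefix alone already fills the name
    return [long]([math]::Pow(10, $digits)) - 1
}

function Test-PoolNaming {
    param(
        [Parameter(Mandatory)][string]$Prefix,                            # e.g. 'ABCD-EFG-HIJK-'
        [Parameter(Mandatory)][ValidateRange(1, 99999)][int]$HighestSerial # highest serial the pool may reach,
                                                                          # including delete/re-create churn
    )
    $seen = @{}   # truncated name -> first full name that produced it
    foreach ($serial in 1..$HighestSerial) {
        $full   = "$Prefix$serial"
        $short  = Get-TruncatedName -Name $full
        $status = 'OK'
        if ($full.Length -gt $NetBiosMax) { $status = 'TooLong' }
        if ($seen.ContainsKey($short))    { $status = "CollidesWith:$($seen[$short])" }
        else                              { $seen[$short] = $full }
        [pscustomobject]@{
            Name = $full; Length = $full.Length; JoinedAs = $short; Status = $status
        }
    }
}

# The article's convention: a 14-character prefix leaves room for one digit.
Get-MaxSafeSerial -Prefix 'ABCD-EFG-HIJK-'
Test-PoolNaming -Prefix 'ABCD-EFG-HIJK-' -HighestSerial 12 |
    Where-Object Status -ne 'OK' | Format-Table -AutoSize
```

Size `-HighestSerial` for the serials the pool can reach over its lifetime, not just the number of VMs running at once, since deletions and re-creations advance the serial number.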