Hello All,
Recently deployed a fresh install of the latest VMCA, version 7.0.0-16749653 to be exact, and I've been fighting to get the authentication proxy to join a host to an Active Directory domain for far too long. I'm nearly out of options and pretty close to giving up, so if anyone could lend me a hand I would greatly appreciate it. I'm currently using what is considered the hybrid option regarding certificates and have only replaced the VMCA Machine SSL certificate and included my enterprise root and sub CA; the 1 host I'm currently testing with is using certificates signed by VMCA. I will start by listing the tasks I've completed to get the auth proxy set up to prepare for AD joins.
- From appliance management, I went to Services >> selected the 'VMware vSphere Authentication Proxy' service and manually started it
- I then enabled SSH access on the VMCA and logged in >> enabled client auth using the command '/usr/lib/vmware-vmcam/bin/camconfig ssl-cliAuth -e'
- Next, added domain and service account to VMCA using the following command '/usr/lib/vmware-vmcam/bin/camconfig add-domain -d corp.domain.com -u svc_vmware' and entered password when prompted
- I then followed the vSphere 7.0 security guide for generating a new certificate for vSphere Auth Proxy (https://docs.vmware.com/en/VMware-vSphere/7.0/vsphere-esxi-vcenter-server-70-security-guide.pdf pg 106)
- I uploaded the newly generated rui.crt to the datastore of the host I was intending on joining
- I then changed the 'Config.HostAgent.plugins.hostsvc.esxAdminsGroup' advanced system setting on the host I was intending on joining to match the AD group I created for Admins
- Finally, I imported the previously mentioned rui.crt under the host's 'Authentication Services' tab using the 'Import Certificate' button, pointed it to the directory I uploaded it to on the datastore using '[datastore]/vmcam/rui.crt', and filled in the IP address of the VMCA auth proxy service
- I forgot to mention, I ran into an issue due to our domain's hardening that was solved by forcing VMCA to only send auth requests to AD using NTLMv2
- So, I used the following settings for the join-domain attempt: domain 'corp.domain.com/domain/sites/chi3/servers', and with 'Using proxy server' selected, the IP address of the VMCA auth proxy service
Just to note, the Active Directory service account I created as a user for the join was given delegated control following the steps outlined in the Microsoft KB https://support.microsoft.com/en-us/help/932455/error-message-when-non-administrator-users-who-have-been-delegated-con
I have also tried making different adjustments using the camconfig and camregister scripts, but receive the same results. Here is the current output for 'camconfig status':
Default Domain Name: corp.domain.com
Default Domain User: svc_vmware
vCenter Server Address: 172.31.2.60
vCenter Server User: Administrator@vsphere.local
vCenter Server Port: 80
SSL Settings:
Certificate File: /var/lib/vmware/vmcam/ssl/certs/rui.crt
Private Key File: /var/lib/vmware/vmcam/ssl/certs/rui.key
Client Authentication: Enabled.
Success.
I receive the following errors:
VMCA Tasks: 'The specified vSphere Authentication Proxy server is not reachable, or has denied access to the service.'
VMCA /var/log/vmware/vmcamd/vmcamd-syslog.log:
2020-09-13T18:36:36.645515-05:00 info vmcamd t@140698414208768: Creating machine account for Host 'host1.corp.domain.com', OU 'domain/Sites/chi3/servers'
2020-09-13T18:36:36.978725-05:00 info vmcamd t@140698414208768: VmCamLdapMoveAccFromDomainBaseDn failed. (50)(Insufficient access)
2020-09-13T18:36:36.978903-05:00 notice vmcamd t@140698414208768: [../../../server/vmcam/api.c,742]
2020-09-13T18:36:36.978996-05:00 info vmcamd t@140698414208768: VmCamSrvCreateMachineAccount failed. (50)
2020-09-13T18:36:36.979082-05:00 notice vmcamd t@140698414208768: [../../../server/vmcam/httpserv.c,231]
2020-09-13T18:36:36.979133-05:00 info vmcamd t@140698414208768: VmCam HTTPS request Handler failed with 50
From the same log file (I'm not sure if this is relevant to the issue), I also see the following error upon restarting the vmcam service:
2020-09-13T16:41:59.227138-05:00 info vmcamd t@140698934294272: Exceptions in CAMAdapterMainLoop: Crypto Exception: error:02001002:system library:fopen:No such file or directory: unable to load BIO
I've also tried joining the machine without specifying the location of the OU and receive the following from vmcamd-syslog.log:
2020-09-13T18:43:21.933127-05:00 info vmcamd: Creating machine account for Host 'host1.corp.domain.com'', OU ''
2020-09-13T18:43:22.283499-05:00 notice vmcamd: [../../../server/vmcam/api.c,810]
2020-09-13T18:43:22.283650-05:00 info vmcamd: VmCamSrvCreateMachineAccount failed. (5)
2020-09-13T18:43:22.283954-05:00 notice vmcamd: [../../../server/vmcam/httpserv.c,231]
2020-09-13T18:43:22.284037-05:00 info vmcamd: VmCam HTTPS request Handler failed with 5
VMCA /var/log/vmware/vpxd/vpxd.log:
2020-09-13T18:43:21.892-05:00 info vpxd[53087] [Originator@6876 sub=vpxLro opID=kauto] [VpxLRO] -- BEGIN task-3066 -- activeDirectoryAuthentication-1021 -- vim.host.ActiveDirectoryAuthentication.joinDomainWithCAM --
2020-09-13T18:43:22.296-05:00 info vpxd[53087] [Originator@6876 sub=vpxLro opID=kf178jvj-6875-auto-5b0-h5:70003448-64] [VpxLRO] -- FINISH task-3066
2020-09-13T18:43:22.296-05:00 info vpxd[53087] [Originator@6876 sub=Default opID=kf178jvj-6875-auto-5b0-h5:70003448-64] [VpxLRO] -- ERROR task-3066 -- activeDirectoryAuthentication-1021 -- vim.host.ActiveDirectoryAuthentication.joinDomainWithCAM: vim.fault.CAMServerRefusedConnection:
--> Result:
--> (vim.fault.CAMServerRefusedConnection) {
--> faultCause = (vmodl.MethodFault) null,
--> faultMessage = <unset>,
--> errorCode = 1225,
--> camServer = "172.31.2.60"
--> msg = "The specified vSphere Authentication Proxy server is not reachable, or has denied access to the service."
--> }
--> Args:
-->
--> Arg domainName:
--> "corp.domain.com"
--> Arg camServer:
--> "172.31.2.60"
I apologize for the long-winded post, but I figured I would receive better responses if I provided in-depth detail. Anyway, any and all insight, thoughts, suggestions, and options are welcome and appreciated, as I would love to move past this as soon as possible.
Thanks in advance,
James
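An added check, not part of James's post or of VMware's tooling: the log line 'VmCamLdapMoveAccFromDomainBaseDn failed. (50)(Insufficient access)' fails at the step that moves the new machine account into the OU, and LDAP result code 50 is insufficientAccessRights, so this PowerShell audit (run from a domain-joined workstation with RSAT) reports whether svc_vmware directly holds Create Child for computer objects on the target OU and Delete Child on the default Computers container. The NetBIOS name CORP, the distinguished name assumed for 'domain/Sites/chi3/servers', and the create-then-move assumption are mine, not from the post.

```powershell
# Added example, not from the original post: audit whether the delegated join
# account holds the two rights an account move into the OU needs.
# Assumptions (adjust to your environment): NetBIOS domain is CORP, the OU
# 'domain/Sites/chi3/servers' maps to the DN below, and vmcamd first creates the
# account in the default Computers container and then moves it to the OU.
Import-Module ActiveDirectory

$Identity          = 'CORP\svc_vmware'
$TargetOu          = 'OU=servers,OU=chi3,OU=Sites,OU=domain,DC=corp,DC=domain,DC=com'
$SourceDn          = (Get-ADDomain).ComputersContainer
$ComputerClassGuid = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of class 'computer'

function Test-DelegatedRight {
    param(
        [string]$DistinguishedName,
        [string]$Identity,
        [System.DirectoryServices.ActiveDirectoryRights]$Right
    )
    # Get-Acl on the AD: drive returns the object's DACL, inherited ACEs included.
    $acl  = Get-Acl -Path ("AD:\" + $DistinguishedName)
    $hits = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq $Identity -and
        (($_.ActiveDirectoryRights -band $Right) -eq $Right) -and
        # ObjectType limits a CreateChild/DeleteChild ACE to one class; Empty = any class.
        ($_.ObjectType -eq [guid]::Empty -or $_.ObjectType -eq $ComputerClassGuid)
    }
    return [bool]$hits
}

$checks = @(
    @{ Dn = $TargetOu; Right = 'CreateChild'; Why = 'create computer objects in the move destination' },
    @{ Dn = $SourceDn; Right = 'DeleteChild'; Why = 'remove the account from the container it was created in' }
)
foreach ($c in $checks) {
    $state = if (Test-DelegatedRight -DistinguishedName $c.Dn -Identity $Identity -Right $c.Right) { 'OK  ' } else { 'MISS' }
    "{0} {1,-11} on {2}  ({3})" -f $state, $c.Right, $c.Dn, $c.Why
}
```

The identity comparison only matches ACEs granted to the account itself, so a right that arrives through a group membership shows as MISS until the filter is extended to the account's groups.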