Removal of Integrated Windows Authentication (IWA)
Article ID: 314324

Products: VMware vSphere ESXi, VMware vCenter Server

Issue/Introduction

Integrated Windows Authentication (IWA) was first deprecated with the release of vSphere 7.0. Broadcom has announced that IWA will be officially removed in the first major release after vSphere 8.0 Update 3 (vSphere 9.0). As a result, vCenter Server will no longer support joining an Active Directory domain via the IWA method, and users must transition to modern identity providers to maintain Active Directory authentication.

Environment

VMware vCenter Server: 7.x, 8.x, 9.x

Cause

The removal of IWA is part of a broader effort to modernize the vCenter Server architecture and its security posture. IWA depends on the Likewise software stack, which joins the appliance to the domain over SMB and Kerberos and searches the directory over unsigned LDAP; maintaining that stack added significant complexity and overhead to the vCenter Server Appliance (VCSA). By moving to federated identity and to Active Directory over LDAPS, vSphere provides a more secure, scalable, and standardized authentication framework.

Resolution

1. Supported Alternatives

  • Active Directory over LDAP with TLS (LDAPS): vCenter Server queries the domain directly over an encrypted, certificate-validated LDAP connection.
  • Identity Federation: vCenter Server redirects logins to an external identity provider, which authenticates users against Active Directory on its behalf.

2. Mandatory Upgrade Requirements for vSphere 9.x

To successfully upgrade to vCenter 9.0, the following actions are required:

  • Replace every IWA identity source with AD over LDAPS or Identity Federation, since vCenter Server 9.0 no longer supports joining a domain via IWA.
  • Inform users that "Use Windows session credentials" is no longer available and that credentials must be entered at the login screen.

3. Technical Considerations

  • Permission Retention: If the Domain Name and Alias are kept identical during the migration from IWA to LDAPS, existing permissions on vCenter objects are preserved, because vCenter matches existing permission entries by domain and principal name. See Considerations when migrating a vCenter Identity Source from Integrated Windows Authentication to AD over LDAP / OpenLDAP.
  • Windows Session Credentials (SSPI): Support for "Use Windows session credentials" is removed. Users must manually enter their credentials at the login screen.
  • ESXi Hosts: Active Directory authentication remains supported for ESXi hosts in vSphere 9.0 for host-level management, though IWA-specific features like SSPI will be removed in a future release.

For additional details, please refer to the VMware vCenter Server 8.0 Update 3 Release Notes.

Additional Information

Behind the scenes, IWA searches users and groups over unsigned LDAP. Once IWA is removed, those searches stop working, which affects the ability to add users and groups to permissions and authentication configurations until an LDAPS or federated identity source is in place.

Who Is Affected?
You are not affected if vCenter Server is configured to access Active Directory over LDAP with TLS (LDAPS) or through Identity Federation. You can check this by viewing the Identity Sources in the vSphere Client (Administration > Single Sign On > Configuration > Identity Provider > Identity Sources): an IWA source is listed with the type Active Directory (Integrated Windows Authentication), an LDAPS source with the type Active Directory over LDAP.

For steps concerning configuring LDAPS Identity Sources, see Configuring a vCenter Single Sign-On Identity Source using LDAP with SSL (LDAPS).
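The check described under "Who Is Affected?" and the permission-retention rule under "Technical Considerations" can be combined into one script. The following PowerCLI script is an added example for this article, not code from the KB or from Broadcom/VMware: it inventories the identity sources of a vCenter Server, flags any IWA source, verifies that the domain controller presents a trusted LDAPS certificate before anything is changed, and (only with -Apply) replaces the IWA source with an AD-over-LDAPS source that keeps the same Domain Name and Alias. It assumes the community VMware.vSphere.SsoAdmin PowerCLI module (Connect-SsoAdminServer, Get-IdentitySource, Remove-IdentitySource, Add-LDAPIdentitySource, with IWA sources returned as ActiveDirectoryIdentitySource objects carrying Name and Alias properties); verify those cmdlet and parameter names with Get-Help for the module version you have installed. All host names and base DNs are placeholders.

```powershell
<#
Added example for this article (not code from the KB or from Broadcom/VMware).
Assumptions: the community VMware.vSphere.SsoAdmin PowerCLI module is installed;
IWA sources come back from Get-IdentitySource as ActiveDirectoryIdentitySource
objects with Name and Alias properties; host names and DNs below are placeholders.
#>
param(
    [string]$VCenter      = 'vcsa.corp.example',     # placeholder
    [string]$DomainCtrl   = 'dc01.corp.example',     # placeholder; must match the DC cert's SAN
    [string]$BaseDnUsers  = 'DC=corp,DC=example',    # placeholder
    [string]$BaseDnGroups = 'DC=corp,DC=example',    # placeholder
    [string]$CertOut      = "$env:TEMP\ldaps-root.cer",
    [switch]$Apply                                    # without -Apply the script only reports
)

# Fetch and validate the DC's LDAPS certificate chain. AuthenticateAsClient uses
# the OS trust store and checks the host name, so a self-signed, expired or
# mismatched certificate aborts here instead of being silently trusted.
# Returns the root certificate of the validated chain.
function Get-LdapsRootCertificate {
    param([string]$HostName, [int]$Port = 636)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName)
        $leaf  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        if (-not $chain.Build($leaf)) {
            throw "Certificate chain for $HostName did not build: $($chain.ChainStatus.StatusInformation -join '; ')"
        }
        return $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    } finally {
        $tcp.Close()
    }
}

Import-Module VMware.vSphere.SsoAdmin
$ssoCred = Get-Credential -Message 'vCenter SSO administrator (e.g. administrator@vsphere.local)'
$sso = Connect-SsoAdminServer -Server $VCenter -User $ssoCred.UserName `
        -Password $ssoCred.GetNetworkCredential().Password

# 1. Who is affected: list every source and pick out the IWA ones (assumed type name).
$sources = Get-IdentitySource -Server $sso
$sources | ForEach-Object { '{0,-40} {1}' -f $_.Name, $_.GetType().Name }
$iwa = @($sources | Where-Object { $_.GetType().Name -eq 'ActiveDirectoryIdentitySource' })
if ($iwa.Count -eq 0) { Write-Host 'No IWA identity source found: nothing to migrate.'; return }

foreach ($src in $iwa) {
    # 2. Reuse the existing Domain Name and Alias so vCenter permissions are retained.
    $domain = $src.Name
    $alias  = $src.Alias
    Write-Host "IWA source found: domain=$domain alias=$alias"

    # 3. Pre-check LDAPS on the DC and export the validated root CA for the new source.
    $root = Get-LdapsRootCertificate -HostName $DomainCtrl
    [IO.File]::WriteAllBytes($CertOut, $root.Export('Cert'))
    Write-Host "LDAPS on $DomainCtrl verified; root CA '$($root.Subject)' written to $CertOut"

    if (-not $Apply) { Write-Host 'Dry run: re-run with -Apply to replace the source.'; continue }

    # 4. Replace the source. Bind with a dedicated, read-only AD account, never a domain admin.
    $bind = Get-Credential -Message "Read-only AD account for the LDAPS bind ($domain)"
    $src | Remove-IdentitySource -Server $sso
    Add-LDAPIdentitySource -Name $domain -DomainName $domain -DomainAlias $alias `
        -PrimaryUrl "ldaps://${DomainCtrl}:636" `
        -BaseDNUsers $BaseDnUsers -BaseDNGroups $BaseDnGroups `
        -Username $bind.UserName -Password $bind.GetNetworkCredential().Password `
        -Certificates $CertOut -ServerType 'ActiveDirectory' -Server $sso
    Write-Host "Replaced IWA source $domain with AD over LDAPS (domain and alias unchanged)."
}
```

Run it once without -Apply to see the identity-source inventory and to confirm the LDAPS certificate check passes; only then re-run with -Apply. Note that vCenter does not allow two sources with the same domain name, so the IWA source is removed before the LDAPS source is added, which leaves a short window in which Active Directory logins fail; schedule the change accordingly and keep a local administrator@vsphere.local session open. Using the validated root CA rather than the leaf certificate means the identity source keeps working when the domain controller's certificate is renewed by the same CA.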

Many IWA-related login issues can be resolved by removing vCenter Server from the domain and rejoining it, as detailed in the following article:

"Invalid Credentials" error while logging into VC using AD credentials