Troubleshooting authentication failures with Active Directory users in vCenter Server

Article ID: 322366

Updated On: 06-09-2025

Products

VMware vCenter Server

Issue/Introduction

This article provides guidance when troubleshooting issues related to Active Directory authentication in vCenter Server. 

  • Authentication to vCenter with Active Directory credentials is slow or fails intermittently
  • vCenter - /var/log/vmware/messages contains many of the following errors:

    Failed to find user, group, or domain by name (name = '<AD_USER>', searched host = '<DOMAIN_CONTROLLER>') -> error = 40098, symbol = LW_ERROR_RPC_OPENPOLICY_FAILED

    Detected domain 'domain.example' offline. Some group information from this domain might be missing

    DNS lookup for '_ldap._tcp.dc._msdcs.domain.example' failed with errno 110 (Connection timed out)

  • vCenter - /var/log/vmware/messages contains many of the following errors during the incident:

    lwsmd: Restarting dead service: netlogon (attempt 1/2)

Environment

VMware vCenter Server

Cause

The root cause of failed Active Directory logins can come from several sources such as:
  • Excessive login attempts by another solution or external script
  • Poor performance of queries to Active Directory
  • vCenter Appliance is running low on resources
  • A known issue with netlogond crashes (fixed in vCenter Server 6.7 U3)
Note: Critical security hardening measures were introduced in vCenter Server 6.7 which affect Kerberos authentication performance.

Resolution

Use the following methods to determine the cause of AD Authentication issues.

Excessive Logins

Login attempts are typically recorded in log files or the system journal and will look similar to the examples below.

  • API Authentication:  vCenter - /var/log/vmware/sso/vmware-identity-sts.log
  • Web Client Authentication:  vCenter - /var/log/vmware/sso/websso.log

    [2020-03-18T17:20:02.958Z tomcat-http--11 vsphere.local        b9a75dd5-0ae6-4304-8dcf-885ac1a04bf2 INFO  com.vmware.identity.idm.server.IdentityManager] Authentication succeeded for user [USER@DOMAIN.EXAMPLE] in tenant [vsphere.local] in [131] milliseconds with provider [DOMAIN.EXAMPLE] of type [com.vmware.identity.idm.server.provider.activedirectory.ActiveDirectoryProvider]
  • journalctl -b (press / in the pager to search for the offending username)

    Example: [error] [USER]  [ ]  [1409351611]  [Cannot login USER@##.###.###.##]

The log entry above shows several pieces of information about the authentication attempt.

  • Whether the authentication succeeded or failed
  • The username
  • How long the authentication attempt took
  • The domain the user belongs to

Defining an upper limit for these attempts is difficult because it depends on the round-trip latency between the Likewise service on the VCSA and the domain controllers. Several logins per minute from a single source indicates that the solution or product is not reusing its session (for example, authenticating on every API call instead of once per session).

Excessive logins must be addressed at their source, usually with a patch or workaround.
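As an added example (not part of the original article), the following bash/awk script answers the questions above directly from websso.log: how many attempts each user made per minute, how many failed, and how long the slowest attempt took. The log lines it parses are constructed in the layout of the websso.log entry quoted above; the exact wording of a failed-authentication line, the user names, timestamps and the per-minute threshold are assumptions.

```shell
#!/bin/bash
# Added example: per-user login rate and latency from vCenter websso.log.
# On a real VCSA the input is /var/log/vmware/sso/websso.log.

# Writes constructed sample lines (same layout as the KB's IdentityManager entry)
# to the file given as $1. The "failed" line format is an assumption.
make_sample_log() {
    local f="$1"
    emit() {  # emit <timestamp> <succeeded|failed> <user> <milliseconds>
        printf '[%s tomcat-http--11 vsphere.local 00000000-0000-0000-0000-000000000000 INFO  com.vmware.identity.idm.server.IdentityManager] Authentication %s for user [%s] in tenant [vsphere.local] in [%s] milliseconds with provider [DOMAIN.EXAMPLE] of type [com.vmware.identity.idm.server.provider.activedirectory.ActiveDirectoryProvider]\n' "$1" "$2" "$3" "$4"
    }
    {
        emit 2020-03-18T17:20:02.958Z succeeded alice@DOMAIN.EXAMPLE 131
        emit 2020-03-18T17:20:10.101Z succeeded svc-backup@DOMAIN.EXAMPLE 140
        emit 2020-03-18T17:20:25.433Z succeeded svc-backup@DOMAIN.EXAMPLE 152
        emit 2020-03-18T17:20:40.009Z succeeded svc-backup@DOMAIN.EXAMPLE 980
        emit 2020-03-18T17:20:55.777Z succeeded svc-backup@DOMAIN.EXAMPLE 5020
        emit 2020-03-18T17:21:12.000Z succeeded svc-backup@DOMAIN.EXAMPLE 4100
        emit 2020-03-18T17:22:03.210Z failed    alice@DOMAIN.EXAMPLE 95
    } > "$f"
}

# auth_rate <logfile> [threshold_per_minute]
# Prints one line per user: total attempts, failures, peak attempts in any
# single minute, slowest attempt in ms, and EXCESSIVE if the peak reaches the
# threshold (default 10, an assumed value; tune it to your DC latency).
auth_rate() {
    local logfile="$1" threshold="${2:-10}"
    awk -v thr="$threshold" '
        /Authentication (succeeded|failed) for user \[/ {
            ts = substr($1, 2, 16)                  # "2020-03-18T17:20" = one-minute bucket
            result = ($0 ~ /Authentication succeeded/) ? "ok" : "fail"
            match($0, /for user \[[^]]+\]/)         # "for user [" is 10 chars, "]" is 1
            user = substr($0, RSTART + 10, RLENGTH - 11)
            ms = 0
            if (match($0, /in \[[0-9]+\] milliseconds/))   # "in [" is 4, "] milliseconds" is 14
                ms = substr($0, RSTART + 4, RLENGTH - 18) + 0
            per_min[user SUBSEP ts]++
            total[user]++
            if (result == "fail") fails[user]++
            if (ms > slow_ms[user] + 0) slow_ms[user] = ms
        }
        END {
            for (key in per_min) {                  # peak attempts per minute for each user
                split(key, p, SUBSEP)
                if (per_min[key] > peak[p[1]] + 0) peak[p[1]] = per_min[key]
            }
            for (u in total)
                printf "%s total=%d fails=%d peak_per_min=%d slowest_ms=%d %s\n",
                       u, total[u], fails[u] + 0, peak[u] + 0, slow_ms[u] + 0,
                       (peak[u] + 0 >= thr) ? "EXCESSIVE" : "ok"
        }' "$logfile" | sort
}

# Stand-alone run against the constructed sample with a threshold of 3/minute.
sample=$(mktemp)
make_sample_log "$sample"
auth_rate "$sample" 3
rm -f "$sample"
```

Against the real appliance run `auth_rate /var/log/vmware/sso/websso.log 10`; a user whose peak_per_min is high while slowest_ms keeps climbing is the source that needs fixing. The same function can be pointed at vmware-identity-sts.log if its entries use the same IdentityManager line format.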

Problems Communicating with Active Directory

Problems communicating with domain controllers in trusted or child domains are a known cause of AD authentication problems. Failed queries to these domains can build up and eventually cause Likewise to crash. The following error indicates that a trusted domain is not responding.

  • vCenter - /var/log/vmware/messages

    Detected domain 'domain.example' offline. Some group information from this domain might be missing

AD communication issues may also be related to DNS. vCenter requires working forward and reverse DNS resolution for every domain controller it communicates with, including those in trusted and child domains.

Even without excessive logins, Likewise can become overwhelmed when there is high latency between vCenter and Active Directory. In high-latency environments authentication requests queue up in Likewise and eventually time out and fail.

vCenter Appliance is Running Low on Resources

If the vCenter Appliance is under-sized for its environmental load, it can cause authentication to fail among other issues.

Netlogond Crashes

The netlogon daemon (netlogond) is responsible for locating and communicating with the domain controllers. A known issue with netlogond crashes has been resolved in vCenter Server 6.7 Update 3.
When netlogond crashes and is restarted by the Likewise service manager (lwsmd), entries similar to the following are logged.

  • vCenter - /var/log/vmware/messages

    lwsmd: Restarting dead service: netlogon (attempt 1/2)
    lwsmd: Service died: netlogon (restarted 2 times in 12 seconds)
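As an added example (not the article's own tooling), this bash/awk script triages /var/log/vmware/messages for the symptoms described in the two sections above: SRV lookup failures and offline domains per domain, RPC OpenPolicy failures per searched host, and netlogon restarts. Seeing them side by side tells a domain-reachability problem apart from the netlogond bug before deciding to upgrade. The log excerpt is constructed; the syslog prefix layout, host names and domain names are assumptions, only the message text follows what the article quotes.

```shell
#!/bin/bash
# Added example: fault triage of /var/log/vmware/messages for Likewise/AD issues.

# Constructed excerpt. Only the message text matches the KB; the
# "<timestamp> vcsa <daemon>:" prefix is an assumed syslog layout.
make_sample_messages() {
    cat > "$1" <<'EOF'
2020-03-18T17:20:30Z vcsa lsassd: DNS lookup for '_ldap._tcp.dc._msdcs.child.domain.example' failed with errno 110 (Connection timed out)
2020-03-18T17:20:31Z vcsa lsassd: Detected domain 'child.domain.example' offline. Some group information from this domain might be missing
2020-03-18T17:20:45Z vcsa lsassd: DNS lookup for '_ldap._tcp.dc._msdcs.child.domain.example' failed with errno 110 (Connection timed out)
2020-03-18T17:21:02Z vcsa lsassd: Failed to find user, group, or domain by name (name = 'alice', searched host = 'dc1.domain.example') -> error = 40098, symbol = LW_ERROR_RPC_OPENPOLICY_FAILED
2020-03-18T17:21:10Z vcsa lwsmd: Restarting dead service: netlogon (attempt 1/2)
2020-03-18T17:21:22Z vcsa lwsmd: Service died: netlogon (restarted 2 times in 12 seconds)
EOF
}

# triage_messages <logfile>
# Prints per-domain / per-host counts for each symptom plus a verdict line.
triage_messages() {
    local logfile="$1"
    # q carries a single quote into awk; the message fields are quoted with it.
    awk -v q="'" '
        /DNS lookup for .*_msdcs\./ {
            match($0, "_msdcs\\.[^" q "]+")               # "_msdcs." is 7 chars
            d = substr($0, RSTART + 7, RLENGTH - 7)
            dns[d]++; nfault++
        }
        /Detected domain .* offline/ {
            match($0, "domain " q "[^" q "]+" q)          # "domain " plus quote is 8 chars
            d = substr($0, RSTART + 8, RLENGTH - 9)
            offline[d]++; nfault++
        }
        /LW_ERROR_RPC_OPENPOLICY_FAILED/ {
            match($0, "searched host = " q "[^" q "]+" q) # "searched host = " plus quote is 17
            h = substr($0, RSTART + 17, RLENGTH - 18)
            openpolicy[h]++
        }
        /Restarting dead service: netlogon/ { restarts++ }
        /Service died: netlogon/           { died++ }
        END {
            for (d in dns)        printf "dns_srv_failure %s %d\n", d, dns[d]
            for (d in offline)    printf "domain_offline %s %d\n", d, offline[d]
            for (h in openpolicy) printf "rpc_openpolicy_failed %s %d\n", h, openpolicy[h]
            printf "netlogon_restarts %d\n", restarts + 0
            printf "netlogon_died %d\n", died + 0
            if (restarts + died > 0 && nfault > 0)
                print "verdict: domain DNS/connectivity failures logged alongside netlogon restarts; fix reachability of the listed domains before blaming the netlogond bug"
            else if (restarts + died > 0)
                print "verdict: netlogon restarts without domain failures; on releases before 6.7 U3 suspect the known netlogond crash"
            else
                print "verdict: no Likewise faults found in this log"
        }' "$logfile"
}

# Stand-alone run against the constructed sample.
sample=$(mktemp)
make_sample_messages "$sample"
triage_messages "$sample"
rm -f "$sample"
```

For every domain the script lists, confirm from the VCSA shell that `dig SRV _ldap._tcp.dc._msdcs.<domain>` returns domain controllers and that `dig -x <dc-ip>` resolves back to the DC name; a domain that fails either check is what Likewise is timing out on, and no appliance upgrade will fix that.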

Workaround

Creating and using an SSO domain (for example vsphere.local) service account for products or solutions that authenticate to vCenter can alleviate some of the performance impact, because those logins no longer go through Active Directory at all. See Managing vCenter Single Sign-On Users and Groups for more information.

Configuring vCenter Server to use Active Directory over LDAPS as an identity source (instead of Integrated Windows Authentication) also helps with excessive logins and Likewise-related delays, because the LDAP identity source is queried directly by the SSO service and does not depend on Likewise. See Active Directory LDAP Server and OpenLDAP Server Identity Source Settings for more information.