Configure Kerberos for a domain which is different from the vRealize Automation virtual appliance
Article ID: 325910


Products

VMware Aria Suite

Issue/Introduction

Symptoms:
  • After joining a vRealize Automation appliance to a domain whose name differs from the virtual appliance's own FQDN, creating an Active Directory over Integrated Windows Authentication (AD over IWA) directory and configuring it for Kerberos results in failed authentication.
  • A user opening the tenant portal login page is not signed in automatically and is prompted for a password instead.
  • Messages similar to the following appear in /var/log/vmware/horizon/connector.log:
    Kerberos authentication failed, falling back to NTLM authentication
  • Connectors may be missing from the tenant portal Directories Management > Connectors page.
Environment

VMware vRealize Automation 7.x

Cause

This issue is caused by a disjoint namespace: the DNS suffix of the appliance's FQDN does not match the DNS name of the Active Directory domain it is joined to, so the hostname the connector registered at join time no longer corresponds to the Kerberos realm.

Resolution

Currently there is no resolution for this issue. It can affect all versions of vRealize Automation 7.x with embedded VMware Identity Manager. See the workaround below for further information.

Workaround:
When an AD over IWA directory is first created, the connector is initialized and joined to the corresponding domain. If the FQDN of the vRA appliance is subsequently changed by a system name change, the connector's registered hostname no longer matches the appliance and failures are generated. The FQDN must be changed back to the original hostname.

If a disjoint namespace must be used, deploy external connectors that are not in a disjoint namespace (the connector hostname's DNS suffix matches the Active Directory domain realm) so that Kerberos does not fail for users logging in.
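The following check script is an added example and is not part of the KB article or of VMware's tooling. It tests whether an appliance or connector FQDN shares the AD domain's DNS suffix (the disjoint-namespace condition described above) and counts the Kerberos-to-NTLM fallback messages in a connector.log; the hostnames, domain names and log lines are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the VMware KB): detect a disjoint namespace between
# a host FQDN and the AD domain, and count Kerberos fallback messages in a log.

# Returns 0 when the DNS suffix of $1 (FQDN) matches the AD domain $2
# (case-insensitive); returns 1 when the host is in a disjoint namespace.
namespace_matches() {
  fqdn=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  domain=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  suffix=${fqdn#*.}             # drop the short hostname, keep the DNS suffix
  [ "$suffix" = "$domain" ]
}

# Prints the number of lines in log file $1 that carry the fallback message
# quoted in the Symptoms section. Exits 0 even when the count is zero.
count_kerberos_fallbacks() {
  grep -c 'Kerberos authentication failed, falling back to NTLM authentication' "$1" || true
}

# Writes a constructed connector.log excerpt to file $1 (sample data only).
write_sample_log() {
  printf '%s\n' \
    '2024-01-01 10:00:00 INFO  Connector started' \
    '2024-01-01 10:00:05 WARN  Kerberos authentication failed, falling back to NTLM authentication' \
    '2024-01-01 10:00:09 WARN  Kerberos authentication failed, falling back to NTLM authentication' \
    '2024-01-01 10:00:12 INFO  NTLM authentication succeeded' > "$1"
}

# Demonstration with constructed names: vra01.corp.example.com joined to the
# AD domain ad.example.com is a disjoint namespace; vra01.ad.example.com is not.
for host in vra01.corp.example.com vra01.ad.example.com; do
  if namespace_matches "$host" ad.example.com; then
    echo "$host: suffix matches AD domain ad.example.com (Kerberos expected to work)"
  else
    echo "$host: DISJOINT NAMESPACE relative to ad.example.com (see workaround)"
  fi
done

sample_log=$(mktemp)
write_sample_log "$sample_log"
echo "Kerberos fallbacks in sample log: $(count_kerberos_fallbacks "$sample_log")"
rm -f "$sample_log"
```

On a real appliance, run namespace_matches with the output of hostname -f and point count_kerberos_fallbacks at /var/log/vmware/horizon/connector.log.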

Additional Information

  • https://docs.vmware.com/en/VMware-Identity-Manager/services/vidm-dir-integration/GUID-0D2293FD-7634-40DD-A7ED-8F72401A3939.html
  • https://docs.vmware.com/en/VMware-Identity-Manager/services/vidm-dir-integration/GUID-D1EDAE90-FAC5-45E4-8BA4-41AEC29346D2.html