Login to vCenter Server or Single Sign-On fails for all Active Directory domain users with an error
Article ID: 335921

Products

VMware vCenter Server

Issue/Introduction

  • Attempts to log in to vCenter Server or Single Sign-On fail for all Active Directory domain users when the Active Directory services of any one of the domains configured as a Single Sign-On identity source are down. An error message similar to the following is displayed:
The authentication server returned an unexpected error: ns0:RequestFailed: Internal Error while creating SAML 2.0 Token. The error may be caused by a malfunctioning identity source.
  • You can identify the malfunctioning Active Directory domain controller by reviewing the imsTrace.log file, which is located by default in the C:\Program Files\VMware\Infrastructure\SSOServer\logs folder. In the log file, look for a line similar to:
javax.resource.spi.ResourceAdapterInternalException: Unable to create a managed connection 'ldap://<VC-name>:3268' with 'GSSAPI'
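The log line above is the one that names the unreachable identity source, so it is worth pulling out every such line rather than stopping at the first. The following Python script is an added example, not part of this article or of VMware's tooling: it scans imsTrace.log for the "Unable to create a managed connection" message, extracts the LDAP host, port and authentication mechanism, and ranks the hosts by how often the connection failed. The sample log lines embedded in it are constructed to match the message quoted above; the host names and the SIMPLE mechanism in them are assumptions, not values from the article.

```python
"""List the identity sources SSO could not reach, from imsTrace.log.

Added example; not VMware code. The sample lines below are constructed to
match the error the article quotes. Host names, ports other than 3268 and
the 'SIMPLE' mechanism are assumptions made for illustration.
Usage against a real file: python find_down_sources.py imsTrace.log
"""
import re
import sys
from collections import Counter
from typing import Iterable, List

# The quoted error: ...Unable to create a managed connection 'ldap://host:3268' with 'GSSAPI'
MANAGED_CONN_RE = re.compile(
    r"Unable to create a managed connection "
    r"'(?P<url>ldaps?://(?P<host>[^:'/]+):(?P<port>\d+))' with '(?P<mech>[^']+)'"
)

# Constructed sample log (not a real imsTrace.log). 3268/3269 are the
# Active Directory Global Catalog ports (plain and LDAPS).
SAMPLE_LOG = """\
2013-03-12 09:14:02,118 INFO  [ims] token request for CORP\\alice
2013-03-12 09:14:02,402 ERROR [ims] javax.resource.spi.ResourceAdapterInternalException: Unable to create a managed connection 'ldap://dc01.partner.example:3268' with 'GSSAPI'
2013-03-12 09:14:02,403 ERROR [ims] ns0:RequestFailed: Internal Error while creating SAML 2.0 Token
2013-03-12 09:15:11,007 ERROR [ims] javax.resource.spi.ResourceAdapterInternalException: Unable to create a managed connection 'ldap://dc01.partner.example:3268' with 'GSSAPI'
2013-03-12 09:16:45,550 ERROR [ims] javax.resource.spi.ResourceAdapterInternalException: Unable to create a managed connection 'ldaps://dc02.corp.example:3269' with 'SIMPLE'
"""


def failed_connections(lines: Iterable[str]) -> Counter:
    """Count failed managed-connection attempts per (host, port, mechanism)."""
    counts: Counter = Counter()
    for line in lines:
        m = MANAGED_CONN_RE.search(line)
        if m:
            counts[(m["host"], int(m["port"]), m["mech"])] += 1
    return counts


def suspect_hosts(lines: Iterable[str]) -> List[str]:
    """Distinct directory hosts SSO failed to connect to, most failures first."""
    by_host: Counter = Counter()
    for (host, _port, _mech), n in failed_connections(lines).items():
        by_host[host] += n
    return [host for host, _ in by_host.most_common()]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            log_lines = fh.read().splitlines()
    else:
        log_lines = SAMPLE_LOG.splitlines()
    for (host, port, mech), n in failed_connections(log_lines).most_common():
        print(f"{host}:{port} ({mech}): {n} failed connection(s)")
```

The host that comes out on top is the domain controller whose identity source should be checked first, or removed as described in the Resolution.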
 
If you see the error "A vCenter Single Sign-On service error occurred" while adding or creating an Active Directory over LDAP identity source, see the article "A vCenter Single Sign-On service error occurred", Unable to add or create an AD over LDAP Identity source with SSL protection enabled in vCenter Server 6.5/6.7.



Environment

VMware vCenter Server 5.1.x

Resolution

This issue occurs because a Single Sign-On token contains the complete list of the user's groups at the time the token is issued, and vCenter Server relies on that list being complete when it evaluates permissions. The vCenter permission model allows permissions to be assigned at multiple levels of the inventory hierarchy, and a permission defined on a child object overrides the permission inherited from its parent, so a group can be given fewer permissions on an inventory object than it has on the parent object. If a token were issued while one identity source is malfunctioning, the groups from that domain would be missing from the token; a user whose restrictive group membership is missing would then fall back to the broader permissions inherited from the parent object, which amounts to unauthorized access. Single Sign-On therefore fails closed and prevents all logons while any identity source is down.
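The following Python model is an added example, not VMware code, and is included to make the reasoning above concrete. It implements the two rules the paragraph relies on: a token carries the user's full group list at issue time, and a role assigned to a group on a child inventory object overrides the role that object would inherit from its parent. The domains (CORP, PARTNER), groups, roles and inventory names are constructed; the `fail_closed=False` path exists only to show the escalation that the real fail-closed behaviour prevents.

```python
"""Toy model of why SSO refuses all logins when one identity source is down.

Added example, not VMware code. Domains, users, groups, roles and inventory
objects are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional, Set

# Constructed roles: role name -> privileges it grants.
ROLE_PRIVS: Dict[str, Set[str]] = {
    "Administrator": {"read", "power", "configure", "delete"},
    "ReadOnly": {"read"},
}


@dataclass
class InvObject:
    """One node of the inventory tree with its group -> role assignments."""
    name: str
    parent: Optional["InvObject"] = None
    perms: Dict[str, str] = field(default_factory=dict)


class IdentitySourceDown(Exception):
    """Raised when a configured domain cannot be queried for group membership."""


# Constructed directory: domain -> user -> groups the user holds in that domain.
DIRECTORY: Dict[str, Dict[str, Set[str]]] = {
    "CORP": {"alice": {"CORP\\vsphere-admins"}},
    "PARTNER": {"alice": {"PARTNER\\contractors"}},
}


def issue_token_groups(user: str, domains_up: Iterable[str],
                       fail_closed: bool = True) -> Set[str]:
    """Collect the user's groups from every configured identity source.

    fail_closed=True is the behaviour the article describes: if any source is
    unreachable, no token is issued. fail_closed=False shows what a token built
    from only the reachable domains would contain.
    """
    up = set(domains_up)
    groups: Set[str] = set()
    for domain, users in DIRECTORY.items():
        if domain not in up:
            if fail_closed:
                raise IdentitySourceDown(f"identity source {domain} unavailable")
            continue  # silently drop this domain's groups
        groups |= users.get(user, set())
    return groups


def effective_privileges(obj: InvObject, groups: Set[str]) -> Set[str]:
    """Walk from obj toward the root. The first object that assigns a role to
    any of the user's groups decides; roles matched on that same object are
    unioned, and anything assigned higher up is overridden."""
    node: Optional[InvObject] = obj
    while node is not None:
        matched = [role for grp, role in node.perms.items() if grp in groups]
        if matched:
            privs: Set[str] = set()
            for role in matched:
                privs |= ROLE_PRIVS[role]
            return privs
        node = node.parent
    return set()


# Constructed inventory: vsphere-admins are Administrator at the datacenter,
# but the contractors group is pinned to ReadOnly on one sensitive VM below it.
DATACENTER = InvObject("Datacenter", perms={"CORP\\vsphere-admins": "Administrator"})
PROD_DB = InvObject("prod-db-vm", parent=DATACENTER,
                    perms={"PARTNER\\contractors": "ReadOnly"})


def privileges_with_all_domains_up() -> Set[str]:
    groups = issue_token_groups("alice", ["CORP", "PARTNER"])
    return effective_privileges(PROD_DB, groups)


def privileges_if_sso_failed_open() -> Set[str]:
    # PARTNER is down. A partial token lacks the restrictive contractors group,
    # so alice falls back to Administrator inherited from the datacenter.
    groups = issue_token_groups("alice", ["CORP"], fail_closed=False)
    return effective_privileges(PROD_DB, groups)


def login_with_domain_down() -> str:
    try:
        issue_token_groups("alice", ["CORP"])
        return "token issued"
    except IdentitySourceDown as exc:
        return f"login refused: {exc}"


if __name__ == "__main__":
    print("all domains up:       ", sorted(privileges_with_all_domains_up()))
    print("fail open, one down:  ", sorted(privileges_if_sso_failed_open()))
    print("fail closed, one down:", login_with_domain_down())
```

With both domains reachable, alice gets ReadOnly on prod-db-vm because the child-level assignment wins. If SSO issued a token from the reachable domain alone, the contractors group would be absent and she would inherit Administrator from the datacenter; refusing the login entirely is what closes that gap.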

To work around this issue:

  1. Log in to the vSphere Web Client as an SSO administrator. By default, this is admin@System-Domain.
  2. Click Administration > Sign-On and Discovery > Configuration > Identity Sources.
  3. From the list of identity sources, remove the identity source whose services are unavailable.
  4. Verify that users from the remaining domains are able to log in to vCenter Server and vCenter Single Sign-On.

Note: You must add the identity source again manually once its domain is available.

Removing the identity source may also cause permissions assigned to its users and groups to be removed by the daily permission validation check. To ensure that permissions for users and groups from the removed identity source are kept while it is absent:

  1. Navigate to vCenter Server in the Web Client.
  2. Click Manage > Settings > General.
  3. Click Edit.
  4. Click User Directory.
  5. Uncheck Enable Validation.
  6. Click OK.

Once the identity source has been added again, re-enable validation so that stale permissions are cleaned up as before.
