Single Sign-On fails to authenticate users and returns LDAP error: ReferralLdapException
Article ID: 344042

Products

VMware vCenter Server

Issue/Introduction

Symptoms:

  • Users who are members of a group that resides in a different domain than the user's own cannot sign in
  • In the vmware-sts-idmd.log file, you see entries similar to:

    <YYYY-MM-DD>T<time>,843 WARN [LdapErrorChecker] Error received by LDAP client: com.vmware.identity.interop.ldap.LinuxLdapClientLibrary, error code: 10
    <YYYY-MM-DD>T<time>,844 ERROR [LinuxLdapClientLibrary] Exception when calling ldap_search_s: base=CN=<customers base dn>, scope=0, filter=(objectClass=group), attrs=[Ljava.lang.String;@463c5a19, attrsonly=0
    com.vmware.identity.interop.ldap.ReferralLdapException: Referral LDAP error [code: 10]
    ...
    <YYYY-MM-DD>T<time>,846 ERROR [IdentityManager] Failed to get attributes for principal [<user@domain>] in tenant [vsphere.local]
    <YYYY-MM-DD>T<time>,846 ERROR [ServerUtils] Exception 'com.vmware.identity.interop.ldap.ReferralLdapException: Referral LDAP error [code: 10]'
    com.vmware.identity.interop.ldap.ReferralLdapException: Referral LDAP error [code: 10]


  • Single Sign-On is configured with an Identity Source using Active Directory as an LDAP Server
  • The authenticating user is a member of at least one group which is part of a different domain than the one the user is based in

Environment

VMware vCenter Server Appliance 5.5.x
VMware vCenter Server 5.5.x

Cause

When a requested object exists in the LDAP directory but is not held by the domain controller that was contacted, that domain controller answers with a referral pointing the client at the domain controller expected to hold the requested information. vCenter Single Sign-On does not currently follow LDAP referrals, so the group lookup fails with the error shown above and the authentication fails.

Resolution

To resolve this issue, use one of these options:

  • Configure the Single Sign-On Identity Source to use Active Directory (Integrated Windows Authentication) instead of Active Directory as an LDAP Server. This allows Single Sign-On to communicate directly with the Active Directory Primary Domain Controller (PDC) to authenticate all necessary users.
  • Change the Identity Source to communicate with a Global Catalog Domain Controller, which contains all authenticating user objects. This requires changing the Identity Source Server URL to point to the Global Catalog port (3268 or 3269 for SSL) on an appropriately configured domain controller.
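The following triage helper is an added example and not part of this article or of the vCenter product; it pairs each "Referral LDAP error [code: 10]" in vmware-sts-idmd.log with the principal failure that follows it (so referral-caused failures can be separated from other lookup failures), extracts the referred domain from the group's base DN, and rewrites an Identity Source URL onto the Global Catalog port described in the Resolution. The log lines, example.com domains and user names are constructed for the example.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Regexes for the three line shapes quoted from vmware-sts-idmd.log in this article.
SEARCH_RE = re.compile(r"ldap_search_s: base=(?P<base>.+?), scope=")
REFERRAL_RE = re.compile(r"ReferralLdapException: Referral LDAP error \[code: 10\]")
PRINCIPAL_RE = re.compile(r"principal \[(?P<upn>[^\]]+)\] in tenant \[(?P<tenant>[^\]]+)\]")

# Constructed sample log (example.com domains, fictitious users) modelled on the excerpt.
SAMPLE_LOG = """\
2024-01-15T10:22:01,843 WARN [LdapErrorChecker] Error received by LDAP client: com.vmware.identity.interop.ldap.LinuxLdapClientLibrary, error code: 10
2024-01-15T10:22:01,844 ERROR [LinuxLdapClientLibrary] Exception when calling ldap_search_s: base=CN=VC-Admins,OU=Groups,DC=child,DC=example,DC=com, scope=0, filter=(objectClass=group), attrs=[Ljava.lang.String;@463c5a19, attrsonly=0
com.vmware.identity.interop.ldap.ReferralLdapException: Referral LDAP error [code: 10]
2024-01-15T10:22:01,846 ERROR [IdentityManager] Failed to get attributes for principal [jdoe@example.com] in tenant [vsphere.local]
2024-01-15T10:25:13,100 ERROR [LinuxLdapClientLibrary] Exception when calling ldap_search_s: base=CN=Ops,OU=Groups,DC=corp,DC=example,DC=com, scope=0, filter=(objectClass=group), attrs=[Ljava.lang.String;@1a2b3c4d, attrsonly=0
com.vmware.identity.interop.ldap.ReferralLdapException: Referral LDAP error [code: 10]
2024-01-15T10:25:13,102 ERROR [IdentityManager] Failed to get attributes for principal [asmith@example.com] in tenant [vsphere.local]
2024-01-15T10:30:00,000 ERROR [IdentityManager] Failed to get attributes for principal [bob@example.com] in tenant [vsphere.local]
"""

def domain_of_dn(dn):
    """DNS domain spelled out by the DC= components of an LDAP DN."""
    return ".".join(re.findall(r"DC=([^,]+)", dn, re.IGNORECASE)).lower()

def triage(log_text):
    """Pair each 'Referral LDAP error [code: 10]' with the principal failure that follows it.
    Returns (referral_failures, other_failures): (principal, referred_domain, base_dn) tuples
    for failures caused by a referral, and principals whose failure had another cause."""
    referral_failures, other_failures = [], []
    last_base, pending = None, None   # pending: base DN of a referral error not yet paired
    for line in log_text.splitlines():
        if m := SEARCH_RE.search(line):
            last_base = m["base"]
        elif REFERRAL_RE.search(line):
            pending = last_base or ""    # error code 10 belongs to the preceding search
        elif m := PRINCIPAL_RE.search(line):
            principal = f"{m['upn']} in {m['tenant']}"
            if pending is not None:
                referral_failures.append((principal, domain_of_dn(pending), pending))
                pending = None
            else:
                other_failures.append(principal)
    return referral_failures, other_failures

def global_catalog_url(identity_source_url):
    """Rewrite an identity source URL onto the Global Catalog port (3268; 3269 for ldaps)."""
    parts = urlsplit(identity_source_url)
    port = 3269 if parts.scheme == "ldaps" else 3268
    return urlunsplit((parts.scheme, f"{parts.hostname}:{port}", parts.path, parts.query, parts.fragment))
```

The referred domains reported by triage() tell you which domains the Global Catalog must cover before you repoint the Identity Source with global_catalog_url().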