Attempting to login to vIDM with Active Directory users fails with "Error Call to Directory Service Failed"
Article ID: 369607

Products

VMware Aria Suite

Issue/Introduction

  • Unable to log in to applications such as Aria Automation, NSX, Aria Operations, etc. with Active Directory users.
  • The login screen prompts "ERROR call to Directory Service Failed".
  • The local vIDM admin account(s) can still successfully authenticate to vIDM.
  • Test Connection to AD fails from vIDM.
  • Directory Sync fails with Error 'Response from connector: Failed to complete dry run'
  • /opt/vmware/horizon/workspace/logs/connector-dir-sync.log will report the following error:
    Caused by: com.vmware.horizon.directory.DirectoryServiceException: Problem connecting to directory.
    ..
    Caused by: com.vmware.horizon.directory.ldap.exceptions.DirectoryConnectionException: Could not connect to the Domain Controller.
    ..
    Caused by: javax.naming.CommunicationException: simple bind failed: ####.####.####.####:####
    ..
    Caused by: javax.net.ssl.SSLHandshakeException
    ..
    Caused by: java.security.cert.CertificateException
    
    or
    com.vmware.horizon.directory.ldap.dc.service.DirectoryConnectService - AD connection failed for <domain-controller>:<port>
    com.vmware.horizon.directory.ldap.exceptions.DirectoryConnectionException: Could not connect to the Domain Controller.
    ..
    Caused by: javax.naming.CommunicationException: <domain-controller>:<port>
            at com.sun.jndi.ldap.Connection.<init>(Connection.java:233) ~[?:1.8.0_292]
    ..
    Caused by: java.net.ConnectException: Connection timed out (Connection timed out)
            at java.net.PlainSocketImpl.socketConnect(Native Method) ~[?:1.8.0_292]

Environment

VMware Identity Manager 3.3.x

Cause

This issue can occur for several reasons:
- Recent changes to the Active Directory certificates
- A change in the bind user credentials, or an expired bind user password
- An incorrect Base DN used for the AD integration
- Network isolation of the Active Directory Domain Controller servers

Resolution

  1. On Identity & Access Management > Directories in the vIDM Administration Console, select the directory, validate the Base DN, Bind DN and bind user credentials, and save the configuration.
  2. Test connectivity to the Active Directory Domain Controllers from the vIDM appliance using tools such as openssl or telnet. If the connection test fails, contact the local network team to troubleshoot. The following command can be used to check connectivity to a domain controller from vIDM:
    curl -v telnet://<domain-controller-ip>:<domain-controller-port>
    Depending on the configuration, the domain-controller port can be any of the following:
    Standard LDAP : 389
    LDAPS : 636
    Global Catalog (LDAP) : 3268
    Global Catalog (LDAPS) : 3269
  3. If connector-dir-sync.log contains the message Could not connect to the Domain Controller followed by javax.net.ssl.SSLHandshakeException, update the Active Directory root certificate in vIDM by following KB 388265.
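The log excerpts in the Issue section map onto these three steps, and the following Python script is an added example (not VMware's code) that walks the "Caused by:" chain in connector-dir-sync.log and reports which step applies. The log text embedded in it is constructed in the format shown above; the host name dc01.example.test is a placeholder.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample in the format connector-dir-sync.log uses; host name is a placeholder.
SAMPLE_LOG = """\
com.vmware.horizon.directory.ldap.dc.service.DirectoryConnectService - AD connection failed for dc01.example.test:636
com.vmware.horizon.directory.ldap.exceptions.DirectoryConnectionException: Could not connect to the Domain Controller.
Caused by: javax.naming.CommunicationException: simple bind failed: dc01.example.test:636
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed
Caused by: java.security.cert.CertificateException: No trusted certificate found
"""

CAUSED_BY = re.compile(r"^Caused by:\s*([\w.$]+)")
TARGET = re.compile(r"AD connection failed for (\S+)")
CONNECT_MSG = "Could not connect to the Domain Controller"

# Root-cause exception class -> (resolution step in this article, advice).
RULES = {
    "javax.net.ssl.SSLHandshakeException": (3, "TLS handshake with the DC failed: update the AD root certificate in vIDM (KB 388265)"),
    "java.security.cert.CertificateException": (3, "DC certificate not trusted: update the AD root certificate in vIDM (KB 388265)"),
    "java.net.ConnectException": (2, "TCP connection to the DC failed: check the network path (curl -v telnet://<dc>:<port>)"),
}
DEFAULT = (1, "No network or TLS cause in the chain: validate Base DN, Bind DN and bind credentials")


def exception_chain(log_text: str) -> List[str]:
    """Fully qualified exception classes from the 'Caused by:' lines, outermost first."""
    chain = []
    for line in log_text.splitlines():
        m = CAUSED_BY.match(line.strip())
        if m:
            chain.append(m.group(1))
    return chain


def failed_target(log_text: str) -> Optional[str]:
    """host:port the connector reported, if the 'AD connection failed for' line is present."""
    m = TARGET.search(log_text)
    return m.group(1) if m else None


def triage(log_text: str) -> Tuple[int, str]:
    """Walk the chain from the innermost (root) cause outward; the first known class decides the step."""
    for exc in reversed(exception_chain(log_text)):
        if exc in RULES:
            step, advice = RULES[exc]
            if step == 3 and CONNECT_MSG not in log_text:  # the article ties step 3 to this message
                continue
            return step, advice
    return DEFAULT
```

Run it against a copy of the log pulled from the appliance; `failed_target()` tells you which DC and port the connector was using, and `triage()` returns the step to start with.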