Unable to log in to the vCenter server using AD credentials.
Article ID: 374200

Updated On: 07-09-2025

Products

  • VMware vCenter Server
  • VMware vCenter Server 7.0
  • VMware vCenter Server 8.0

Issue/Introduction

Symptoms -

  • We are encountering an "Invalid credentials" error when attempting to log in to the vCenter server using AD credentials, despite being able to log in successfully with the Administrator@vsphere.local user.

Environment

  • VMware vCenter Server 7.0 
  • VMware vCenter Server 8.0 

Cause

  • The certificate for the Microsoft Active Directory domain configured on the vCenter server has expired. Reviewing the websso.log shows the following error -

Cannot bind the domain URL

  • The websso.log entries (located under /var/log/vmware/sso) display the following
    YYYY-MM-DDThh:mm:ssZ WARN websso[83:tomcat-http--45] [CorId=c7b29996-d8f9-4216-9709-f9ff15xxxxxx] [com.vmware.identity.idm.server.ServerUtils] cannot bind connection: [ldaps://xxxx-xxxxx:636, xxxxxxx@example.com]
    YYYY-MM-DDThh:mm:ssZ ERROR websso[83:tomcat-http--45] [CorId=c7b29996-d8f9-4216-9709-f9ff15xxxxx] [com.vmware.identity.idm.server.ServerUtils] cannot establish ldap connection with URI: [ldaps://example.com:636] because [com.vmware.identity.interop.ldap.ServerDownLdapException] with reason [Can't contact LDAP server] therefore will try to attempt to use secondary URIs, if applicable
    YYYY-MM-DDThh:mm:ssZ ERROR websso[83:tomcat-http--45] [CorId=c7b29996-d8f9-4216-9709-f9ff15xxxxx] [com.vmware.identity.idm.server.provider.BaseLdapProvider] com.vmware.identity.interop.ldap.ServerDownLdapException: Can't contact LDAP server\nLDAP error [code: -1]
    YYYY-MM-DDThh:mm:ssZ ERROR websso[83:tomcat-http--45] [CorId=c7b29996-d8f9-4216-9709-f9ff1xxxxxx] [com.vmware.identity.interop.ldap.OpenLdapClientLibrary] Certificate expired at [MM DD hh:mm:ss GMT YYYY ]
  • The Active Directory (AD) certificate expired on the date indicated in the logs.

Resolution

  • Delete the existing configuration of the Identity provider for LDAPS.
    • Home menu → select Administration → under Single Sign-On → click Configuration → select Identity source → Delete.
  • The certificate for the specific domain can be retrieved from the vCenter server using the following command -
    • openssl s_client -connect <domain FQDN>:636 (or <domain FQDN>:3269)
  • Use port 636 for LDAP over SSL or port 3269 for the Global Catalog, depending on your environment's configuration.
  • Add the identity provider again on the vCenter server; see Configuring a vCenter Single Sign-On Identity Source using LDAP with SSL (LDAPS).
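The triage the article describes (spotting the expired-certificate bind failure in websso.log, then pulling the domain controller's certificate with openssl s_client and checking its validity) as an added shell example; it is not part of the KB or of VMware's tooling. The host dc01.example.com, the account svc_vcenter and the sample log lines are constructed for illustration.

```sh
# Added example, not part of the KB: triage helper for this failure mode.
#   websso_expired_cert LOGFILE  -> finds the LDAPS bind failures and the
#                                   "Certificate expired at" stamp in websso.log
#   ldaps_cert_check HOST [PORT] -> pulls the DC certificate with the KB's
#                                   openssl s_client command and checks expiry
# On the appliance websso.log sits under /var/log/vmware/sso.

# Exit 0 when no expired-certificate failure is logged, 1 when one is.
websso_expired_cert() {
    log="$1"
    uris=$(grep -o 'cannot establish ldap connection with URI: \[[^]]*\]' "$log" \
           | sed 's/.*\[\(.*\)\]/\1/' | sort -u | tr '\n' ' ')
    expired=$(grep -o 'Certificate expired at \[[^]]*\]' "$log" \
           | sed 's/.*\[\(.*\)\]/\1/; s/ *$//' | sort -u)
    [ -z "$expired" ] && return 0
    printf 'LDAPS URI(s) failing bind: %s\n' "$uris"
    printf 'DC certificate expired at: %s\n' "$expired"
    return 1
}

# Port 636 = LDAP over SSL, 3269 = Global Catalog over SSL. Returns 1 if the
# certificate is expired or expires within WARN_DAYS (default 30), 2 if the
# DC sent no certificate at all.
ldaps_cert_check() {
    host="$1"; port="${2:-636}"; warn_days="${3:-30}"
    pem=$(openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
          | openssl x509 2>/dev/null) || { echo "no certificate from $host:$port"; return 2; }
    printf '%s\n' "$pem" | openssl x509 -noout -subject -enddate
    printf '%s\n' "$pem" | openssl x509 -noout -checkend $((warn_days * 86400)) >/dev/null \
        || { echo "$host:$port: certificate expired or expires within $warn_days days"; return 1; }
}

# Constructed sample in the websso.log format the KB quotes (not a real log).
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
2025-01-20T09:15:02Z WARN websso[83:tomcat-http--45] [CorId=c7b29996-d8f9-4216-9709-f9ff15000000] [com.vmware.identity.idm.server.ServerUtils] cannot bind connection: [ldaps://dc01.example.com:636, svc_vcenter@example.com]
2025-01-20T09:15:02Z ERROR websso[83:tomcat-http--45] [CorId=c7b29996-d8f9-4216-9709-f9ff15000000] [com.vmware.identity.idm.server.ServerUtils] cannot establish ldap connection with URI: [ldaps://dc01.example.com:636] because [com.vmware.identity.interop.ldap.ServerDownLdapException] with reason [Can't contact LDAP server] therefore will try to attempt to use secondary URIs, if applicable
2025-01-20T09:15:02Z ERROR websso[83:tomcat-http--45] [CorId=c7b29996-d8f9-4216-9709-f9ff15000000] [com.vmware.identity.interop.ldap.OpenLdapClientLibrary] Certificate expired at [Jan 15 10:22:33 GMT 2025 ]
EOF

# Usage on a live appliance (commented out; needs network reach to the DC):
#   websso_expired_cert /var/log/vmware/sso/websso.log
#   ldaps_cert_check dc01.example.com 636
```

Running ldaps_cert_check against both 636 and 3269 before re-adding the identity source confirms the renewed certificate is the one actually served on the port the identity source will use.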