Symptoms:
Logging into vCenter Server with domain credentials fails with an 'Invalid credentials' error, while local authentication with the SSO administrator account succeeds.
When logged into vCenter as the SSO administrator, navigating to Menu > Administration > Users and Groups shows the error: "A vCenter Single Sign-On service error occurred."
The following messages are observed in /var/log/vmware/sso/websso.log:
YYYY-MM-DDThh:mm:ssZ WARN websso[83:tomcat-http--45] [CorId=########-####-####-####-############] [com.vmware.identity.idm.server.ServerUtils] cannot bind connection: [ldaps://DC_name:636, #######@example.com]
YYYY-MM-DDThh:mm:ssZ ERROR websso[83:tomcat-http--45] [CorId=########-####-####-####-############] [com.vmware.identity.idm.server.ServerUtils] cannot establish ldap connection with URI: [ldaps://DC_name:636] because [com.vmware.identity.interop.ldap.ServerDownLdapException] with reason [Can't contact LDAP server] therefore will try to attempt to use secondary URIs, if applicable
YYYY-MM-DDThh:mm:ssZ ERROR websso[83:tomcat-http--45] [CorId=########-####-####-####-############] [com.vmware.identity.idm.server.provider.BaseLdapProvider] com.vmware.identity.interop.ldap.ServerDownLdapException: Can't contact LDAP server
LDAP error [code: -1]
YYYY-MM-DDThh:mm:ssZ ERROR websso[83:tomcat-http--45] [CorId=########-####-####-####-############] [com.vmware.identity.interop.ldap.OpenLdapClientLibrary] Certificate expired at [MM DD hh:mm:ss GMT YYYY ]
Environment:
VMware vCenter 7.x
VMware vCenter 8.x
Cause:
The vCenter Single Sign-On (SSO) service stores the SSL certificate of the LDAPS identity source and uses it to establish trust with the Domain Controller (DC). If the machine certificate on the DC expires or is renewed without updating the identity source configuration in vCenter, the stored certificate no longer matches the one the DC presents. The SSO service cannot validate the LDAPS connection, so authentication fails for every AD-integrated account.
Verification Steps:
The validity of the certificate currently in use can be verified with either of the following commands from the VCSA command line:
Check the validity of the certificate and verify the identity source configuration:
/opt/vmware/bin/sso-config.sh -get_identity_sources
Test the connection and view the certificate presented by the Domain Controller:
openssl s_client -connect <domain_controller_fqdn>:636 -showcerts
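The check above can be scripted so that every Domain Controller in the identity source is tested the same way. This is an added example, not part of the KB article: it pulls the leaf certificate from port 636, reports its notAfter date and SHA-256 fingerprint (to compare with the certificate registered in the identity source), and flags certificates that are expired or about to expire. The host names and the 30-day warning window are assumptions.

```shell
#!/bin/sh
# Added example (not part of the KB): check the certificate a Domain Controller
# presents on LDAPS (636) before re-creating the vCenter identity source.

# Save the leaf certificate presented by $1 on port 636 as PEM in file $2.
fetch_dc_cert() {
    openssl s_client -connect "$1:636" -servername "$1" -showcerts </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$2"
}

# Return 0 if the certificate in $1 is still valid $2 days from now, 1 if it
# is already expired or expires inside that window (-checkend takes seconds).
cert_valid_for_days() {
    openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null 2>&1
}

# SHA-256 fingerprint of the certificate in $1 (colon-separated hex).
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" | cut -d= -f2
}

# notAfter date of the certificate in $1.
cert_not_after() {
    openssl x509 -noout -enddate -in "$1" | cut -d= -f2
}

# Check one DC: $1 = DC FQDN, $2 = warning window in days.
# Exit status: 0 valid, 1 expired or expiring soon, 2 could not connect.
check_dc() {
    tmp=$(mktemp) || return 2
    if ! fetch_dc_cert "$1" "$tmp"; then
        echo "$1: could not retrieve a certificate on port 636"; rm -f "$tmp"; return 2
    fi
    printf '%s notAfter=%s sha256=%s\n' "$1" "$(cert_not_after "$tmp")" "$(cert_fingerprint "$tmp")"
    if ! cert_valid_for_days "$tmp" 0; then
        echo "$1: certificate EXPIRED - identity source must be re-created"; status=1
    elif ! cert_valid_for_days "$tmp" "$2"; then
        echo "$1: WARNING certificate expires within $2 days"; status=1
    else
        echo "$1: certificate valid"; status=0
    fi
    rm -f "$tmp"
    return $status
}

# Usage: sh check_dc_cert.sh dc01.example.com [dc02.example.com ...]
for dc in "$@"; do check_dc "$dc" 30; done
```

If the fingerprint printed here differs from the one in the certificate registered for the identity source, the DC certificate was renewed without updating vCenter, which is exactly the mismatch described above.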
Remediation Steps:
To resolve the issue, remove the existing identity provider configuration and re-create it using the new certificate chain.
Take a snapshot of the VCSA VM before making any changes.
If the vCenter is part of a Linked Mode replication setup, back up or snapshot all replicating nodes as well. See: VMware vCenter in Enhanced Linked Mode pre-changes snapshot (online or offline) best practice
If in a Linked Mode setup, perform these steps on only one vCenter server. The identity provider configuration will automatically replicate to the other linked nodes.
Take note of the existing identity provider configuration details, as they will be required during the recreation process.
Remove the existing identity provider configuration and re-create it using the new certificate chain: Configuring a vCenter Single Sign-On Identity Source using LDAP with SSL (LDAPS).
NOTE: Make sure the certificate file being used is a valid ".cer" or ".crt" file. The ".p7b" (PKCS#7) format is not valid for this use.