Cannot login to vCenter server using AD credentials
Article ID: 374200

Products

VMware vCenter Server, VMware vCenter Server 7.0, VMware vCenter Server 8.0

Issue/Introduction

We get "Invalid credentials" when we try to log in to vCenter Server using AD credentials, although we can log in using the [email protected] user.

Environment

vCenter server 7.0 

vCenter server 8.0 

Cause

The certificate that the vCenter server holds for the Microsoft Active Directory domain (the LDAPS identity source) has expired. Checking websso.log shows the following errors.

// Cannot bind the domain URL

2024-08-05T17:31:36.949Z WARN websso[83:tomcat-http--45] [CorId=c7b29996-d8f9-4216-9709-f9ff1588e77c] [com.vmware.identity.idm.server.ServerUtils] cannot bind connection: [ldaps://xxxx-xxxxx:636, xxxxxxx@abc.cn]

2024-08-05T17:31:36.949Z ERROR websso[83:tomcat-http--45] [CorId=c7b29996-d8f9-4216-9709-f9ff1588e77c] [com.vmware.identity.idm.server.ServerUtils] cannot establish ldap connection with URI: [ldaps://xyz.cn:636] because [com.vmware.identity.interop.ldap.ServerDownLdapException] with reason [Can't contact LDAP server] therefore will try to attempt to use secondary URIs, if applicable
2024-08-05T17:31:36.949Z ERROR websso[83:tomcat-http--45] [CorId=c7b29996-d8f9-4216-9709-f9ff1588e77c] [com.vmware.identity.idm.server.provider.BaseLdapProvider] com.vmware.identity.interop.ldap.ServerDownLdapException: Can't contact LDAP server\nLDAP error [code: -1]

2024-08-05T17:31:36.953Z ERROR websso[83:tomcat-http--45] [CorId=c7b29996-d8f9-4216-9709-f9ff1588e77c] [com.vmware.identity.interop.ldap.OpenLdapClientLibrary] Certificate expired at [Wed Jul 17 14:32:54 GMT 2024

The certificate for the AD domain expired on July 17th. The current certificate must be uploaded to the vCenter server when configuring the identity provider with the primary and secondary URLs; until then every LDAPS bind to the domain fails and AD users cannot log in.

Resolution

>> Fetch the LDAPS certificate for the domain from the vCenter server with the following command; -showcerts prints the whole chain the domain controller presents. Use port 3269 instead of 636 if the identity source points at the Global Catalog over LDAPS.

openssl s_client -connect <domain FQDN>:636 -showcerts

>> Alternatively, ask the end user to obtain the entire certificate chain from the Microsoft domain and upload it on the vCenter server: Administration > Users and Groups > Configuration > Identity Provider > select the domain and upload the certificate.
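As an added example that is not part of this KB, the following POSIX shell script pulls the chain a domain controller presents on its LDAPS port with openssl s_client -showcerts and reports which certificate in it has expired (or will expire within a chosen window), so the condition seen in websso.log can be confirmed before re-uploading the chain in vCenter. The DC host name and port are placeholders and openssl is assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the KB): confirm the expired-LDAPS-certificate
# condition reported in websso.log by fetching the chain a domain controller
# presents and checking each certificate's validity with openssl.
# Assumptions: openssl is installed; DC host and port are placeholders.

# Fetch the PEM chain presented on the LDAPS port (636, or 3269 for the
# Global Catalog) and print only the certificate blocks.
fetch_ldaps_chain() {
  host="$1"; port="${2:-636}"
  openssl s_client -connect "$host:$port" -showcerts </dev/null 2>/dev/null \
    | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# Check every certificate in a PEM bundle. Returns 1 if any certificate has
# expired or will expire within the given window (seconds, default 0 = now).
check_chain_expiry() {
  pem="$1"; window="${2:-0}"; status=0
  tmpdir=$(mktemp -d)
  # Split the bundle into one file per certificate (cert1.pem, cert2.pem, ...).
  awk -v dir="$tmpdir" \
    '/BEGIN CERTIFICATE/ {n++}; n>0 {print > (dir "/cert" n ".pem")}' "$pem"
  for c in "$tmpdir"/cert*.pem; do
    [ -f "$c" ] || continue
    subject=$(openssl x509 -in "$c" -noout -subject)
    enddate=$(openssl x509 -in "$c" -noout -enddate)
    # -checkend exits non-zero when the cert expires within $window seconds.
    if openssl x509 -in "$c" -noout -checkend "$window" >/dev/null; then
      echo "OK   $subject ($enddate)"
    else
      echo "FAIL expired or expiring within ${window}s: $subject ($enddate)"
      status=1
    fi
  done
  rm -rf "$tmpdir"
  return "$status"
}

# Usage against a real DC (placeholder host):
#   fetch_ldaps_chain dc01.example.test 636 > /tmp/ad-chain.pem
#   check_chain_expiry /tmp/ad-chain.pem 2592000   # also flag expiry within 30 days
```

A non-zero exit from check_chain_expiry is the signal to request a fresh chain from the domain owner and upload it under the identity provider configuration.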