Cannot login to vCenter server using AD credentials

Article ID: 374200

Updated On: 12-30-2024

Products

VMware vCenter Server, VMware vCenter Server 7.0, VMware vCenter Server 8.0

Issue/Introduction

Logging in to the vCenter Server with Active Directory (AD) credentials fails with "Invalid credentials", although logging in as Administrator@vsphere.local works.

Environment

vCenter server 7.0 

vCenter server 8.0 

Cause

The certificate that the vCenter Server holds for the Microsoft Active Directory domain (the LDAPS identity source) has expired. The websso.log on the vCenter Server shows the following errors.

Cannot bind the domain URL:

YYYY-MM-DDThh:mm:ssZ WARN websso[83:tomcat-http--45] [CorId=c7b29996-d8f9-4216-9709-f9ff1588e77c] [com.vmware.identity.idm.server.ServerUtils] cannot bind connection: [ldaps://xxxx-xxxxx:636, xxxxxxx@abc.cn]
YYYY-MM-DDThh:mm:ssZ ERROR websso[83:tomcat-http--45] [CorId=c7b29996-d8f9-4216-9709-f9ff1588e77c] [com.vmware.identity.idm.server.ServerUtils] cannot establish ldap connection with URI: [ldaps://xyz.cn:636] because [com.vmware.identity.interop.ldap.ServerDownLdapException] with reason [Can't contact LDAP server] therefore will try to attempt to use secondary URIs, if applicable
YYYY-MM-DDThh:mm:ssZ ERROR websso[83:tomcat-http--45] [CorId=c7b29996-d8f9-4216-9709-f9ff1588e77c] [com.vmware.identity.idm.server.provider.BaseLdapProvider] com.vmware.identity.interop.ldap.ServerDownLdapException: Can't contact LDAP server\nLDAP error [code: -1]
YYYY-MM-DDThh:mm:ssZ ERROR websso[83:tomcat-http--45] [CorId=c7b29996-d8f9-4216-9709-f9ff1588e77c [com.vmware.identity.interop.ldap.OpenLdapClientLibrary] Certificate expired at [MM DD hh:mm:ss GMT YYYY ]

The Active Directory (AD) certificate expired on the date noted in the logs. To proceed, upload the updated certificate to the vCenter Server while configuring the identity provider using the primary and secondary URLs.

Resolution

The certificate presented by the domain controller can be fetched from the vCenter Server itself with the following command (636 is the LDAPS port; plain LDAP on 389 does not present a certificate to s_client without STARTTLS):

openssl s_client -connect <domain FQDN>:636

Alternatively, ask the end user to obtain the entire certificate chain from the Microsoft (AD) side and upload it on the vCenter Server: Administration -> Users and Groups -> Configuration -> Identity Provider -> select the domain and upload the certificate.
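As an added example (not part of this KB article), the following POSIX shell functions wrap the openssl s_client command above: they save the full chain the domain controller presents on its LDAPS port and flag any certificate in it that is already expired or expires within a chosen window, so the expiry can be caught before websso.log reports it. Host names, ports and file names are placeholders.

```shell
#!/bin/sh
# Added example, not from the KB article. Wraps "openssl s_client" to save the
# certificate chain an AD domain controller presents on its LDAPS port, then
# checks every certificate in that chain against an expiry window, so a DC
# certificate can be renewed and re-uploaded to the vCenter identity source
# before websso.log reports "Certificate expired at [...]". Assumes openssl in PATH.

# fetch_ldaps_chain HOST [PORT] OUTFILE  (PORT defaults to 636, the LDAPS port)
# Saves all certificates the server sends (-showcerts) as PEM into OUTFILE.
fetch_ldaps_chain() {
  host=$1; port=${2:-636}; out=$3
  openssl s_client -connect "$host:$port" -servername "$host" -showcerts </dev/null 2>/dev/null |
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > "$out"
  [ -s "$out" ]   # fail if nothing was captured (port closed, not TLS, ...)
}

# cert_expires_within PEMFILE SECONDS
# Returns 0 if the first certificate in PEMFILE expires within SECONDS
# (0 seconds means "already expired"), 1 if it stays valid beyond that.
# Uses openssl's own -checkend, so no date arithmetic is needed. An unreadable
# file also returns 0, which is the safe direction for a monitoring check.
cert_expires_within() {
  ! openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# cert_enddate PEMFILE -> prints the notAfter date of the first certificate
cert_enddate() {
  openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# check_chain PEMFILE [DAYS]  (DAYS defaults to 30)
# Splits the chain into single certificates and reports each one; returns 1 if
# any certificate is expired or expires within DAYS, so it can drive an alert.
check_chain() {
  file=$1; secs=$(( ${2:-30} * 86400 )); rc=0
  tmp=$(mktemp -d)
  awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/{n++} {print > (d "/cert" n ".pem")}' "$file"
  for c in "$tmp"/cert*.pem; do
    subj=$(openssl x509 -in "$c" -noout -subject)
    if cert_expires_within "$c" "$secs"; then
      echo "EXPIRING: $subj, notAfter=$(cert_enddate "$c")"; rc=1
    else
      echo "ok:       $subj, notAfter=$(cert_enddate "$c")"
    fi
  done
  rm -rf "$tmp"
  return $rc
}
```

Against a real domain controller the two calls chain as `fetch_ldaps_chain dc01.example.test 636 dc-chain.pem && check_chain dc-chain.pem 30`; a non-zero exit from check_chain means a certificate in the chain needs renewing and re-uploading under Identity Provider.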