Unable to log in to the vCenter server using AD credentials.
Article ID: 374200

Products

  • VMware vCenter Server
  • VMware vCenter Server 7.0
  • VMware vCenter Server 8.0

Issue/Introduction

Symptoms -

  • We are encountering an "Invalid credentials" error when attempting to log in to the vCenter server using AD credentials, despite being able to log in successfully with the [email protected] user.

Environment

  • VMware vCenter Server 7.0 
  • VMware vCenter Server 8.0 

Cause

  • The certificates for the Microsoft domain on the vCenter server have expired. Upon reviewing the websso.log, we encountered the following error - 

Cannot bind the domain URL 

  • The websso.log entries display the following

YYYY-MM-DDThh:mm:ssZ WARN websso[83:tomcat-http--45] [CorId=c7b29996-d8f9-4216-9709-f9ff1588e77c] [com.vmware.identity.idm.server.ServerUtils] cannot bind connection: [ldaps://xxxx-xxxxx:636, [email protected]]
YYYY-MM-DDThh:mm:ssZ ERROR websso[83:tomcat-http--45] [CorId=c7b29996-d8f9-4216-9709-f9ff1588e77c] [com.vmware.identity.idm.server.ServerUtils] cannot establish ldap connection with URI: [ldaps://example.com:636] because [com.vmware.identity.interop.ldap.ServerDownLdapException] with reason [Can't contact LDAP server] therefore will try to attempt to use secondary URIs, if applicable
YYYY-MM-DDThh:mm:ssZ ERROR websso[83:tomcat-http--45] [CorId=c7b29996-d8f9-4216-9709-f9ff1588e77c] [com.vmware.identity.idm.server.provider.BaseLdapProvider] com.vmware.identity.interop.ldap.ServerDownLdapException: Can't contact LDAP server\nLDAP error [code: -1]
YYYY-MM-DDThh:mm:ssZ ERROR websso[83:tomcat-http--45] [CorId=c7b29996-d8f9-4216-9709-f9ff1588e77c [com.vmware.identity.interop.ldap.OpenLdapClientLibrary] Certificate expired at [MM DD hh:mm:ss GMT YYYY ]

  • The Active Directory (AD) certificate expired on the date indicated in the logs.
  • To address this, upload the renewed certificate to the vCenter Server in the identity provider configuration, for both the primary and secondary server URLs.
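The log excerpt above is what an operator has to read by hand; the following added example (not part of this article, and not VMware code) shows how to triage a websso.log mechanically: it pulls out every LDAPS URI that vCenter failed to connect to and the "Certificate expired at" timestamp, and decides whether the failure is the expired-certificate case this article describes. The log sample, hostnames, account name and correlation ids are constructed placeholders.

```python
import re
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed websso.log excerpt modelled on the lines quoted in this article.
# Hostnames, account, correlation ids and timestamps are placeholders, not real data.
SAMPLE_WEBSSO_LOG = """\
2024-05-02T08:11:09Z WARN websso[83:tomcat-http--45] [CorId=00000000-0000-0000-0000-000000000000] [com.vmware.identity.idm.server.ServerUtils] cannot bind connection: [ldaps://dc01.example.com:636, svc-vcenter@example.com]
2024-05-02T08:11:09Z ERROR websso[83:tomcat-http--45] [CorId=00000000-0000-0000-0000-000000000000] [com.vmware.identity.idm.server.ServerUtils] cannot establish ldap connection with URI: [ldaps://dc01.example.com:636] because [com.vmware.identity.interop.ldap.ServerDownLdapException] with reason [Can't contact LDAP server] therefore will try to attempt to use secondary URIs, if applicable
2024-05-02T08:11:09Z ERROR websso[83:tomcat-http--45] [CorId=00000000-0000-0000-0000-000000000000] [com.vmware.identity.interop.ldap.OpenLdapClientLibrary] Certificate expired at [Apr 30 23:59:59 GMT 2024 ]
2024-05-02T08:11:10Z ERROR websso[83:tomcat-http--45] [CorId=00000000-0000-0000-0000-000000000000] [com.vmware.identity.idm.server.ServerUtils] cannot establish ldap connection with URI: [ldaps://dc02.example.com:3269] because [com.vmware.identity.interop.ldap.ServerDownLdapException] with reason [Can't contact LDAP server] therefore will try to attempt to use secondary URIs, if applicable
2024-05-02T08:11:10Z ERROR websso[83:tomcat-http--45] [CorId=00000000-0000-0000-0000-000000000000] [com.vmware.identity.interop.ldap.OpenLdapClientLibrary] Certificate expired at [Apr 30 23:59:59 GMT 2024 ]
2024-05-02T08:12:00Z INFO websso[83:tomcat-http--46] [CorId=11111111-1111-1111-1111-111111111111] [com.vmware.identity.idm.server.ServerUtils] unrelated informational line
"""

# The URI vCenter could not reach, and the expiry date OpenLDAP reported for the server certificate.
URI_RE = re.compile(r"cannot establish ldap connection with URI: \[(ldaps?://[^\]]+)\]")
EXPIRED_RE = re.compile(r"Certificate expired at \[([A-Za-z]{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) GMT (\d{4})\s*\]")


def parse_expiry(month_day_time, year):
    """Turn 'Apr 30 23:59:59' plus '2024' into an aware UTC datetime (GMT in the log means UTC)."""
    text = " ".join(month_day_time.split()) + " " + year  # collapse the double space used for 1-digit days
    return datetime.strptime(text, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def triage_websso_log(text, now=None):
    """Return the identity-source endpoints that failed and whether the cause is an expired certificate."""
    now = now or datetime.now(timezone.utc)
    endpoints = []
    expired_at = None
    for line in text.splitlines():
        m = URI_RE.search(line)
        if m:
            parts = urlsplit(m.group(1))
            endpoint = (parts.hostname, parts.port or 636)  # default LDAPS port when the URI omits it
            if endpoint not in endpoints:
                endpoints.append(endpoint)
        m = EXPIRED_RE.search(line)
        if m:
            expired_at = parse_expiry(m.group(1), m.group(2))
    return {
        "failed_endpoints": endpoints,
        "expired_at": expired_at,
        "cert_expired": expired_at is not None and expired_at < now,
    }


def suggested_commands(report):
    """openssl commands to pull the current certificate from each failed endpoint (-showcerts prints the chain)."""
    return [f"openssl s_client -connect {host}:{port} -showcerts" for host, port in report["failed_endpoints"]]


if __name__ == "__main__":
    report = triage_websso_log(SAMPLE_WEBSSO_LOG)
    print(report)
    for cmd in suggested_commands(report):
        print(cmd)
```

Run it against a real websso.log with `triage_websso_log(open(path).read())`; the `failed_endpoints` list tells you which domain controller and which port (636 or 3269) to fetch the renewed certificate from, and `cert_expired` distinguishes this article's cause from a plain "Can't contact LDAP server" caused by a firewall or a stopped domain controller, where no "Certificate expired at" line appears.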

Resolution

  • The certificate presented by the domain controller can be retrieved from the vCenter server with the following command, using port 636 for LDAP over SSL or port 3269 for the Global Catalog over SSL, depending on how the identity source is configured in your environment -
    • openssl s_client -connect <domain FQDN>:636
    • openssl s_client -connect <domain FQDN>:3269
  • Alternatively, you can request the end user to obtain the full certificate chain from Microsoft and upload it to the vCenter server. This can be done by navigating to:
    • Administration → Users and Groups → Configuration → Identity Provider → Select the domain and upload the certificate.
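The openssl command above shows the certificate once; an added example (not part of this article, and not VMware code) that wraps the same `openssl s_client` and `openssl x509 -enddate` calls so the LDAPS (636) and Global Catalog (3269) endpoints can be checked on a schedule and flagged before they expire again. The `dc01.example.com` host is a placeholder; the live check needs network access to the domain controller and the openssl binary, while the parsing and classification functions run offline.

```python
import subprocess
from datetime import datetime, timezone

LDAPS_PORT = 636    # LDAP over SSL
GC_SSL_PORT = 3269  # Global Catalog over SSL


def fetch_server_cert_pem(host, port, timeout=15):
    """Run openssl s_client against the endpoint and return the leaf certificate it presented (PEM)."""
    proc = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host, "-showcerts"],
        input=b"", capture_output=True, timeout=timeout, check=False,  # empty stdin ends the session
    )
    out = proc.stdout.decode(errors="replace")
    start = out.find("-----BEGIN CERTIFICATE-----")
    end = out.find("-----END CERTIFICATE-----", start)
    if start < 0 or end < 0:
        raise RuntimeError(f"{host}:{port} returned no certificate: {proc.stderr.decode(errors='replace').strip()}")
    return out[start:end] + "-----END CERTIFICATE-----\n"


def cert_enddate_line(pem):
    """Ask openssl x509 for the 'notAfter=...' line of a PEM certificate."""
    proc = subprocess.run(["openssl", "x509", "-noout", "-enddate"],
                          input=pem.encode(), capture_output=True, check=True)
    return proc.stdout.decode()


def parse_enddate(enddate_line):
    """Parse 'notAfter=Apr 30 23:59:59 2024 GMT' (openssl x509 -enddate output) into an aware UTC datetime."""
    value = enddate_line.strip().split("=", 1)[1]
    value = " ".join(value.split())  # openssl pads single-digit days with two spaces
    if value.endswith(" GMT"):
        value = value[:-4]
    return datetime.strptime(value, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def classify(not_after, now, warn_days=30):
    """EXPIRED if already past, EXPIRING if within warn_days, otherwise OK; also returns days left."""
    days_left = (not_after - now).total_seconds() / 86400
    if days_left < 0:
        return "EXPIRED", days_left
    if days_left < warn_days:
        return "EXPIRING", days_left
    return "OK", days_left


def check_endpoint(host, port, warn_days=30, now=None):
    """Live check of one LDAPS or Global Catalog endpoint; needs network access and the openssl binary."""
    now = now or datetime.now(timezone.utc)
    not_after = parse_enddate(cert_enddate_line(fetch_server_cert_pem(host, port)))
    status, days_left = classify(not_after, now, warn_days)
    return {"endpoint": f"{host}:{port}", "not_after": not_after.isoformat(),
            "status": status, "days_left": round(days_left, 1)}


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "dc01.example.com"  # placeholder domain controller
    for port in (LDAPS_PORT, GC_SSL_PORT):
        try:
            print(check_endpoint(host, port))
        except Exception as exc:
            print(f"{host}:{port}: {exc}")
```

Point the script at each identity-source URL configured under Identity Provider and alert on anything other than OK; an EXPIRING result is the cue to obtain the renewed chain and upload it through the same Administration → Users and Groups → Configuration → Identity Provider path before AD logins start failing.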