WIN EVENT 4624 on Active directory domain controller due to vCenter domain login using AD over LDAP


Article ID: 391849


Updated On: 04-10-2025

Products

VMware vCenter Server

Issue/Introduction

This event is logged on a Windows domain controller when vCenter is configured with an Active Directory over LDAP identity source and binds to the domain controller to authenticate or authorize users.

 

Symptoms

One or more domain accounts generate a high volume of logon events (Windows Event 4624) on the domain controllers. The account in question is the one configured as the bind user for the AD over LDAP external identity source.

The identity source in vCenter Single Sign-On (SSO) uses Active Directory over LDAP, typically over a TLS-protected LDAPS connection.

Environment

vCenter Server 6.7.x

vCenter Server 7.0.x

vCenter Server 8.0.x

Cause

This occurs when vCenter uses AD over LDAP authentication and success auditing of logon events is enabled on the Active Directory domain controller.

To understand more about Windows Event 4624, see the article Microsoft has published: Windows Event 4624

Resolution

This is expected behavior.

It is a consequence of how an AD over LDAP(S) identity source works: vCenter is integrated with Active Directory through plain LDAP binds using the configured bind account, not domain joined and authenticating with Kerberos.

All LDAP operations against an external identity source in vCenter are atomic; there is no session reuse. Any operation in vCenter that has to consult AD (for example a permission check or issuing a token) opens a new connection to the domain controller and binds with the identity source credentials, and every such bind is recorded as a Windows Event 4624 for the bind account on the domain controller that handled it.

If you want to review user logins without the noise of the vCenter bind account, create two Event Viewer custom views as described below: one that excludes the account and one that shows only it.

To view a list of all user logins excluding the VC LDAP connection account, do the following:

1.  Start Event Viewer
2.  Right-click Custom Views and select Create Custom View
3.  Select By Log
4.  Click the Event logs drop-down, expand Windows Logs, then check Security
5.  Click the XML tab.
6.  At the bottom, check the Edit query manually box and click Yes on the confirmation dialog.
7.  Replace the query text with the XML below, substituting the bind account's sAMAccountName (without the domain prefix) for exampleUserAccountNameOnly. The XPath comparison is case-sensitive, so type the name exactly as it appears in existing 4624 events. Then click OK.

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[
System[(EventID=4624)]
and
EventData[Data[@Name='TargetUserName']!='exampleUserAccountNameOnly']]</Select>
  </Query>
</QueryList>

To view a list of only the logins for the VC LDAP connection account, do the following:
1.  Start Event Viewer
2.  Right-click Custom Views and select Create Custom View
3.  Select By Log
4.  Click the Event logs drop-down, expand Windows Logs, then check Security
5.  Click the XML tab.
6.  At the bottom, check the Edit query manually box and click Yes on the confirmation dialog.
7.  Replace the query text with the XML below, again substituting the bind account's sAMAccountName for exampleUserAccountNameOnly, then click OK.

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[
System[(EventID=4624)]
and
EventData[Data[@Name='TargetUserName']='exampleUserAccountNameOnly']]</Select>
  </Query>
</QueryList>
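As an added example, not code from this KB article or from VMware, the following PowerShell produces the same two views from the command line on the domain controller and adds the check a practitioner would want before filtering an account out of the Security log: that the noisy account's logons are all network logons from the vCenter appliance. The bind account name svc-vcenter-ldap, the vCenter address 10.0.0.50 and the function name Get-Logon4624 are placeholders assumed for the example.

```powershell
# Added example (not part of the KB article): PowerShell equivalents of the two
# Event Viewer custom views above, plus a check that the noisy logons really are
# the vCenter identity-source bind account performing LDAP binds.
# Assumptions (placeholders, not from the article): the bind account's
# sAMAccountName is 'svc-vcenter-ldap' and the vCenter appliance is 10.0.0.50.
$BindAccount = 'svc-vcenter-ldap'
$VCenterIp   = '10.0.0.50'
$MaxEvents   = 5000

# Run the same XPath the custom views use against the Security log and flatten
# the EventData fields of interest. PowerShell's XML adapter ignores the event
# schema namespace, so $x.Event.EventData.Data resolves as written.
function Get-Logon4624 {
    param(
        [Parameter(Mandatory)][string]$XPath,
        [int]$MaxEvents = 5000
    )
    $query = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">$XPath</Select>
  </Query>
</QueryList>
"@
    Get-WinEvent -FilterXml ([xml]$query) -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                User      = $d['TargetUserName']
                Domain    = $d['TargetDomainName']
                LogonType = $d['LogonType']
                IpAddress = $d['IpAddress']
                AuthPkg   = $d['AuthenticationPackageName']
            }
        }
}

# View 1: every 4624 except the bind account, i.e. the logons an admin actually
# wants to review. XPath string comparison is case-sensitive, so the name must
# match what the DC logs.
$others = @(Get-Logon4624 -MaxEvents $MaxEvents -XPath `
    "*[System[(EventID=4624)] and EventData[Data[@Name='TargetUserName']!='$BindAccount']]")

# View 2: only the bind account.
$bind = @(Get-Logon4624 -MaxEvents $MaxEvents -XPath `
    "*[System[(EventID=4624)] and EventData[Data[@Name='TargetUserName']='$BindAccount']]")

# Sanity check before trusting the exclusion filter: an LDAP bind shows up as a
# network logon (LogonType 3) and, when the source address is recorded, it
# should be the vCenter appliance. Anything else for this account means the
# credential is in use outside vCenter and the filter would hide it.
$allowedSources = @('-', $VCenterIp, "::ffff:$VCenterIp")
$unexpected = @($bind | Where-Object {
    $_.LogonType -ne '3' -or ($_.IpAddress -notin $allowedSources)
})

"4624 events in scope: $($others.Count) for other accounts, $($bind.Count) for $BindAccount"

"Bind-account logons per minute (latest first):"
$bind | Group-Object { $_.Time.ToString('yyyy-MM-dd HH:mm') } |
    Sort-Object Name -Descending | Select-Object -First 10 Name, Count | Format-Table -AutoSize

"Bind-account logons that do not match the expected LDAP-bind pattern: $($unexpected.Count)"
$unexpected | Select-Object -First 10 Time, LogonType, IpAddress, AuthPkg | Format-Table -AutoSize

"Top accounts among the remaining (non-vCenter) logons:"
$others | Group-Object User | Sort-Object Count -Descending |
    Select-Object -First 10 Name, Count | Format-Table -AutoSize
```

Filtering an account out of the Security log by name hides everything that account does, not only the vCenter binds, so the bind account should be dedicated to vCenter and limited to the directory read access the identity source needs; the unexpected-pattern check above is what keeps the exclusion view from masking misuse of that credential. The per-minute count is also the quickest way to confirm that the event rate tracks vCenter activity (logins, permission checks, token issuance) rather than something else.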

Additional Information

Windows Event 4624 is generated only when success auditing of logon events is in effect on the domain controller (the Logon subcategory under Logon/Logoff in the advanced audit policy, or the legacy Audit logon events setting). Whether that auditing is on by default depends on the Windows Server version and on the group policies applied to the domain controllers, so check the effective audit policy on the DC rather than assuming it is off; wherever it is enabled, every vCenter bind produces one of these events. For questions or concerns regarding this setting, please contact Microsoft Support.