Failed to probe provider connectivity: " Caused by: Can't contact LDAP server " error while configuring Active Directory LDAP
Article ID: 394249
Updated On:
Products
Issue/Introduction
- While configuring Identity source with Active Directory over LDAP on the vCenter Appliance using the vSphere Client, throws the below error:
"Cannot configure identity source due to Failed to probe provider connectivity [URI:ldaps://<LDAP Server FQDN/IP>:636 ]; tenantName [###.###], userName [cn=###,dc=###,dc=###] Caused by: Can't contact LDAP server"
- In /var/log/vmware/sso/ssoAdminServer.log:
YYYY-MM-DDTHH:MM:SS ERROR ssoAdminServer[103:pool-2-thread-2] [OpId=####-####-####-####] [com.vmware.identity.admin.server.ims.impl.IdentitySourceManagementImpl] Failed to probe provider connectivity [URI: ldap://< primary <secondary LDAP server FQDN/IP >:636 ldap:// <secondary LDAP server FQDN/IP >:636 ]; tenantName [###.###], userName [cn=###,dc=###,dc=###]
at com.vmware.identity.idm.server.IdentityManager.probeProviderConnectivity(IdentityManager.java:2979) ~[vmware-identity-idm-server-7.0.0.jar:?]
at com.vmware.identity.idm.server.IdentityManager.setProvider(IdentityManager.java:2646) ~[vmware-identity-idm-server-7.0.0.jar:?]
at com.vmware.identity.idm.server.IdentityManager.setProvider(IdentityManager.java:10005) ~[vmware-identity-idm-server-7.0.0.jar:?]
at com.vmware.identity.idm.client.CasIdmClient.setProvider(CasIdmClient.java:944) ~[vmware-identity-idm-client-7.0.0.jar:?]
at com.vmware.identity.admin.server.ims.impl.IdentitySourceManagementImpl.updateLdapAuthnType(IdentitySourceManagementImpl.java:601) [sso-adminserver-7.0.0.jar:?]
at com.vmware.identity.admin.vlsi.IdentitySourceManagementServiceImpl$9.call(IdentitySourceManagementServiceImpl.java:334) [sso-adminserver-7.0.0.jar:?]
- While running openssl s_client -connect <LDAP server FQDN/IP>:636 -showcerts confirms the port connectivity but AD certificates are not returned.
CONNECTED (00000003)
write:errno=104
no peer certificate available
No client certificate CA names sent
-
SSL handshake has read 0 bytes and written 285 bytes
Verification: OK
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
Environment
vCenter Server - 7.0.x
vCenter Server - 8.0.x
Cause
- This issue occurs when issuing AD certificates has incorrect SAN name.
- An incorrect certificate chain can also trigger a similar error.
Resolution
- Scenario 1 - Incorrect SAN name
- Regenerate the AD server certificates and modify the SAN with correct name.
- Configure the Identity source with Active Directory over LDAP with the new set of certificates by referring the following KB - Configuring a vCenter Single Sign-On Identity Source using LDAP with SSL (LDAPS)
- Scenario 2 - Incorrect certificate chain
Retrieve Certificates from Each DC
-
- Use OpenSSL to extract the certificate chain from each domain controller:
- openssl s_client -connect <DC1_FQDN>:636 -showcerts > dc1_cert_chain.cer
openssl s_client -connect <DC2_FQDN>:636 -showcerts > dc2_cert_chain.cer - Copy each certificate block (-----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----)
- Paste them in the following order: server certificate → intermediate → root.
- Repeat for both DCs.
- Navigate to: Administration > Single Sign-On > Configuration > Identity Sources.
- Add a new Active Directory over LDAP (LDAPS) identity source
- Upload both dc1_chain.cer and dc2_chain.cer.
- After configuration, Test connectivity and authentication.
- Ensure vCenter can reach both DCs and validate the certificate chain.
- Once these steps are completed, the identity source should be configured successfully.
Feedback
