Failed to probe provider connectivity: " Caused by: Can't contact LDAP server " error while configuring Active Directory LDAP
Article ID: 394249

Products

VMware vCenter Server

Issue/Introduction

  • While configuring an identity source with Active Directory over LDAP on the vCenter Server Appliance using the vSphere Client, the following error is displayed:

    "Cannot configure identity source due to Failed to probe provider connectivity [URI:ldaps://<LDAP Server FQDN/IP>:636 ]; tenantName [###.###], userName [cn=###,dc=###,dc=###] Caused by: Can't contact LDAP server"

  • In /var/log/vmware/sso/ssoAdminServer.log:

    YYYY-MM-DDTHH:MM:SS ERROR ssoAdminServer[103:pool-2-thread-2] [OpId=####-####-####-####] [com.vmware.identity.admin.server.ims.impl.IdentitySourceManagementImpl] Failed to probe provider connectivity [URI: ldap://<primary LDAP server FQDN/IP>:636 ldap://<secondary LDAP server FQDN/IP>:636 ]; tenantName [###.###], userName [cn=###,dc=###,dc=###]
    at com.vmware.identity.idm.server.IdentityManager.probeProviderConnectivity(IdentityManager.java:2979) ~[vmware-identity-idm-server-7.0.0.jar:?]
    at com.vmware.identity.idm.server.IdentityManager.setProvider(IdentityManager.java:2646) ~[vmware-identity-idm-server-7.0.0.jar:?]
    at com.vmware.identity.idm.server.IdentityManager.setProvider(IdentityManager.java:10005) ~[vmware-identity-idm-server-7.0.0.jar:?]
    at com.vmware.identity.idm.client.CasIdmClient.setProvider(CasIdmClient.java:944) ~[vmware-identity-idm-client-7.0.0.jar:?]
    at com.vmware.identity.admin.server.ims.impl.IdentitySourceManagementImpl.updateLdapAuthnType(IdentitySourceManagementImpl.java:601) [sso-adminserver-7.0.0.jar:?]
    at com.vmware.identity.admin.vlsi.IdentitySourceManagementServiceImpl$9.call(IdentitySourceManagementServiceImpl.java:334) [sso-adminserver-7.0.0.jar:?]

  • Running openssl s_client -connect <LDAP server FQDN/IP>:636 -showcerts confirms that the port is reachable, but no AD certificate is returned:

    CONNECTED (00000003)

    write:errno=104
    no peer certificate available
    No client certificate CA names sent
    -
    SSL handshake has read 0 bytes and written 285 bytes
    Verification: OK
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    Early data was not sent
    Verify return code: 0 (ok)

Environment

vCenter Server - 7.0.x
vCenter Server - 8.0.x

Cause

  • This issue occurs when the certificate issued to the AD server has an incorrect SAN name.
  • An incorrect certificate chain can also trigger a similar error.
  • The certificate on the AD server was replaced.

Resolution

  • Scenario 2 - Incorrect certificate chain: Retrieve certificates from each DC
    • Use OpenSSL to extract the certificate chain from each domain controller:
    • openssl s_client -connect <DC1_FQDN>:636 -showcerts > dc1_cert_chain.cer
    • openssl s_client -connect <DC2_FQDN>:636 -showcerts > dc2_cert_chain.cer
    • Copy each certificate block (-----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----).
    • Paste them in the following order: server certificate → intermediate → root.
    • Repeat for both DCs.
    • Navigate to: Administration > Single Sign-On > Configuration > Identity Sources.
    • Add a new Active Directory over LDAP (LDAPS) identity source.
    • Upload both dc1_cert_chain.cer and dc2_cert_chain.cer.
    • After configuration, test connectivity and authentication.
    • Ensure vCenter can reach both DCs and can validate the certificate chain.
    • Once these steps are completed, the identity source should be configured successfully.
  • Scenario 3 - Certificate mismatch due to certificate replacement on the AD server

    Retrieve the certificate from the DC, save it to a text file, and check its validity dates to determine whether the certificate was replaced recently.

    • Use OpenSSL to extract the certificate chain from the domain controller:
    • openssl s_client -connect <DC1_FQDN>:636 -showcerts > dc_chain.cer
    • Save the certificate and use this same certificate when reconfiguring the identity source.
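The checks behind these scenarios, as an added shell example that is not part of this KB: it saves a DC's LDAPS chain with the same openssl s_client command, then tests the server certificate's SAN against the DC FQDN, the server → intermediate → root ordering of the chain, and the validity dates. The DC names, file names and the self-signed sample certificate are assumed for illustration.

```shell
#!/bin/sh
# Added example, not part of the KB: pull the LDAPS chain from a DC and run the
# checks the KB's causes call for (SAN vs FQDN, chain order, validity dates).
set -u

# Save the chain presented on port 636, as the KB's openssl command does. The
# empty stdin makes s_client exit after the handshake instead of waiting.
fetch_chain() {      # fetch_chain <DC_FQDN> <out.cer>
    openssl s_client -connect "$1:636" -showcerts </dev/null 2>/dev/null \
      | awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' > "$2"
    [ -s "$2" ]      # empty file is the "no peer certificate available" case
}

nth_cert() {         # nth_cert <chain.cer> <k>: k-th PEM block (1 = server cert)
    awk -v k="$2" '/-----BEGIN CERTIFICATE-----/{n++} n==k' "$1"
}

# SAN check: the server certificate must carry DNS:<DC_FQDN> exactly
# (case-insensitive; wildcard entries are not handled here).
san_matches() {      # san_matches <chain.cer> <DC_FQDN>
    nth_cert "$1" 1 | openssl x509 -noout -ext subjectAltName 2>/dev/null \
      | tr ',' '\n' | tr -d ' \t' | grep -qixF "DNS:$2"
}

# Chain order check: each certificate's issuer must be the subject of the next
# one, i.e. server -> intermediate -> root as the KB requires.
chain_order_ok() {   # chain_order_ok <chain.cer>
    n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true); i=1
    while [ "$i" -lt "$n" ]; do
        issuer=$(nth_cert "$1" "$i" | openssl x509 -noout -issuer)
        subject=$(nth_cert "$1" $((i + 1)) | openssl x509 -noout -subject)
        [ "${issuer#issuer=}" = "${subject#subject=}" ] || return 1
        i=$((i + 1))
    done
}

# Validity: print notBefore/notAfter (a recent notBefore means the DC's
# certificate was replaced), and fail if the server certificate has expired.
leaf_dates()  { nth_cert "$1" 1 | openssl x509 -noout -dates; }
dates_valid() { nth_cert "$1" 1 | openssl x509 -noout -checkend 0 >/dev/null 2>&1; }

# Constructed sample for offline runs: a self-signed certificate with a SAN,
# standing in for what a DC would present (real input comes from fetch_chain).
make_test_chain() {  # make_test_chain <out.cer> <fqdn>
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
      -addext "subjectAltName=DNS:$2" -keyout /dev/null -out "$1" 2>/dev/null
}
```

Against a real DC, run fetch_chain dc1.example.test dc1_cert_chain.cer first and then the three checks on that file; a fetch_chain failure with an open port reproduces the "no peer certificate available" symptom shown above.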