In vCenter 9.0, authentication to a non-federated identity source is not supported when using a federated identity source

Article ID: 397264


Products

VMware vCenter Server

Issue/Introduction

In vCenter 9.0, authentication to non-federated identity providers (e.g. AD over LDAP) is blocked when a federated identity provider (e.g. ADFS) exists.

The following entries are logged in /var/log/vmware/sso/vmware-identity-sts.log or /var/log/vmware/sso/websso.log:

[YYYY-MM_DD] INFO sts[42:tomcat-http--1] [CorId=0b86e848-116e-####-b4ae-4a3fbe0ddb5d] [com.vmware.identity.idm.server.IdentityManager] User [email protected] attempting to login via unsupported domain provider example.com type com.vmware.identity.idm.server.provider.ldap.LdapWithAdMappingsProvider on federated tenant vsphere.local.  This is not supported.
[YYYY-MM_DD] ERROR sts[42:tomcat-http--1] [CorId=0b86e848-116e-####-b4ae-4a3fbe0ddb5d] [com.vmware.identity.idm.server.IdentityManager] Failed to authenticate principal [[email protected]] for tenant [vsphere.local]
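As an added example that is not part of this article or of VMware's tooling, the following Python script scans an STS log for the two messages above and reports which legacy domains are still being hit, by which users, so that you know what will break before the identity source is removed. The log lines embedded in it are constructed to match the format quoted above; the timestamps, correlation IDs, user names and the legacy.example.net domain are placeholders. Run it with a log path as the first argument to scan a real file, or with no arguments to run against the embedded sample.

```python
import re
import sys
from typing import Dict, Iterable, Iterator, List, Tuple

# Message patterns taken from the two log lines quoted in this article.
UNSUPPORTED_RE = re.compile(
    r"User (?P<user>\S+) attempting to login via unsupported domain provider "
    r"(?P<domain>\S+) type (?P<provider>\S+) on federated tenant (?P<tenant>\S+?)\.\s"
)
FAILED_RE = re.compile(
    r"Failed to authenticate principal \[(?P<user>[^\]]+)\] for tenant \[(?P<tenant>[^\]]+)\]"
)

# Constructed sample lines in the format quoted above. Timestamps, CorIds, user
# names and the legacy.example.net domain are placeholders, not real data.
_PREFIX = "[com.vmware.identity.idm.server.IdentityManager]"
_PROVIDER = "com.vmware.identity.idm.server.provider.ldap.LdapWithAdMappingsProvider"
SAMPLE_LINES = [
    f"[2025-07-01 10:15:02] INFO sts[42:tomcat-http--1] [CorId=00000000-0000-0000-0000-000000000001] {_PREFIX} "
    f"User alice@example.com attempting to login via unsupported domain provider example.com type {_PROVIDER} "
    "on federated tenant vsphere.local.  This is not supported.",
    f"[2025-07-01 10:15:02] ERROR sts[42:tomcat-http--1] [CorId=00000000-0000-0000-0000-000000000001] {_PREFIX} "
    "Failed to authenticate principal [alice@example.com] for tenant [vsphere.local]",
    f"[2025-07-01 10:17:41] INFO sts[42:tomcat-http--2] [CorId=00000000-0000-0000-0000-000000000002] {_PREFIX} "
    f"User bob@example.com attempting to login via unsupported domain provider example.com type {_PROVIDER} "
    "on federated tenant vsphere.local.  This is not supported.",
    f"[2025-07-01 10:17:41] ERROR sts[42:tomcat-http--2] [CorId=00000000-0000-0000-0000-000000000002] {_PREFIX} "
    "Failed to authenticate principal [bob@example.com] for tenant [vsphere.local]",
    f"[2025-07-01 10:19:05] INFO sts[42:tomcat-http--3] [CorId=00000000-0000-0000-0000-000000000003] {_PREFIX} "
    f"User carol@legacy.example.net attempting to login via unsupported domain provider legacy.example.net type {_PROVIDER} "
    "on federated tenant vsphere.local.  This is not supported.",
    f"[2025-07-01 10:19:05] ERROR sts[42:tomcat-http--3] [CorId=00000000-0000-0000-0000-000000000003] {_PREFIX} "
    "Failed to authenticate principal [carol@legacy.example.net] for tenant [vsphere.local]",
    # Constructed filler line: an unrelated message the parser must ignore.
    f"[2025-07-01 10:20:00] INFO sts[42:tomcat-http--4] [CorId=00000000-0000-0000-0000-000000000004] {_PREFIX} "
    "unrelated message that the parser must ignore",
]


def parse_events(lines: Iterable[str]) -> Iterator[Tuple[str, Dict[str, str]]]:
    """Yield (kind, fields) for each line matching one of the two KB messages."""
    for line in lines:
        m = UNSUPPORTED_RE.search(line)
        if m:
            yield "unsupported_provider", m.groupdict()
            continue
        m = FAILED_RE.search(line)
        if m:
            yield "auth_failed", m.groupdict()


def summarize(lines: Iterable[str]) -> dict:
    """Group blocked logins by the legacy domain that was hit; count auth failures."""
    domains: Dict[str, dict] = {}
    failed = 0
    for kind, f in parse_events(lines):
        if kind == "unsupported_provider":
            entry = domains.setdefault(
                f["domain"],
                {"provider": f["provider"], "tenant": f["tenant"], "users": set(), "attempts": 0},
            )
            entry["users"].add(f["user"])
            entry["attempts"] += 1
        else:
            failed += 1
    return {"domains": domains, "auth_failures": failed}


def report(summary: dict) -> List[str]:
    """Render the summary as one line per legacy domain plus a failure count."""
    out = []
    for domain, e in sorted(summary["domains"].items()):
        short_provider = e["provider"].rsplit(".", 1)[-1]
        out.append(
            f"{domain}: {e['attempts']} blocked login(s) from {len(e['users'])} user(s) "
            f"via {short_provider} on tenant {e['tenant']}"
        )
    out.append(f"{summary['auth_failures']} 'Failed to authenticate principal' error(s)")
    return out


def scan_file(path: str) -> dict:
    """Summarize a real log file (e.g. /var/log/vmware/sso/vmware-identity-sts.log)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return summarize(fh)


if __name__ == "__main__":
    result = scan_file(sys.argv[1]) if len(sys.argv) > 1 else summarize(SAMPLE_LINES)
    print("\n".join(report(result)))
```

The per-domain breakdown is the useful output: every domain it lists maps to a legacy identity source whose users will need an account in the federated provider once that source is deleted, and a domain that never appears can be removed without user-facing impact.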

Environment

vCenter 9.0 with a federated identity provider and a legacy provider handling a different domain.

Cause

Authenticating with credentials for a legacy identity provider while vCenter is also configured to use a federated provider in a different domain will fail.

Resolution

With vCenter Server 9.0, product design changes have made the legacy identity source unsupported; it should be deleted using sso-config. Reverting to the legacy authentication provider is no longer possible, as only the federated provider is now supported.

Delete the legacy identity source with sso-config. Take a snapshot of the vCenter Server before proceeding.

  1. SSH to the vCenter Server Appliance virtual machine and log in as root.
  2. List the configured identity sources:

    sso-config.sh -get_identity_sources

  3. Delete the legacy identity source:

    sso-config.sh -delete_identity_source -i <identity source name here>