AD logins take a few minutes to complete

Article ID: 397904


Products

VMware vCenter Server

Issue/Introduction

When an external Identity Source such as Active Directory over LDAP is configured, Active Directory logins to vCenter can take several minutes to complete if the required LDAP or LDAPS port is not open between the vCenter Server and the Domain Controllers. The login is slow rather than failing outright because SSO waits for its connection attempt to the unreachable Domain Controller URL to time out before falling back to a secondary URL that it can reach.

Cause

In /var/log/vmware/sso/ssoAdminServer.log, entries like the following show that SSO cannot reach the Domain Controller named in the Identity Source (ldaps://dc01.example.com in this example) and will fall back to any secondary URLs:

YYYY-MM-DDTHH:MM:SSZ WARN ssoAdminServer[127:pool-2-thread-20] [OpId=xxxxxxxxxx-xxx-xxx-xxxx-xxxxxxxxxxx] [com.vmware.identity.idm.server.ServerUtils] cannot bind connection: [ldaps://dc01.example.com, [email protected]]
YYYY-MM-DDTHH:MM:SSZ ERROR ssoAdminServer[127:pool-2-thread-20] [OpId=xxxxxxxxxx-xxx-xxx-xxxx-xxxxxxxxxxx] [com.vmware.identity.idm.server.ServerUtils] cannot establish ldap connection with URI: [ldaps://dc01.example.com] because [com.vmware.identity.interop.ldap.ServerDownLdapException] with reason [Can't contact LDAP server] therefore will try to attempt to use secondary URIs, if applicable

Resolution

Ensure that the TCP port used by the Identity Source's LDAP URL is allowed from the vCenter Server to every Domain Controller listed as a primary or secondary server URL, including through any host-based firewall on the Domain Controller itself. Match the port to the URL scheme that is configured: in the example above the URL is ldaps://, so TCP 636 (or 3269 if the URL points at a Global Catalog) must be reachable. Open the port the Identity Source already uses rather than switching the Identity Source from LDAPS to plain LDAP to work around the block.

The default LDAP ports are as follows:

  • TCP 389 - LDAP connecting to a Domain Controller
  • TCP 3268 - LDAP connecting to the Global Catalog server
  • TCP 636 - LDAPS connecting to a Domain Controller
  • TCP 3269 - LDAPS connecting to the Global Catalog server
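The following script is an added example for checking this from the vCenter appliance; it is not part of the KB article. It pulls the Domain Controller URLs that ssoAdminServer.log reports as unreachable, fills in the default port when the URL carries none, and attempts a TCP connection to each with a timeout. The log path is the one the article names (override it with the LOG environment variable), and the sample log lines embedded below are constructed from the article's error format with placeholder values so the parsing can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the KB article): find the Domain Controller URLs that
# ssoAdminServer.log reports as unreachable and test TCP reachability to each
# from the vCenter appliance, so a firewall gap is visible without waiting for
# another slow login.
# Assumptions: the log path is the one the article names and can be overridden
# with LOG; the sample lines below are constructed from the article's error
# format with example hostnames, OpIds and timestamps.

LOG=${LOG:-/var/log/vmware/sso/ssoAdminServer.log}

# Constructed sample: two unreachable URLs (one ldaps without a port, one ldap
# on the Global Catalog port) plus a bind warning that names the same DC.
SAMPLE_LOG=$(cat <<'EOF'
2024-01-01T00:00:00Z ERROR ssoAdminServer[127:pool-2-thread-20] [OpId=0000] [com.vmware.identity.idm.server.ServerUtils] cannot establish ldap connection with URI: [ldaps://dc01.example.com] because [com.vmware.identity.interop.ldap.ServerDownLdapException] with reason [Can't contact LDAP server] therefore will try to attempt to use secondary URIs, if applicable
2024-01-01T00:00:05Z ERROR ssoAdminServer[127:pool-2-thread-20] [OpId=0000] [com.vmware.identity.idm.server.ServerUtils] cannot establish ldap connection with URI: [ldap://dc02.example.com:3268] because [com.vmware.identity.interop.ldap.ServerDownLdapException] with reason [Can't contact LDAP server] therefore will try to attempt to use secondary URIs, if applicable
2024-01-01T00:00:05Z WARN ssoAdminServer[127:pool-2-thread-20] [OpId=0000] [com.vmware.identity.idm.server.ServerUtils] cannot bind connection: [ldaps://dc01.example.com, svc_vcenter@example.com]
EOF
)

# Default port for an LDAP URL that does not carry one: ldap:// -> 389, ldaps:// -> 636.
default_port() {
  case "$1" in
    ldap)  echo 389 ;;
    ldaps) echo 636 ;;
    *)     return 1 ;;
  esac
}

# Read log lines on stdin and print one "scheme host port" line per distinct URL
# that SSO failed to connect to. Only the "cannot establish ldap connection"
# lines are parsed; the "cannot bind connection" warnings name the same URL.
failed_uris() {
  sed -n 's/.*cannot establish ldap connection with URI: \[\([a-z]*\):\/\/\([^]:]*\)\(:\([0-9]*\)\)\{0,1\}\].*/\1 \2 \4/p' |
  while read -r scheme host port; do
    [ -n "$port" ] || port=$(default_port "$scheme") || continue
    printf '%s %s %s\n' "$scheme" "$host" "$port"
  done | LC_ALL=C sort -u
}

# TCP connect test with a 5 second timeout. Uses bash's /dev/tcp so it needs no
# nc or curl on the appliance. BLOCKED for a DC listed in the Identity Source is
# the condition the article describes.
check_port() {
  if timeout 5 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null; then
    printf 'open    %s:%s\n' "$1" "$2"
  else
    printf 'BLOCKED %s:%s\n' "$1" "$2"
  fi
}

if [ -r "$LOG" ]; then
  failed_uris <"$LOG" | while read -r scheme host port; do check_port "$host" "$port"; done
else
  echo "$LOG not readable; parsing the constructed sample instead:"
  printf '%s\n' "$SAMPLE_LOG" | failed_uris
fi
```

Run it as root on the vCenter appliance after a slow login. An open result for every listed Domain Controller on the port the Identity Source uses means the delay is not the firewall gap this article covers; a BLOCKED result points at the rule that needs to be added between the vCenter Server and that Domain Controller.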