Cannot configure Active Directory over LDAP identity source with error: "Failed Probe Provider Connectivity"

Article ID: 398387

Updated On: 06-27-2025

Products

VMware vCenter Server, VMware vCenter Server 8.0

Issue/Introduction

Symptoms

  • When attempting to add an Active Directory over LDAP identity source, the following error message is encountered:

"Cannot configure identity source due to Failed to probe provider connectivity [URI: ldap://domain.com]; tenantName [vsphere.local], userName [domain.com\user] Caused by: Can't contact LDAP server."

  • In /var/log/vmware/sso/ssoAdminServer.log, you may find entries similar to:

ERROR ssoAdminServer[100:pool-2-thread-7] [OpId=] [com.vmware.identity.admin.vlsi.SystemManagementServiceImpl] A bad packet was received from a DNS server. Potentially the requested address [domain.com] does not exist.
com.vmware.identity.admin.server.ims.ServerConfigurationException: A bad packet was received from a DNS server. Potentially the requested address [domain.com] does not exist.

ERROR ssoAdminServer[98:pool-2-thread-5] [OpId=] [com.vmware.identity.idm.server.IdentityManager] VmAfClientNativeException occurred
com.vmware.af.VmAfClientNativeException: AFD Native Error Occured: 11

 

Environment

VMware vCenter Server 7.0.x

VMware vCenter Server 8.0.x

Cause

  • This issue occurs when vCenter cannot resolve the domain name through DNS. DNS lookup is required for proper connectivity with the identity provider.

Resolution

  • To resolve this issue, verify that the external DNS servers configured on the vCenter can resolve both the forward and reverse DNS lookups for the domain name.

Verifying DNS Resolutions:

Verify Forward DNS Resolution:

  • Open an SSH session to the vCenter.
  • Run the following command to check whether the domain name resolves to the Domain Controller IP address:

nslookup domain.com

  • Ensure the DNS server returns the correct IP address.

Verify Reverse DNS Resolution:

  • Use the nslookup command to check the reverse DNS resolution for the corresponding IP address:

nslookup <IP_ADDRESS>

  • Confirm that the lookup correctly resolves back to the domain name.
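
The two checks above combined into one script, as an added example that is not part of the original article. It assumes the usual nslookup output layout; the function names, the LOOKUP override variable and the file name check_dns.sh are hypothetical, and a PTR record naming a host inside the domain (for example a Domain Controller) is accepted as a match.

```shell
# Added example: forward and reverse DNS check for an identity source domain.
# LOOKUP is a hypothetical override so the parsing can run without live DNS.
LOOKUP="${LOOKUP:-nslookup}"

# Answer-section IPs from nslookup output on stdin. The resolver's own
# "Address:" line precedes the first "Name:" line and is skipped.
forward_ips() {
    awk '/^Name:/ {seen=1; next} seen && /^Address/ {print $2}'
}

# PTR host names from reverse-lookup output, lower-cased, trailing dot removed.
reverse_names() {
    awk '/name = / {n=tolower($NF); sub(/\.$/, "", n); print n}'
}

# Succeed if host $1 is domain $2 itself or a host inside it.
in_domain() {
    case "$1" in
        "$2"|*."$2") return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 only if the domain resolves and every address maps back into it.
check_dns() {
    local domain ips ip name ok rc=0
    domain=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    ips=$("$LOOKUP" "$domain" 2>/dev/null | forward_ips)
    if [ -z "$ips" ]; then
        echo "FAIL forward: $domain returned no address"
        return 1
    fi
    for ip in $ips; do
        ok=no
        for name in $("$LOOKUP" "$ip" 2>/dev/null | reverse_names); do
            if in_domain "$name" "$domain"; then ok=yes; fi
        done
        if [ "$ok" = yes ]; then
            echo "OK   $domain -> $ip -> name in $domain"
        else
            echo "FAIL reverse: $ip has no PTR inside $domain"
            rc=1
        fi
    done
    return $rc
}

# Live use on the appliance (hypothetical file name): sh check_dns.sh domain.com
if [ $# -gt 0 ]; then check_dns "$1"; fi
```

A FAIL line for either direction points at the DNS records to correct before retrying the identity source configuration.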