In the Users and Groups panel of the Active Directory over LDAP identity source, enter the search bases that vCenter uses to look up users and groups.

Option                               Description
Base distinguished name for users    The base Distinguished Name (DN) of the container under which vCenter searches for user accounts.
Base distinguished name for groups   The base DN of the container under which vCenter searches for groups.
vCenter logs an error similar to the following in /var/log/vmware/sso/ssoAdminServer.log:
2025-05-25T11:23.30.125Z ERROR ssoAdminServer[109:pool-2-thread-4] [OpId=######] [com.vmware.identity.admin.vlsi.PrincipalDiscoveryServiceImpl]
Invalid principal: CN=SOMECN,DC=MYDOMAIN,DC=MYCOM
com.vmware.identity.admin.server.ims.PrincipalManagementException: Invalid principal:CN=SOMECN,DC=MYDOMAIN,DC=MYCOM
at com.vmware.identity.admin.server.ims.impl.PrincipalManagementImpl.logAndThrow(PrincipalManagementImpl.java:2731) ~[libsso-adminserver.jar:?]
at com.vmware.identity.admin.server.ims.impl.PrincipalManagementImpl.findPersonUsers(PrincipalManagementImpl.java:341) ~[libsso-adminserver.jar:?]
at com.vmware.identity.admin.vlsi.PrincipalDiscoveryServiceImpl$8.call(PrincipalDiscoveryServiceImpl.java:311) ~[libsso-adminserver.jar:?]
at com.vmware.identity.admin.vlsi.PrincipalDiscoveryServiceImpl$8.call(PrincipalDiscoveryServiceImpl.java:296) ~[libsso-adminserver.jar:?]
at com.vmware.identity.admin.vlsi.util.VmodlEnhancer.invokeVmodlMethod(VmodlEnhancer.java:186) [libsso-adminserver.jar:?]
at com.vmware.identity.admin.vlsi.PrincipalDiscoveryServiceImpl.findPersonUsers(PrincipalDiscoveryServiceImpl.java:296) [libsso-adminserver.jar:?]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_412]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_412]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_412]
at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_412]
at com.vmware.vim.vmomi.server.impl.InvocationTask.run(InvocationTask.java:86) [vlsi-server-8.0.3.0-14373555-alpha.jar:?]
at com.vmware.vim.vmomi.server.common.impl.RunnableWrapper$1.run(RunnableWrapper.java:47) [vlsi-server-8.0.3.0-14373555-alpha.jar:?]
at com.vmware.vim.vmomi.core.tracing.NoopTracer$NoopSpan.runWithinSpanContext(NoopTracer.java:120) [vlsi-core-8.0.3.0-14373555-alpha.jar:?]
at com.vmware.vim.vmomi.server.common.impl.TracingRunnableWrapper.run(TracingRunnableWrapper.java:62) [vlsi-server-8.0.3.0-14373555-alpha.jar:?]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_412]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_412]
at java.lang.Thread.run(Thread.java:750) [?:1.8.0_412]
Caused by: com.vmware.vim.sso.admin.exception.InvalidPrincipalException: The specified principal (CN=SOMECN,DC=MYDOMAIN,DC=MYCOM) is invalid.
vCenter 7.x
vCenter 8.x
The Base DN entered for users or groups does not match the directory: the container is an organizational unit, but its DN was written with CN= (the same failure occurs in the other direction, OU= written for a CN container). vCenter searches for the DN exactly as typed, finds no such object, and reports the principal as invalid.

If the container is a common-name object (for example the default Users container), use CN=:
CN=SOMECN,DC=MYDOMAIN,DC=MYCOM
If the container is an organizational unit, use OU=:
OU=SOMECN,DC=MYDOMAIN,DC=MYCOM
Note: if you are unsure which type the container is, check with your Active Directory administrator (or query the object's objectClass) before entering the DN.
"vCenter Server derives the AD domain to use for authorization and permissions from the Base Distinguished Name for users. You can add permissions on vSphere objects only for users and groups from this AD domain. Users or groups from AD child domains or other domains in the AD forest are not supported by vCenter Server Identity Provider Federation."
LDAP searches fail when the search base DN names the container with the wrong attribute type, for example CN= for an object that is actually an organizational unit (OU=). The two attribute types at issue:

CN   commonName              (containers such as the default Users container, and most leaf objects)
OU   organizationalUnitName  (organizational units)
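The following script is an added example and is not part of this article or of any VMware tooling. It applies the resolution and the CN/OU explanation above: each Base DN is split into its RDNs (RFC 4514 escaping honoured), the object it names is looked up, and a DN whose leading RDN uses CN= for an organizationalUnit (or OU= for a CN container) is reported together with the corrected DN. The directory contents are a constructed in-memory snapshot standing in for what an ldapsearch -s base or Get-ADObject query against a domain controller would return; SOMECN, MYDOMAIN and MYCOM are the placeholders from the log above, and the child-domain entry is an invented addition. It also goes one step beyond the article by flagging a groups Base DN whose DC components place it in a different domain from the users Base DN, following the quoted note that vCenter derives the authorization domain from the users DN.

```python
"""Check the Base DNs of a vCenter AD-over-LDAP identity source for the
CN=/OU= mix-up behind "Invalid principal: CN=SOMECN,DC=MYDOMAIN,DC=MYCOM".

Added example, not VMware code. The directory lookup is a constructed
snapshot; against a real domain the same answer comes from
    ldapsearch -H ldaps://<dc> -b "<dn>" -s base objectClass
or  Get-ADObject -Identity "<dn>" -Properties objectClass
"""

# Constructed snapshot of the containers in the domain, keyed by normalised DN
# (attribute types and values lower-cased, no whitespace around commas).
DIRECTORY = {
    "ou=somecn,dc=mydomain,dc=mycom": "organizationalUnit",
    "cn=users,dc=mydomain,dc=mycom": "container",
    "cn=builtin,dc=mydomain,dc=mycom": "builtinDomain",
    "ou=somecn,dc=child,dc=mydomain,dc=mycom": "organizationalUnit",  # invented child domain
}

# Attribute types that may name a search-base container in AD.
NAMING_ATTRIBUTES = ("OU", "CN")


def split_dn(dn):
    """Split a DN into (attribute_type, value) pairs, leftmost RDN first.
    Commas escaped with a backslash (RFC 4514) stay inside the value."""
    rdns, buf, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):   # keep the escape pair verbatim
            buf += dn[i:i + 2]
            i += 2
            continue
        if dn[i] == ",":
            rdns.append(buf)
            buf = ""
        else:
            buf += dn[i]
        i += 1
    rdns.append(buf)
    parsed = []
    for rdn in rdns:
        if "=" not in rdn:
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        attr, value = rdn.split("=", 1)
        parsed.append((attr.strip().upper(), value.strip()))
    return parsed


def normalise(rdns):
    """Canonical lookup key for a parsed DN."""
    return ",".join(f"{a.lower()}={v.lower()}" for a, v in rdns)


def domain_of(dn):
    """AD domain the DN belongs to, from its DC components (e.g. mydomain.mycom)."""
    return ".".join(v for a, v in split_dn(dn) if a == "DC").lower()


def check_base_dn(dn, directory=DIRECTORY):
    """Validate one Base DN against the directory.

    status is 'ok', 'wrong_type' (the container exists but is named with a
    different attribute, e.g. CN= written for an OU) or 'not_found';
    suggested_dn is the corrected DN when one can be determined."""
    rdns = split_dn(dn)
    (used_attr, name), parent = rdns[0], rdns[1:]
    if normalise(rdns) in directory:
        return {"status": "ok", "object_class": directory[normalise(rdns)],
                "suggested_dn": dn}
    # Same name under the same parent, but with another naming attribute?
    for attr in NAMING_ATTRIBUTES:
        candidate = normalise([(attr, name)] + parent)
        if candidate in directory:
            fixed = ",".join(f"{a}={v}" for a, v in [(attr, name)] + parent)
            return {"status": "wrong_type", "object_class": directory[candidate],
                    "used": used_attr, "expected": attr, "suggested_dn": fixed}
    return {"status": "not_found", "suggested_dn": None}


def check_identity_source(users_dn, groups_dn, directory=DIRECTORY):
    """Check both Base DNs of an identity source; returns a list of findings
    (an empty list means the pair looks consistent)."""
    findings = []
    for label, dn in (("users", users_dn), ("groups", groups_dn)):
        result = check_base_dn(dn, directory)
        if result["status"] == "wrong_type":
            findings.append(f"{label}: {dn} is of class {result['object_class']}, "
                            f"so its RDN must start with {result['expected']}=; "
                            f"use {result['suggested_dn']}")
        elif result["status"] == "not_found":
            findings.append(f"{label}: {dn} does not exist in the directory")
    # vCenter derives the AD domain from the users Base DN and only grants
    # permissions to principals from that domain; flag a groups DN elsewhere.
    if domain_of(users_dn) != domain_of(groups_dn):
        findings.append(f"groups: {groups_dn} is in {domain_of(groups_dn)}, "
                        f"not in the users domain {domain_of(users_dn)}")
    return findings


if __name__ == "__main__":
    # The mistake from the log above: CN= written for an organizational unit.
    for line in check_identity_source("CN=SOMECN,DC=MYDOMAIN,DC=MYCOM",
                                      "CN=Users,DC=MYDOMAIN,DC=MYCOM"):
        print(line)
```

Run it as-is to see the finding for the DN from the log; replace DIRECTORY with the result of a base-scope search against your own domain controller to check a real identity source before saving it in vCenter.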