Active Directory (AD) Users Unable to Log In to vCenter Server Due to Invalid LDAP Bind Credentials
search cancel

Active Directory (AD) Users Unable to Log In to vCenter Server Due to Invalid LDAP Bind Credentials

book

Article ID: 401985

calendar_today

Updated On:

Products

VMware vCenter Server

Issue/Introduction

  • AD users fail to log in to the vSphere Client.
  • The vCenter Server is integrated with Active Directory over LDAP or LDAPS.
  • The following errors may be observed in the logs: /var/log/vmware/likewise/Likewise.log
    ERROR lwio: [0x#####] GSS-API error calling gss_init_sec_context: ##### (<null>)
ERROR lwio: [0x#####] GSS-API error calling gss_init_sec_context: ##### (<null>)
ERROR lwio: [0x#####] GSS-API error calling gss_init_sec_context: ##### (<null>)

    Note : For vCenter 7.X this location can be configured to default or different locations.
  • For vCenter 8.X the path is fixed.
  • /var/log/vmware/sso/vmware-identity-sts.log
    [com.vmware.identity.interop.ldap.LdapErrorChecker] Error received by LDAP client: com.vmware.identity.interop.ldap.OpenLdapClientLibrary, error code: 49
[com.vmware.identity.idm.server.ServerUtils] cannot bind connection: [ldap://#####.com, #####.#####@#####.com] 
[com.vmware.identity.idm.server.ServerUtils] cannot establish ldap connection with URI: [ldap://#####.com] because [Invalid credentials] therefore will not attempt to use any secondary URIs
[com.vmware.identity.idm.server.provider.ldap.LdapWithAdMappingsProvider] Failed to retrieve upnSuffixes in AD over LDAP provider '#####.com' com.vmware.identity.interop.ldap.InvalidCredentialsLdapException: Invalid credentials
  • /var/log/vmware/sso/websso.log
     {\"user\":\"#####\",\"client\":\"##.##.##.##\",\"timestamp\":\"##/##/#### ##:##:## GMT\",\"description\":\"User #####@##.##.##.## failed to log in with response code 401\",\"eventSeverity\":\"INFO\",\"type\":\"com.vmware.sso.LoginFailure\"}

Environment

VMware vCenter Server 7.x
VMware vCenter Server 8.x

Cause

The vCenter Server was configured to connect to the LDAP directory using a bind account with invalid or outdated credentials. As a result, the LDAP bind request failed, and AD users were unable to authenticate.

Resolution

  • Log in to the vCenter Server using the vSphere Client with an account that has administrative privileges ([email protected]).
  • Navigate to: Menu > Administration > Single Sign-On > Configuration > Identity Sources
  • Edit the existing LDAP identity source:
  • Update the bind DN (Distinguished Name) user credentials with valid credentials.
  • Click Save to apply changes.
  • Retry logging in with an AD user to confirm the issue is resolved.

Additional Information

  • If LDAP bind credentials are invalid, the vCenter Server cannot query the LDAP directory, and all AD-based authentication will fail.

LDAP error code 49 is commonly associated with invalid credentials.

If the credentials change (e.g., due to password expiration), the bind account must be updated in the vCenter Server configuration.

Configuring Active Directory over LDAP authentication: https://knowledge.broadcom.com/external/article/316596 

  • The error code 49 may also occur in scenarios where the LDAP Identity Source is configured with a service account whose password has been changed, in Active Directory, but the new credentials have not been updated in the vCenter Single Sign-On (SSO) configuration, in this scenario, follow below steps:

    • Log in to the vSphere Client as an administrator (e.g., [email protected]).

    • Navigate to Administration > Single Sign-On > Configuration.

    • Under the Identity Sources tab, select the affected Active Directory (LDAP) or Active Directory (over LDAP) source.

    • Click Edit.

    • Update the Password field with the current, valid credentials for the configured service account.

    • Click Test Connection to verify the new credentials.

    • Click Save.

Powered by Wolken Software