Aria Automation API Login Fails for AD Service Accounts with "HTTP 400 Bad Request" and SSL Handshake Errors in Logs

Article ID: 411348

Updated On:

Products

VCF Automation

VMware vRealize Automation 8.x

Issue/Introduction

Service accounts from Active Directory are unable to log into the Aria Automation API and receive an "HTTP 400 Bad Request" error. These accounts were previously able to log in successfully. The issue can be verified with API calls made from a tool such as Postman, which fail with the same error.

Environment

Aria Automation

VMware Identity Manager

Cause

The failure of Active Directory service accounts to log into the Aria Automation API is caused by an SSL/TLS certificate issue during communication with the Active Directory service. This occurs because the Active Directory certificates were recently updated, but VMware Identity Manager (which manages Active Directory integration for Aria Automation) was not subsequently updated with the new, trusted certificates.

Review of the connector.log reveals critical errors indicating a problem with the secure communication handshake:

2025-09-23T13:45:01,756 ERROR (Thread-7) [<TENANT>;Service__OAuth2Client@<TENANT>;#.#.#.#;] com.vmware.horizon.connector.restapi.identity.resource.authbroker.apiauth.APIAuthResource - Failed to login com.vmware.horizon.authAdapter.AuthAdapterConfigException: Call to Directory Service failed.

Caused by: com.vmware.horizon.directory.DirectoryServiceException: Directory connectivity or configuration error (Err #002a).

Caused by: javax.net.ssl.SSLHandshakeException

Caused by: java.security.cert.CertificateException

These log entries point specifically to javax.net.ssl.SSLHandshakeException and java.security.cert.CertificateException, confirming a certificate problem during the SSL/TLS handshake. Aria Automation's Identity Manager attempts to establish a secure connection with Active Directory using an outdated or untrusted certificate, so the handshake fails and authentication cannot proceed. This produces the "Call to Directory Service failed" error and the subsequent "HTTP 400 Bad Request" in the API.
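As an added example (not from the article or from VMware tooling), the following Python groups each ERROR entry in connector.log with its "Caused by:" lines and separates certificate-trust failures from other directory errors that surface as the same HTTP 400. The sample log is constructed, and reading the second bracketed field as the login principal is an assumption.

```python
import re

# Constructed sample in the connector.log layout quoted above (tenant, accounts and IPs are made up).
LOGGER = "com.vmware.horizon.connector.restapi.identity.resource.authbroker.apiauth.APIAuthResource"
FAIL = "Failed to login com.vmware.horizon.authAdapter.AuthAdapterConfigException: Call to Directory Service failed."
DIR_CAUSE = "Caused by: com.vmware.horizon.directory.DirectoryServiceException: Directory connectivity or configuration error (Err #002a)."
SAMPLE_LOG = "\n".join([
    f"2025-09-23T13:45:01,756 ERROR (Thread-7) [acme;Service__OAuth2Client@acme;192.0.2.10;] {LOGGER} - {FAIL}",
    DIR_CAUSE, "Caused by: javax.net.ssl.SSLHandshakeException", "Caused by: java.security.cert.CertificateException",
    f"2025-09-23T13:46:10,102 ERROR (Thread-9) [acme;svc-report@acme;192.0.2.11;] {LOGGER} - {FAIL}",
    DIR_CAUSE, "Caused by: java.net.ConnectException",
    f"2025-09-23T13:47:00,000 INFO (Thread-3) [acme;-;-;] {LOGGER} - Login succeeded",
])

ENTRY = re.compile(r"^(\d{4}-\d{2}-\d{2}T[\d:,]+) (\w+) \(([^)]*)\) \[([^\]]*)\] (\S+) - (.*)$")
CAUSE = re.compile(r"^\s*Caused by: ([\w.$]+)")

def parse(text):
    """Return ERROR entries, each with the exception classes from its 'Caused by:' lines."""
    entries, cur = [], None
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            ts, level, _thread, ctx, _logger, msg = m.groups()
            cur = None  # a new timestamped line ends the previous cause chain
            if level == "ERROR":
                fields = ctx.split(";")
                # Assumption: the second context field is the principal that tried to log in.
                principal = fields[1] if len(fields) > 1 else ""
                cur = {"time": ts, "principal": principal, "message": msg, "causes": []}
                entries.append(cur)
        elif cur is not None and (c := CAUSE.match(line)):
            cur["causes"].append(c.group(1))
    return entries

def classify(entry):
    """Label a failed login by the most specific cause found in its chain."""
    if "Call to Directory Service failed" not in entry["message"]:
        return "other"
    if any(c.startswith("java.security.cert.") for c in entry["causes"]):
        return "directory-cert-trust"   # the case this article describes
    if any(c.startswith("javax.net.ssl.") for c in entry["causes"]):
        return "directory-tls-other"    # handshake failed, but not on certificate validation
    return "directory-other"            # e.g. the directory server is unreachable

def triage(text):
    return [(e["time"], e["principal"], classify(e)) for e in parse(text)]
```

Only entries labelled directory-cert-trust match the cause described in this article; the other labels indicate a directory failure with a different root cause.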

Resolution

To resolve the Active Directory authentication failure, configure the updated Active Directory certificate in the VMware Identity Manager (now Workspace ONE Access) UI. Identity Manager acts as the authentication source for Aria Automation against Active Directory, so when the Active Directory certificate is updated, the new certificate must be explicitly configured in Identity Manager before the SSL/TLS handshake between Identity Manager and Active Directory can succeed again. Configuring the updated certificate, verifying the Bind DN credentials, and performing a directory sync allows Identity Manager to trust the Active Directory server again, which restores proper synchronization and lets service accounts authenticate and log into the Aria Automation API without certificate-related SSLHandshakeException errors.

Steps:

  1. Log in to the VMware Identity Manager (Workspace ONE Access) UI.
  2. Navigate to the Directory settings for the affected Active Directory instance.
  3. Update these settings with the new Active Directory certificate.
  4. Provide and confirm the Bind DN password.
  5. Click "Test Connection" to verify successful communication with Active Directory using the new certificate.
  6. Perform a "Directory Sync" to ensure all directory information is up-to-date.