Aria Orchestrator workflows, when called from Aria Automation, intermittently fail because an LdapGroup type variable linked to a configuration is not initialized, returning "notfound." This leads to workflow failure despite the Active Directory (AD) group existing and the configuration variable remaining unchanged. Occasionally, the variable initializes correctly, returning the name of the AD group.
The issue manifests with the following error messages in the vRealize Orchestrator (vRO) logs:
2025-09-23T17:28:46.749Z ERROR vco [host='vco-app' thread='WorkflowExecutorPool-Thread-114' user='<USERID>' org='<ORGID>' trace='-'] {|__SYSTEM|USERID:<WORKFLOW> - Confirmation adresses IP:<IOP_ID>com.vmware.o11n.security.csp.CspLdapFactory - Can not find groups for <LDAPGROUP>.springframework.web.client.HttpClientErrorException$Unauthorized: 401 Unauthorized: "{"headers":{},"body":{"timestamp":TIME,"type":"CLIENT_ERROR","status":"401 UNAUTHORIZED","error":"Unauthorized","serverMessage":"Authentication failed."},"statusCode":"UNAUTHORIZED","statusCodeValue":401}"
This indicates an Unauthorized (HTTP 401) error with an "Authentication failed" message when vRO attempts to query for LDAP groups, leading to the "Can not find groups" error and the variable returning "notfound".
Aria Automation Orchestrator
Active Directory Plugin
Active Directory Domain Controller
The intermittent authentication failures and inability to find LDAP groups are due to an underlying issue with one or more Active Directory Domain Controllers (DC) in the environment. When the Microsoft Active Directory plugin in vRO is configured to use the domain name for connection, it implicitly relies on DNS resolution to provide a list of available Domain Controllers. If there is a failed, decommissioned, or otherwise unhealthy Domain Controller within the environment, vRO's attempts to connect to it can intermittently fail with an Unauthorized (401) error, as seen in the logs. This prevents the plugin from successfully querying for LDAP groups, leading to the "Can not find groups" error and the LdapGroup variable remaining uninitialized ("notfound"). The intermittent nature of the issue is explained by vRO successfully connecting to a healthy DC at other times.
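To find which Domain Controller behind the domain name is the unhealthy one, the following added example (not part of the original article or of the vRO plugin) resolves the domain name to every address DNS returns and probes each one several times on the LDAP port. The function names, the three-round default and the placeholder domain corp.example.com are assumptions made for this example. An open TCP port is only a first-pass signal, because a DC that accepts connections can still reject binds.

```python
import socket
import sys


def resolve_dcs(domain):
    """Return every address the AD domain name currently resolves to."""
    infos = socket.getaddrinfo(domain, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def tcp_open(address, port, timeout=3.0):
    """True if a TCP connection to address:port succeeds within timeout."""
    try:
        with socket.create_connection((address, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_dcs(domain, port=389, rounds=3, resolve=resolve_dcs, probe=tcp_open):
    """Probe each resolved address `rounds` times; return {address: failures}."""
    failures = {addr: 0 for addr in resolve(domain)}
    for _ in range(rounds):
        for addr in failures:
            if not probe(addr, port):
                failures[addr] += 1
    return failures


def classify(failures):
    """Split addresses into (healthy, suspect); one failed probe means suspect."""
    healthy = sorted(a for a, n in failures.items() if n == 0)
    suspect = sorted(a for a, n in failures.items() if n > 0)
    return healthy, suspect


if __name__ == "__main__":
    # "corp.example.com" is a placeholder; pass the real AD domain name.
    domain = sys.argv[1] if len(sys.argv) > 1 else "corp.example.com"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 389  # 636 for LDAPS
    try:
        healthy, suspect = classify(probe_dcs(domain, port))
    except socket.gaierror as exc:
        sys.exit(f"cannot resolve {domain}: {exc}")
    print("healthy:", ", ".join(healthy) or "none")
    print("suspect:", ", ".join(suspect) or "none")
```

Run it from a host that uses the same DNS servers as the Orchestrator appliance, so that it sees the same list of Domain Controllers.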
To prevent intermittent authentication failures caused by problematic Active Directory Domain Controllers, reconfigure the Microsoft Active Directory plugin in vRO to explicitly use a specific, healthy Domain Controller by its IP address or fully qualified domain name (FQDN), rather than relying on the domain name for resolution. Optionally, configure a failover server.
By configuring the Microsoft Active Directory plugin to use a specific, known-good Domain Controller, vRO will consistently direct its authentication and LDAP queries to a reliable server. This bypasses any intermittent issues caused by unhealthy or inaccessible DCs that might be contacted when relying on domain-level DNS resolution, thereby ensuring stable and successful communication. This direct targeting eliminates the "Unauthorized" errors and allows the LdapGroup variable to resolve correctly every time, ensuring workflow completion.
Steps: