Users from Trusted AD Domain unable to login to vCenter Server configured with AD over LDAP as Identity Source

Article ID: 413758

Products

VMware vCenter Server

Issue/Introduction

  • This article explains the issue where users from a trusted Active Directory (AD) domain are unable to log in to a vCenter Server configured with Active Directory over LDAP as the Identity Source. It also describes why this occurs and how to correctly configure identity sources when Active Directory trusts are involved.

  • Users from a trusted AD domain are unable to authenticate to the vCenter Server. vCenter login fails with the following error: “Invalid credentials”.

  • The trusted domain is in a two-way trust relationship with the primary Active Directory domain.

  • A two-way AD domain trust is configured, for example:
    • Primary domain: example.com
    • Trusted domain: example1.com

  • The following log entries are observed on the vCenter Server when users from the trusted domain attempt to log in, in the log file /var/log/vmware/sso/websso.log:
    YYYY-MM-DDTHH:MM:SS INFO websso[49:tomcat-http--11] [CorId=we#####-####-####-####-########78] [com.vmware.identity.diagnostics.VmEventAppender] EventLog: source=[VMware Identity Server], tenant=[local_SSO_domain], eventid=[USER_NAME_PWD_AUTH_FAILED], level=[ERROR], category=[VMEVENT_CATEGORY_STS], text=[Failed to authenticate principal [example1.com\User_Name]. Access denied], detailText=[Access denied], corelationId=[we#####-####-####-####-########78], timestamp=[Timestamp]
    YYYY-MM-DDTHH:MM:SS ERROR websso[49:tomcat-http--11] [CorId=we#####-####-####-####-########78] [com.vmware.identity.idm.server.IdentityManager] Failed to authenticate principal [example1.com\User_Name]. Access denied
    com.vmware.identity.idm.IDMLoginException: Access denied
            at com.vmware.identity.idm.server.IdentityManager.authenticate(IdentityManager.java:3125) [libvmware-identity-idm-server.jar:?]
            at com.vmware.identity.idm.server.IdentityManager.authenticate(IdentityManager.java:10530

Environment

VMware vCenter Server

Cause

The issue occurs because of how Active Directory over LDAP authenticates: the identity source binds to the domain it was configured for, and LDAP has no built-in trust traversal, so users from a trusted domain are not resolved through the trust. Each domain must therefore be explicitly added as a separate identity source.

Resolution

To allow users from the trusted AD domain or a child domain to log in to vCenter Server, add the trusted domain or child domain as a separate LDAP identity source in vCenter Server.

Follow the steps in the following document to add the trusted domain as another identity source in vCenter Server: Add or Edit a vCenter Single Sign-On Identity Source
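Before adding an identity source, it helps to confirm from websso.log which domains the failing principals belong to and whether any of them lack a configured identity source, so that a missing identity source is not confused with an ordinary wrong-password failure. The following is an added example, not part of this article or of VMware's tooling: it parses USER_NAME_PWD_AUTH_FAILED events of the shape shown above from constructed sample log lines (the tenant name, correlation ids, user names and timestamps are placeholders) and compares the principals' domains against a list of identity-source domains that you supply (here assumed to be just example.com).

```python
import re
from typing import Dict, List

# Constructed sample lines in the shape of /var/log/vmware/sso/websso.log.
# Tenant, CorId values, users and timestamps are placeholders, not real output.
SAMPLE_WEBSSO_LOG = """\
2024-01-01T10:00:01 INFO websso[49:tomcat-http--11] [CorId=we000000-0000-0000-0000-000000000078] [com.vmware.identity.diagnostics.VmEventAppender] EventLog: source=[VMware Identity Server], tenant=[vsphere.local], eventid=[USER_NAME_PWD_AUTH_FAILED], level=[ERROR], category=[VMEVENT_CATEGORY_STS], text=[Failed to authenticate principal [example1.com\\alice]. Access denied], detailText=[Access denied], corelationId=[we000000-0000-0000-0000-000000000078], timestamp=[1704103201]
2024-01-01T10:00:02 ERROR websso[49:tomcat-http--11] [CorId=we000000-0000-0000-0000-000000000078] [com.vmware.identity.idm.server.IdentityManager] Failed to authenticate principal [example1.com\\alice]. Access denied
2024-01-01T10:01:05 INFO websso[49:tomcat-http--12] [CorId=we000000-0000-0000-0000-000000000079] [com.vmware.identity.diagnostics.VmEventAppender] EventLog: source=[VMware Identity Server], tenant=[vsphere.local], eventid=[USER_NAME_PWD_AUTH_FAILED], level=[ERROR], category=[VMEVENT_CATEGORY_STS], text=[Failed to authenticate principal [example.com\\bob]. Access denied], detailText=[Access denied], corelationId=[we000000-0000-0000-0000-000000000079], timestamp=[1704103265]
2024-01-01T10:02:00 INFO websso[49:tomcat-http--13] [CorId=we000000-0000-0000-0000-000000000080] [com.vmware.identity.diagnostics.VmEventAppender] EventLog: source=[VMware Identity Server], tenant=[vsphere.local], eventid=[USER_NAME_PWD_AUTH_FAILED], level=[ERROR], category=[VMEVENT_CATEGORY_STS], text=[Failed to authenticate principal [example1.com\\carol]. Access denied], detailText=[Access denied], corelationId=[we000000-0000-0000-0000-000000000080], timestamp=[1704103320]
"""

# The principal is logged as DOMAIN\user inside square brackets.
PRINCIPAL_RE = re.compile(r"Failed to authenticate principal \[(?P<principal>[^\]]+)\]")


def principal_domain(principal: str) -> str:
    """Return the domain part of DOMAIN\\user or user@DOMAIN, lower-cased.

    An unqualified principal yields "" (it would be resolved against the
    default domain, which this check deliberately does not guess).
    """
    if "\\" in principal:
        return principal.split("\\", 1)[0].lower()
    if "@" in principal:
        return principal.rsplit("@", 1)[1].lower()
    return ""


def failed_logins_by_domain(log_text: str) -> Dict[str, List[str]]:
    """Map each domain seen in USER_NAME_PWD_AUTH_FAILED events to its principals.

    Only the EventLog line carries the eventid, so the paired ERROR line with
    the same CorId is skipped and each failure is counted once.
    """
    failures: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        if "eventid=[USER_NAME_PWD_AUTH_FAILED]" not in line:
            continue
        match = PRINCIPAL_RE.search(line)
        if not match:
            continue
        principal = match.group("principal")
        failures.setdefault(principal_domain(principal), []).append(principal)
    return failures


def domains_missing_identity_source(
    log_text: str, configured_domains: List[str]
) -> Dict[str, List[str]]:
    """Failed-login domains that have no identity source configured.

    configured_domains is the list of domains already added as identity
    sources (assumed input; read it from the vSphere Client's Identity
    Sources page). A domain that is configured but still fails points at
    credentials or the source itself, not at a missing trust hop.
    """
    configured = {d.lower() for d in configured_domains}
    return {
        domain: principals
        for domain, principals in failed_logins_by_domain(log_text).items()
        if domain and domain not in configured
    }


if __name__ == "__main__":
    # Assumed: only the primary domain example.com is configured as an identity source.
    missing = domains_missing_identity_source(SAMPLE_WEBSSO_LOG, ["example.com"])
    for domain, principals in missing.items():
        print(f"{domain}: {len(principals)} failed login(s), no identity source configured")
        for p in principals:
            print(f"  {p}")
```

In the sample, bob from example.com also fails, but because example.com is a configured identity source that failure is reported as an ordinary authentication problem, while example1.com is flagged as the domain that needs its own LDAP identity source. On a real appliance, read the log with an elevated shell and replace SAMPLE_WEBSSO_LOG with the file contents.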

Additional Information