Active directory over LDAPS identity source configuration fails on vCenter server with error: "Cannot configure identity source due to Failed to probe provider connectivity"

Article ID: 414872

Products

VMware vCenter Server

Issue/Introduction

  • When trying to add an identity source using Active Directory over LDAPS, the operation fails with the error:

"Cannot configure identity source due to Failed to probe provider connectivity [URI: ldaps://DOMAIN-Controller:636 ldaps://DOMAIN-Controller:636 ]; tenantName [vsphere.local], userName [DOMAIN\username] Caused by: Can't contact LDAP server."

  • The following entries appear in /var/log/vmware/sso/ssoAdminServer.log:

20xx-xx-xxT10:59:04.892Z INFO ssoAdminServer[98:pool-2-thread-2] [OpId=mfnm1uz6-178388-auto-3tnb-h5:70030232] [auditlogger] {\"user\":\"[email protected]\",\"client\":\"\",\"timestamp\":\"xx/xx/xx25 10:59:04 GMT\",\"description\":\"Updating ldap identity source 'DomainController.COM' details to ..
..
ssoAdminServer.log:20xx-xx-xxT10:59:04.912Z WARN ssoAdminServer[98:pool-2-thread-2] [OpId=mfnm1uz6-178388-auto-3tnb-h5:70030232] [com.vmware.identity.idm.server.ServerUtils] cannot bind connection: [ldaps://ny6n-infwads01.DomainController.COM:636,[email protected]]
ssoAdminServer.log:20xx-xx-xxT10:59:04.912Z ERROR ssoAdminServer[98:pool-2-thread-2] [OpId=mfnm1uz6-178388-auto-3tnb-h5:70030232] [com.vmware.identity.idm.server.ServerUtils] cannot establish ldap connection with URI: [ldaps://DC01.DomainController.COM:636] because [com.vmware.identity.interop.ldap.ServerDownLdapException] with reason [Can't contact LDAP server] therefore will try to attempt to use secondary URIs, if applicable
ssoAdminServer.log:20xx-xx-xxT10:59:04.912Z WARN ssoAdminServer[98:pool-2-thread-2] [OpId=mfnm1uz6-178388-auto-3tnb-h5:70030232] [com.vmware.identity.idm.server.IdentityManager] Failed to probe provider connectivity [URI: ldaps://DC01.DomainController.COM:636 ldaps://DC02.DomainController.COM:636 ]; tenantName [vsphere.local], userName [[email protected]]
ssoAdminServer.log:20xx-xx-xxT10:59:04.912Z ERROR ssoAdminServer[98:pool-2-thread-2] [OpId=mfnm1uz6-178388-auto-3tnb-h5:70030232] [com.vmware.identity.idm.server.ServerUtils] Exception 'com.vmware.identity.idm.IDMLoginException: Failed to probe provider connectivity [URI: ldaps://DC01.DomainController.COM:636 ldaps://DC02.DomainController.COM:636 ]; tenantName [vsphere.local], userName [email protected]]'
ssoAdminServer.log:20xx-xx-xxT10:59:04.912Z ERROR ssoAdminServer[98:pool-2-thread-2] [OpId=mfnm1uz6-178388-auto-3tnb-h5:70030232] [com.vmware.identity.admin.server.ims.impl.IdentitySourceManagementImpl] Failed to probe provider connectivity [URI: ldaps://DC01.DomainController.COM:636 ldaps://DC02.DomainController.COM:636 ]; tenantName [vsphere.local], userName [[email protected]]
ssoAdminServer.log:20xx-xx-xxT10:59:04.912Z INFO ssoAdminServer[98:pool-2-thread-2] [OpId=mfnm1uz6-178388-auto-3tnb-h5:70030232] [com.vmware.identity.admin.vlsi.IdentitySourceManagementServiceImpl] Failed to probe provider connectivity [URI: ldaps://DC01.DomainController.COM:636 ldaps://DC02.DomainController.COM:636 ]; tenantName [vsphere.local], userName [[email protected]]

  • The external DNS servers configured on the vCenter server resolve both the forward and the reverse lookup of the domain name.

  • The domain controller does not return a certificate when you fetch it with the openssl command from the vCenter server:

    openssl s_client -connect domain_controller.example.com:636 -showcerts

    For example:

      CONNECTED(00000003)
      write:errno=104
      ---
      no peer certificate available
      ---
      No client certificate CA names sent
      ---
      SSL handshake has read 0 bytes and written 314 bytes
      Verification: OK

  • LDAPS port 636 is open on the domain controller.

  • The certificate is valid (you can confirm this by checking whether the certificate from the same domain controller works on another vCenter server, if one is available in the environment).
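A small triage helper for the log snippet and the openssl check above, added here as an example (it is not part of this article or of vCenter Server). It pulls the URI, exception class and reason out of the ssoAdminServer.log ServerUtils lines, classifies an openssl s_client transcript so that "TCP connected, 314 bytes written, 0 bytes read, no peer certificate" is reported as the peer closing the connection during the handshake (errno 104 is ECONNRESET) rather than as a certificate problem, and offers a live probe built on Python's ssl module that returns the same verdicts. The log excerpt and both transcripts are constructed samples modelled on the article's output; the host names are placeholders.

```python
import re
import socket
import ssl

# Constructed sample transcripts. The first reproduces the failing output shown in the
# article (hostname is a placeholder); the second is what a healthy LDAPS endpoint
# looks like, abbreviated, with a placeholder instead of a real certificate.
FAILING_S_CLIENT_OUTPUT = """\
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 314 bytes
Verification: OK
"""

HEALTHY_S_CLIENT_OUTPUT = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = dc01.example.com
   i:CN = Example Root CA
-----BEGIN CERTIFICATE-----
MIIB...constructed placeholder, not a real certificate...
-----END CERTIFICATE-----
---
SSL handshake has read 2048 bytes and written 400 bytes
Verification: OK
"""

# Constructed ssoAdminServer.log excerpt modelled on the lines quoted in the article.
SAMPLE_SSO_LOG = """\
20xx-xx-xxT10:59:04.912Z WARN ssoAdminServer[98:pool-2-thread-2] [com.vmware.identity.idm.server.ServerUtils] cannot bind connection: [ldaps://DC01.DomainController.COM:636,[email protected]]
20xx-xx-xxT10:59:04.912Z ERROR ssoAdminServer[98:pool-2-thread-2] [com.vmware.identity.idm.server.ServerUtils] cannot establish ldap connection with URI: [ldaps://DC01.DomainController.COM:636] because [com.vmware.identity.interop.ldap.ServerDownLdapException] with reason [Can't contact LDAP server] therefore will try to attempt to use secondary URIs, if applicable
"""

PROBE_RE = re.compile(
    r"cannot establish ldap connection with URI: \[(?P<uri>[^\]]+)\] because "
    r"\[(?P<exception>[^\]]+)\] with reason \[(?P<reason>[^\]]+)\]"
)


def extract_probe_failures(log_text):
    """Pull URI, exception class and reason out of the ServerUtils ERROR lines."""
    return [m.groupdict() for m in PROBE_RE.finditer(log_text)]


def parse_s_client(output):
    """Classify an `openssl s_client -connect host:636 -showcerts` transcript."""
    connected = "CONNECTED(" in output
    peer_cert = "BEGIN CERTIFICATE" in output and "no peer certificate available" not in output
    m = re.search(r"errno=(\d+)", output)
    errno = int(m.group(1)) if m else None
    m = re.search(r"handshake has read (\d+) bytes and written (\d+) bytes", output)
    read_bytes, written_bytes = (int(m.group(1)), int(m.group(2))) if m else (0, 0)

    if not connected:
        verdict = "tcp-unreachable"   # TCP never connected: closed or filtered port
    elif peer_cert:
        verdict = "cert-returned"     # TLS works; anything left is trust or validity
    elif read_bytes == 0:
        # TCP connected and the ClientHello was written, but nothing came back: the
        # peer closed the connection before sending ServerHello. errno 104 is ECONNRESET.
        verdict = "handshake-reset"
    else:
        verdict = "handshake-failed"  # some TLS data came back but no usable certificate
    return {"connected": connected, "peer_cert": peer_cert, "errno": errno,
            "read_bytes": read_bytes, "written_bytes": written_bytes, "verdict": verdict}


def probe_ldaps(host, port=636, timeout=5.0):
    """Live equivalent of the openssl check; returns the same verdicts as parse_s_client."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE   # only asking "does the DC send a certificate at all?"
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            try:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    return "cert-returned" if tls.getpeercert(binary_form=True) else "handshake-failed"
            except (ConnectionResetError, ssl.SSLEOFError):
                return "handshake-reset"   # peer closed before sending a certificate
            except ssl.SSLError:
                return "handshake-failed"
    except OSError:
        return "tcp-unreachable"


if __name__ == "__main__":
    for name, text in (("failing", FAILING_S_CLIENT_OUTPUT), ("healthy", HEALTHY_S_CLIENT_OUTPUT)):
        print(name, parse_s_client(text)["verdict"])
    for f in extract_probe_failures(SAMPLE_SSO_LOG):
        print(f["uri"], "->", f["reason"])
```

The verdict strings separate the three cases a network team needs to tell apart: the port is closed or filtered (tcp-unreachable), the port accepts the TCP connection but something closes it before a certificate is sent (handshake-reset, the article's symptom), or a certificate arrives and any remaining failure is a trust problem on the vCenter side.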

Environment

VMware vCenter Server 8.0.x

Cause

This issue can occur when the domain controller is unable to respond to queries from the vCenter server.

Resolution

Engage your network team to identify whether any issue or blockage exists between the domain controller and the vCenter server.

Additional Information

Cannot configure Active directory over ldap identity source with error: "Failed Probe Provider Connectivity"

Active Directory over LDAP and OpenLDAP Server Identity Source Settings

Primary Server URL in LDAP config

Primary domain controller LDAP server for the domain. You can use either the host name or the IP address. Use the format ldap://hostname_or_IPaddress:port or ldaps://hostname_or_IPaddress:port

The port is typically 389 for LDAP connections and 636 for LDAPS connections. For Active Directory multi-domain controller deployments, the port is typically 3268 for LDAP and 3269 for LDAPS.

A certificate that establishes trust for the LDAPS endpoint of the Active Directory server is required when you use "ldaps://" in the primary or the secondary LDAP URL.
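A check for the primary and secondary server URL fields, added here as an example (it is not from the article or the product). It parses ldap:// and ldaps:// URLs, applies the port conventions described above, flags a scheme/port mismatch such as ldap:// on 636, and reports whether the URL is a Global Catalog address and whether a trust certificate will be needed. The host names in the usage lines are placeholders.

```python
from urllib.parse import urlsplit

# Conventional ports from the article: a single domain controller on 389/636,
# the Global Catalog (multi-domain deployments) on 3268/3269.
EXPECTED_PORTS = {"ldap": (389, 3268), "ldaps": (636, 3269)}


def check_ldap_url(url):
    """Parse a primary/secondary server URL and report what the scheme and port imply."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    problems, notes = [], []

    if scheme not in EXPECTED_PORTS:
        problems.append(f"scheme must be ldap or ldaps, got {parts.scheme!r}")
    if not parts.hostname:
        problems.append("missing host name or IP address")
    try:
        port = parts.port          # None when absent, ValueError when not numeric
    except ValueError:
        port = None
        problems.append("port is not a valid number")

    if scheme in EXPECTED_PORTS:
        other = "ldaps" if scheme == "ldap" else "ldap"
        if port is None and not problems:
            port = EXPECTED_PORTS[scheme][0]
            notes.append(f"no port given; the documented format expects one, assuming {port}")
        elif port in EXPECTED_PORTS[other]:
            # ldap:// on 636/3269 or ldaps:// on 389/3268 cannot work: wrong protocol for the port
            problems.append(f"port {port} is a {other} port but the scheme is {scheme}")
        elif port is not None and port not in EXPECTED_PORTS[scheme]:
            notes.append(f"port {port} is non-standard for {scheme}")

    return {"scheme": scheme, "host": parts.hostname, "port": port,
            "global_catalog": port in (3268, 3269),
            "needs_trust_cert": scheme == "ldaps",
            "problems": problems, "notes": notes}


if __name__ == "__main__":
    for u in ("ldaps://dc01.example.com:636", "ldap://dc01.example.com:3268",
              "ldap://dc01.example.com:636", "ldaps://dc01.example.com"):
        r = check_ldap_url(u)
        print(u, "->", "OK" if not r["problems"] else r["problems"], r["notes"])
```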