User Login to vCenter fails after updating the ADFS user bind account password
Article ID: 416504

Products

VMware vCenter Server

Issue/Introduction

Environment

vCenter 8.x

Cause

  • A stale AD over LDAP(s) Identity Source configuration is present, visible when running 'sso-config.sh -get_identity_sources'.

  • The credentials stored in that stale Identity Source are used for the AD over LDAP(s) connection instead of the bind account configured in the vSphere Client UI, so the updated password is never used.

  • When vCenter is ADFS Federated, only the SYSTEM and LOCAL_OS domains should be returned when listing identity sources from the CLI, as in the following healthy example:

root@vcenter8 [ ~ ]#  sso-config.sh -get_identity_sources

Total number of identitysources retrieved for tenant:vsphere.local : 2
********** IDENTITY SOURCE INFORMATION **********
IdentitySourceName        :  vsphere.local
DomainType                :  SYSTEM_DOMAIN

********** IDENTITY SOURCE INFORMATION **********
IdentitySourceName        :  localos
DomainType                :  LOCAL_OS_DOMAIN


Resolution

1) Backup vCenter using the VAMI and take a snapshot of vCenter.

2) Delete the stale Identity Source, passing its IdentitySourceName as the identityStoreName argument:

vcsa# sso-config.sh -delete_identity_source -i identityStoreName

Note: Do NOT Delete IdentitySourceName vsphere.local (SYSTEM DOMAIN) or localos (LOCAL_OS_DOMAIN)

3) Restart vCenter Services

vcsa# service-control --stop --all;service-control --start --all

Tip: Monitor the service restart from a second SSH session:

vcsa# watch "service-control --status"

4) Test user login and confirm that user/group permissions have been retained. If they have not, revert to the backup and contact support.

5) Test updating the bind account for the ADFS Federated AD over LDAP(s) connection, then test user login again as needed.
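The following shell script is an added example, not part of this article or of VMware's tooling. It applies the rule stated in the Cause section (an ADFS-federated vCenter should list only SYSTEM_DOMAIN and LOCAL_OS_DOMAIN sources) to the output of 'sso-config.sh -get_identity_sources' and prints the delete command from step 2 for each remaining source as a dry-run plan, so the operator can review exactly what would be removed before touching anything. The listing embedded in sample_output is constructed for the example; the extra source name corp.example.com and its DomainType value EXTERNAL_DOMAIN are assumptions, not values from the article.

```shell
#!/bin/sh
# Added example (not VMware's code): find identity sources that should not
# exist on an ADFS-federated vCenter and plan their removal without running it.

# Constructed sample listing modelled on the article's output, with one
# hypothetical stale AD over LDAP(s) source appended for illustration.
sample_output() {
  cat <<'EOF'
Total number of identitysources retrieved for tenant:vsphere.local : 3
********** IDENTITY SOURCE INFORMATION **********
IdentitySourceName        :  vsphere.local
DomainType                :  SYSTEM_DOMAIN

********** IDENTITY SOURCE INFORMATION **********
IdentitySourceName        :  localos
DomainType                :  LOCAL_OS_DOMAIN

********** IDENTITY SOURCE INFORMATION **********
IdentitySourceName        :  corp.example.com
DomainType                :  EXTERNAL_DOMAIN
EOF
}

# Read a listing on stdin and print the IdentitySourceName of every source
# whose DomainType is neither SYSTEM_DOMAIN nor LOCAL_OS_DOMAIN.
# Each source block lists IdentitySourceName before DomainType, so the name
# is remembered and only emitted once the type line shows it is stale.
stale_identity_sources() {
  awk '
    /^IdentitySourceName/ { name = $3 }
    /^DomainType/ {
      if ($3 != "SYSTEM_DOMAIN" && $3 != "LOCAL_OS_DOMAIN") print name
    }
  '
}

# Dry run: print the step-2 delete command for each stale source, one per
# line, without executing it. The two protected domains never appear here.
plan_cleanup() {
  stale_identity_sources | while read -r name; do
    printf 'sso-config.sh -delete_identity_source -i %s\n' "$name"
  done
}
```

On the appliance itself the live listing would be piped in instead of the sample, i.e. 'sso-config.sh -get_identity_sources | plan_cleanup' after the functions are sourced; the printed commands are then run by hand only after the backup and snapshot from step 1 are in place.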