Unable to login to vCenter using Smartcard (token) when user account is the same in different LDAP domains
Article ID: 416648

Products

VMware vCenter Server

Issue/Introduction

  • User fails to log in with a Smartcard (token)
  • User has the same account name in domain 1 and in domain 2
  • vCenter is configured with two LDAP identity sources, one per domain

Environment

vCenter 8.x

Cause

Users who belong to a domain that is not the default domain must include the domain name when they log in.

Resolution

Each identity provider:

    • Uses an Active Directory Global Catalog corresponding to that domain in the Primary Server URL.
    • Has a Base DN for users and a Base DN for groups set to the top-level domain (e.g. DC=example,DC=com). This allows vCenter to query the Active Directory Global Catalog in full, rather than being scoped to a particular domain.
      • If the Base DN for users and the Base DN for groups were configured as DC=domain-b,DC=example,DC=com, the identity provider would only be able to query information about domain-b and would exclude everything about domain-a and domain-c.
    • Has an alias so that users can authenticate with the NetBIOS name (e.g. "domain-b\user01" vs "user01@domain-b.example.com").
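The following is an added check, not part of this KB or of vCenter itself: it tests an identity-source configuration against the three rules above (Global Catalog port in the Primary Server URL, Base DNs at the forest root, alias present). The dict keys, the forest-root argument and both sample configurations are assumptions constructed for the example.

```python
"""Check vCenter LDAP identity-source settings against the rules in this KB."""
from urllib.parse import urlparse

GLOBAL_CATALOG_PORTS = {3268, 3269}  # LDAP / LDAPS ports served by an AD Global Catalog


def domain_to_dn(fqdn):
    """'example.com' -> 'DC=example,DC=com'."""
    return ",".join(f"DC={label}" for label in fqdn.strip().lower().split("."))


def normalize_dn(dn):
    """Canonical form so 'dc = Example , DC=COM' compares equal to 'DC=example,DC=com'."""
    rdns = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        rdns.append(f"{attr.strip().upper()}={value.strip().lower()}")
    return ",".join(rdns)


def check_identity_source(source, forest_root):
    """Return findings for one identity source (empty list = follows the KB guidance).
    source keys (assumed names): primary_server_url, base_dn_users, base_dn_groups, alias."""
    findings = []
    url = urlparse(source["primary_server_url"])
    if url.port not in GLOBAL_CATALOG_PORTS:
        findings.append(f"port {url.port} is not a Global Catalog port (3268/3269)")
    root_dn = domain_to_dn(forest_root)
    for key in ("base_dn_users", "base_dn_groups"):
        if normalize_dn(source[key]) != root_dn:
            findings.append(f"{key} {source[key]!r} is scoped below the forest root {root_dn}")
    if not source.get("alias"):
        findings.append("no alias; NetBIOS-style logins (DOMAIN\\user) cannot match this source")
    return findings


# Constructed sample configurations (not taken from the KB): a narrow one and a corrected one.
NARROW_SOURCE = {
    "primary_server_url": "ldaps://dc01.domain-b.example.com:636",  # plain LDAPS, not the GC
    "base_dn_users": "DC=domain-b,DC=example,DC=com",
    "base_dn_groups": "DC=domain-b,DC=example,DC=com",
    "alias": "",
}
CORRECTED_SOURCE = {
    "primary_server_url": "ldaps://dc01.domain-b.example.com:3269",  # Global Catalog over TLS
    "base_dn_users": "DC=example,DC=com",
    "base_dn_groups": "DC=example,DC=com",
    "alias": "domain-b",
}
```

Running `check_identity_source(NARROW_SOURCE, "example.com")` reports all four problems, while the corrected source returns no findings.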