Active Directory logins to vCenter fail after LDAPS certificate renewal
Article ID: 418361

Products

VMware vCenter Server

Issue/Introduction

Users are unable to log in to the vSphere Client with Active Directory (AD) credentials. Logins with local SSO accounts (e.g., administrator@vsphere.local, or the administrator of your own SSO domain) continue to work.

This typically starts right after the TLS (SSL) certificate on the LDAPS provider, i.e. the external Active Directory load balancer or the domain controller that vCenter connects to on port 636, has been renewed or replaced.

Environment

  • VMware vCenter 7.x
  • VMware vCenter 8.x

Cause

vCenter's Single Sign-On (SSO) component does not trust the LDAPS provider through the system certificate store. It trusts only the certificate(s) that were uploaded in the Certificates (for LDAPS) section when the identity source was configured, and validates the certificate presented by the LDAPS server against that stored set.

When the AD load balancer certificate is renewed, vCenter still holds the previous certificate. The certificate now presented by the load balancer no longer validates against it, the TLS handshake for the LDAPS connection fails, and because SSO can no longer reach the directory, every Active Directory login fails while local SSO accounts are unaffected.

Whether a renewal breaks trust depends on what was uploaded: the load balancer's own (leaf) certificate has to be replaced at every renewal, whereas an issuing-CA certificate keeps working as long as the renewed certificate is issued by the same CA. The steps below cover the common case where the server certificate itself is configured, or where the CA changed.

Resolution

The solution is to update the existing Identity Source configuration in vCenter with the new certificate. Because AD logins are broken, you must do this while logged in with a local SSO administrator account (e.g., administrator@vsphere.local).

Obtain the New AD Load Balancer Certificate

  1. First, export the new public certificate (and its full trust chain) from your AD load balancer; you may need to get this from your network or security team. Save it as a .cer or .crt file. Make sure it is the certificate the load balancer actually presents on port 636, not the certificate of an individual domain controller behind it, and check its validity dates before uploading.
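The following shell script is an added example (not part of this KB) that does step 1 from any machine with OpenSSL: it pulls the chain the LDAPS endpoint presents, saves each certificate as its own PEM file, shows subject/issuer/validity/SHA-256 fingerprint, and compares the leaf with the certificate file currently configured in vCenter, which is exactly the mismatch described under Cause. It also includes an optional ldapsearch bind check that validates the saved certificate against the load balancer before (or after) you upload it. The host name `ad-lb.corp.example`, the file names and the bind DN are placeholders; replace them with your own values.

```shell
#!/usr/bin/env bash
# Added example, not from the KB: fetch, inspect and compare the certificate an
# LDAPS provider (AD load balancer or domain controller) presents on port 636.
# Host names, file names and bind DNs used in comments are placeholders.
set -eu

# Fetch the chain presented on the LDAPS port and write it, leaf first, to $2.
# -servername sets SNI, which a load balancer may need to pick the right cert.
fetch_ldaps_chain() {           # usage: fetch_ldaps_chain host outfile [port]
  local host=$1 out=$2 port=${3:-636}
  openssl s_client -connect "${host}:${port}" -servername "$host" -showcerts \
      </dev/null 2>/dev/null \
    | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' \
    > "$out" || true
  if [ ! -s "$out" ]; then
    echo "no certificate received from ${host}:${port} (port closed, no TLS?)" >&2
    return 1
  fi
}

# Split a PEM bundle into $2/cert-1.pem, $2/cert-2.pem, ...; print the count.
# cert-1.pem is the leaf (the LB's own certificate), the last one is the
# certificate closest to the root that the server chose to send.
split_chain() {                 # usage: split_chain bundle.pem outdir
  local bundle=$1 dir=$2 n=0 line
  mkdir -p "$dir"
  while IFS= read -r line; do
    if [ "$line" = "-----BEGIN CERTIFICATE-----" ]; then n=$((n + 1)); fi
    printf '%s\n' "$line" >> "$dir/cert-$n.pem"
  done < "$bundle"
  echo "$n"
}

# Human-readable summary of one PEM certificate (what to eyeball before upload).
describe_cert() {               # usage: describe_cert cert.pem
  openssl x509 -in "$1" -noout -subject -issuer -dates -fingerprint -sha256
}

# SHA-256 fingerprint of one PEM certificate, hex with colons, nothing else.
cert_fingerprint() {            # usage: cert_fingerprint cert.pem
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# 0 if both files hold the same certificate, 1 otherwise. Comparing the file
# configured in vCenter with the presented leaf is the quickest confirmation of
# the KB's cause (a renewed certificate that vCenter does not yet know about).
certs_match() {                 # usage: certs_match configured.cer presented.pem
  [ "$(cert_fingerprint "$1")" = "$(cert_fingerprint "$2")" ]
}

# Whole flow for step 1. Not run automatically; call it yourself, e.g.
#   check_ldaps_provider ad-lb.corp.example ./currently-configured.cer
check_ldaps_provider() {        # usage: check_ldaps_provider host configured.cer
  local host=$1 current=$2 work count i=1
  work=$(mktemp -d)
  fetch_ldaps_chain "$host" "$work/chain.pem"
  count=$(split_chain "$work/chain.pem" "$work/split")
  echo "$host presented $count certificate(s); PEM files are in $work/split"
  while [ "$i" -le "$count" ]; do
    echo "--- cert-$i.pem"
    describe_cert "$work/split/cert-$i.pem"
    i=$((i + 1))
  done
  if certs_match "$current" "$work/split/cert-1.pem"; then
    echo "OK: the configured certificate matches the leaf the endpoint presents."
  else
    echo "MISMATCH: upload the certificate(s) from $work/split to the identity source."
  fi
}

# Optional end-to-end check with the OpenLDAP client: an LDAPS bind that trusts
# only the given file. A TLS failure here means vCenter will fail with the same
# file. OpenSSL needs a chain up to a self-signed root, so pass the CA chain file
# here rather than a CA-issued leaf on its own. Prompts for the bind password.
#   ldaps_bind_check ad-lb.corp.example ./chain.cer "CN=svc-vcenter,OU=Service Accounts,DC=corp,DC=example"
ldaps_bind_check() {            # usage: ldaps_bind_check host cafile binddn
  local host=$1 cafile=$2 binddn=$3
  LDAPTLS_CACERT="$cafile" LDAPTLS_REQCERT=demand \
    ldapsearch -H "ldaps://${host}:636" -D "$binddn" -W \
      -s base -b "" '(objectClass=*)' namingContexts
}
```

The fingerprint comparison is deliberately done on the DER hash rather than on subject names: a renewed certificate usually carries the same subject, so only the fingerprint (or the validity dates) reveals that it changed.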

Update the vCenter Identity Source

  1. Log in to the vSphere Client as administrator@vsphere.local (or the administrator of your own SSO domain).
  2. Navigate to the Menu and select Administration.
  3. Under Single Sign On, click Configuration.
  4. Select the Identity Sources tab.
  5. Find your Active Directory (over LDAP) identity source in the list and select it.
  6. Click Edit.
  7. In the edit wizard, locate the Certificates (for LDAPS) section.
  8. Click the Browse button (or the add/remove certificate icon).
  9. Remove the old (superseded or expired) certificate(s) for your AD load balancer.
  10. Add (upload) the new certificate file you obtained in Step 1.
  11. Click Save to apply the changes.

After saving, Active Directory logins should be restored immediately. Verify by logging out and logging in again with an AD account (DOMAIN\user or user@domain).

Workaround

If the "Edit" method does not resolve the issue, remove and re-add the identity source.

Warning: Removing an identity source also removes every permission that was granted to users and groups from that source. Before removing it, take screenshots of all its settings (Identity source name, Domain name and alias, Primary and Secondary server URLs, Base DN for users, Base DN for groups, the bind Username, etc.) and record which AD groups hold which vCenter roles. You will need to re-add those groups to the roles (under "Global Permissions" or on the individual objects) after re-adding the source.

  1. Navigate to Administration > Single Sign On > Configuration > Identity Sources.
  2. Select the problematic AD identity source and click Remove.
  3. Click Add to create a new identity source.
  4. Select Active Directory over LDAP.
  5. Fill in all the same configuration details you noted down.
  6. When you reach the Certificates (for LDAPS) section, upload your new certificate file.
  7. Complete the wizard to add the source back.

Additional Information

KB 383112: AD Authentication Failure in vCenter Due to LDAPS Certificate Mismatch

KB 316596: Configuring a vCenter Single Sign-On Identity Source using LDAP with SSL (LDAPS)