All AD users are unable to authenticate to vCenter

Article ID: 418478

Products

VMware vCenter Server

Issue/Introduction

Attempting to log in to vCenter with Active Directory credentials results in the error message "invalid credentials" even though the credentials are correct.

Cause

/var/log/vmware/sso/ssoAdminserver.log shows the following error:

 "obtainDcInto for domain [domain name] failed Cannot determine <FQDN OF READ ONLY DOMAIN CONTROLLER> is valid domain controller"

This issue is observed when Read-Only Domain Controllers (RODCs) are configured in the environment and those DCs are not returned by an nslookup of the domain name, so the Likewise service on the vCenter Server Appliance (VCSA) selects a DC it cannot validate.

Resolution

Add the IP addresses of the failing domain controllers to the Likewise BlacklistedDCs list by following the steps below:

  • SSH to the vCenter Server.
  • Add the IP addresses of the affected domain controllers to BlacklistedDCs by executing the following command:

    /opt/likewise/bin/lwregshell set_value '[HKEY_THIS_MACHINE\Services\netlogon\Parameters]' BlacklistedDCs "IP_of_Problematic_ReadOnly_DC_1,IP_of_Problematic_ReadOnly_DC_2"

    Note: The value is a comma-separated list. The Likewise service on the VCSA will not try to contact these domain controllers when Integrated Windows Authentication (IWA) is configured on vCenter Server.

  • Restart the Likewise and SSO services (this involves downtime, as the vmafd/vmdird and SSO services are restarted):

    /opt/likewise/bin/lwsm restart lwreg

    service-control --restart vmware-stsd
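The following helper, added here as an example and not part of the KB article or of VMware's tooling, builds the comma-separated BlacklistedDCs value from the DCs that an nslookup of the domain returned versus the DCs you expect to be in use (for instance the RODC named in ssoAdminserver.log), and prints the lwregshell command for review instead of running it. The nslookup output is a constructed sample using documentation addresses; the registry path and lwregshell location are the ones the article gives.

```shell
#!/bin/sh
# Added example (not from the KB): derive the BlacklistedDCs value from a
# domain lookup. Constructed sample of `nslookup <domain>` output; the first
# "Address:" line belongs to the resolver, the later ones are the DCs returned.
SAMPLE_LOOKUP='Server:   192.0.2.53
Address:  192.0.2.53#53

Name:   corp.example.test
Address: 192.0.2.10
Name:   corp.example.test
Address: 192.0.2.11'

# Print one DC address per line, skipping the resolver's own Address: line
# (only Address: lines that directly follow a Name: line are DC answers).
dcs_from_lookup() {
    printf '%s\n' "$1" | awk '/^Name:/{n=1; next} n && /^Address:/{print $2; n=0}'
}

# Build the comma-separated BlacklistedDCs value: every candidate DC address
# (arguments after the lookup output) that the lookup did NOT return. DCs that
# DNS does return are left reachable.
blacklist_value() {
    lookup_out=$1; shift
    out=""
    for ip in "$@"; do
        if ! dcs_from_lookup "$lookup_out" | grep -qx "$ip"; then
            out="${out:+$out,}$ip"
        fi
    done
    printf '%s' "$out"
}

# Print (do not run) the lwregshell command so the value can be reviewed
# before it is applied on the VCSA.
show_command() {
    key='[HKEY_THIS_MACHINE\Services\netlogon\Parameters]'
    printf "%s set_value '%s' BlacklistedDCs \"%s\"\n" \
        /opt/likewise/bin/lwregshell "$key" "$1"
}

# Usage: 192.0.2.10 is returned by DNS, 192.0.2.20 (the hypothetical RODC) is not.
value=$(blacklist_value "$SAMPLE_LOOKUP" 192.0.2.10 192.0.2.20)
if [ -n "$value" ]; then
    show_command "$value"
fi
```

Run it against the real `nslookup` output on the appliance by replacing SAMPLE_LOOKUP with `$(nslookup your.domain)`; an empty result means DNS already returns every listed DC and the blacklist step does not apply.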