Unable to login to vCenter using AD credentials after changing domain controller certificate - Cannot configure identity source due to Certificate is not valid: NotAfter
Article ID: 420874

Products

VMware vCenter Server

Issue/Introduction

After the Domain Controller certificate is changed, Active Directory users can no longer log in to vCenter Server.

Importing the new domain controller certificate into the Identity Source configuration fails with the error:
"Cannot configure identity source due to Certificate is not valid: NotAfter: '#######Certificate Expiry Date#######'"

In the vCenter Server log file /var/log/vmware/sso/websso.log you see errors similar to:

source=[VMware Identity Server], tenant=[vsphere.local], eventid=[USER_NAME_PWD_AUTH_FAILED], level=[ERROR], category=[VMEVENT_CATEGORY_STS], text=[Failed to authenticate principal [###AD User account name####]. Login failed], detailText=[Login failed], corelationId=[###ID number###], timestamp=[#######]

2025-12-03T07:47:50.898Z ERROR websso[66:tomcat-http--28] [CorId=#########] [com.vmware.identity.idm.server.IdentityManager] Failed to authenticate principal [###AD User account name####]. Login failed
javax.security.auth.login.LoginException: Login failed
at com.vmware.identity.idm.server.provider.ldap.LdapWithAdMappingsProvider.authenticate(LdapWithAdMappingsProvider.java:458) ~[libvmware-identity-idm-server.jar:?]
at com.vmware.identity.idm.server.IdentityManager.authenticate(IdentityManager.java:3134) [libvmware-identity-idm-server.jar:?]
at com.vmware.identity.idm.server.IdentityManager.authenticate(IdentityManager.java:10530) [libvmware-identity-idm-server.jar:?]
at com.vmware.identity.idm.client.CasIdmClient.authenticate(CasIdmClient.java:1303) [libvmware-identity-idm-client.jar:?]
at com.vmware.identity.samlservice.impl.CasIdmAccessor.authenticate(CasIdmAccessor.java:470) [libwebsso.jar:?]
at com.vmware.identity.samlservice.impl.AuthnRequestStatePasswordAuthenticationFilter.authenticate(AuthnRequestStatePasswordAuthenticationFilter.java:95) [libwebsso.jar:?]

Environment

VMware vCenter Server 6.x
VMware vCenter Server 7.x
VMware vCenter Server 8.x

Cause

This is expected behavior. The Active Directory identity source in vCenter stores the domain controller certificate that was supplied when the identity source was configured. After the domain controller certificate is replaced, vCenter still validates the LDAPS connection against the old certificate, so the connection is rejected and every Active Directory login fails; the certificate expiry (NotAfter) error is the visible sign of that mismatch. Removing the identity source and adding it back with the new certificate clears the stale certificate and allows Active Directory logins to proceed.

Resolution

1. Take a valid backup or snapshot of the vCenter Server (for vCenter Servers in Enhanced Linked Mode, take offline snapshots).
2. Note down and record all existing domain user and group permissions; they are removed together with the identity source.
3. Remove the existing identity source, then re-add it using the new domain controller certificate.
4. Once the identity source has been added successfully, re-add the domain user and group permissions.
5. Make sure the chosen identity source is set as the default.
Refer to: Configuring a vCenter Single Sign-On Identity Source using LDAP with SSL
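The following PowerCLI script is an added example and is not part of this article or of VMware's own tooling. It covers the three points a practitioner wants verified around steps 2 to 4: that the certificate the domain controller now presents on LDAPS is inside its validity window (the NotAfter check that the identity source dialog performs), a CSV record of every permission held by a principal from the domain before the identity source is removed, and a replay of that record after the source has been re-added. The identity source itself is still removed and re-added in the vSphere Client as described in the linked article. All host names, the domain name, the NetBIOS name and the file paths are hypothetical placeholders.

```powershell
# Added example, not from the KB article. Assumed (hypothetical) names: vCenter
# vc01.corp.example.local, domain corp.example.local with NetBIOS name CORP, domain
# controller dc01.corp.example.local. Requires the VMware.PowerCLI module and a session
# with permission to read and assign vCenter permissions.
Import-Module VMware.PowerCLI -ErrorAction Stop

# Fetch the leaf certificate the domain controller presents on LDAPS (TCP 636).
function Get-LdapsCertificate {
    param([Parameter(Mandatory)][string]$Server, [int]$Port = 636)
    $tcp = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    try {
        # Accept any certificate for this probe: we are inspecting it, not trusting it yet.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($Server)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $tcp.Dispose() }
}

# Check the validity window before re-adding the identity source; a NotAfter in the past
# is exactly the "Certificate is not valid: NotAfter" failure from the article. Optionally
# write the certificate as PEM for upload in the identity source dialog.
function Test-LdapsCertificate {
    param([Parameter(Mandatory)][string]$Server, [string]$PemOut)
    $cert = Get-LdapsCertificate -Server $Server
    $now  = Get-Date
    $valid = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)
    [pscustomobject]@{
        Server = $Server; Subject = $cert.Subject; Issuer = $cert.Issuer
        Thumbprint = $cert.Thumbprint; NotBefore = $cert.NotBefore
        NotAfter = $cert.NotAfter; Valid = $valid
    } | Format-List | Out-Host
    if (-not $valid) {
        throw "Certificate from $Server is outside its validity window (NotAfter $($cert.NotAfter)); fix the DC certificate before re-adding the identity source."
    }
    if ($PemOut) {
        $b64 = [Convert]::ToBase64String($cert.RawData, [System.Base64FormattingOptions]::InsertLineBreaks)
        Set-Content -Path $PemOut -Encoding ascii -Value "-----BEGIN CERTIFICATE-----`n$b64`n-----END CERTIFICATE-----"
    }
    return $cert
}

# Record every permission whose principal comes from the AD domain (DOMAIN\name or
# name@fqdn form). These are lost when the identity source is removed.
function Export-DomainPermissions {
    param([Parameter(Mandatory)][string]$NetBios,
          [Parameter(Mandatory)][string]$Domain,
          [Parameter(Mandatory)][string]$Path)
    $perms = @(Get-VIPermission | Where-Object {
        $_.Principal -like "$NetBios\*" -or $_.Principal -like "*@$Domain"
    })
    $perms | Select-Object @{n='EntityId'; e={ $_.Entity.Id }},
                           @{n='EntityName'; e={ $_.Entity.Name }},
                           Principal, Role, Propagate, IsGroup |
        Export-Csv -Path $Path -NoTypeInformation
    Write-Host "Saved $($perms.Count) domain permissions to $Path"
    return $perms
}

# Replay the recorded permissions once the identity source is back. Entities are looked
# up by their inventory ID so renamed objects still resolve; already-present entries are skipped.
function Restore-DomainPermissions {
    param([Parameter(Mandatory)][string]$Path)
    foreach ($p in Import-Csv -Path $Path) {
        $entity = Get-Inventory -Id $p.EntityId -ErrorAction SilentlyContinue
        if (-not $entity) { $entity = Get-Folder -Id $p.EntityId -ErrorAction Stop }  # root folder case
        $role = Get-VIRole -Name $p.Role -ErrorAction Stop
        if (Get-VIPermission -Entity $entity -Principal $p.Principal -ErrorAction SilentlyContinue) { continue }
        New-VIPermission -Entity $entity -Principal $p.Principal -Role $role `
            -Propagate ([bool]::Parse($p.Propagate)) | Out-Null
        Write-Host "Restored $($p.Principal) -> $($p.Role) on $($p.EntityName)"
    }
}

# Usage, run step by step around the manual remove/re-add in the vSphere Client:
Connect-VIServer -Server 'vc01.corp.example.local' | Out-Null
Test-LdapsCertificate -Server 'dc01.corp.example.local' -PemOut '.\dc01-ldaps.cer' | Out-Null
Export-DomainPermissions -NetBios 'CORP' -Domain 'corp.example.local' -Path '.\ad-permissions.csv' | Out-Null
# ... remove the identity source, re-add it with .\dc01-ldaps.cer, set it as default, then:
# Restore-DomainPermissions -Path '.\ad-permissions.csv'
```

The certificate probe deliberately disables chain validation so that it can report on a certificate that vCenter would reject; compare the printed Thumbprint with the one shown in the identity source dialog after re-adding, and confirm the Valid field is True before starting the removal. Run Export-DomainPermissions before step 3 and keep the CSV with the snapshot; the restore is idempotent, so it can be re-run if some entries fail on the first pass.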