The vSphere Client does not show the specific user as a member of the Administrators group, but the authz-data.json log file shows the user as a member.

Article ID: 421389

Products

VMware vCenter Server

Issue/Introduction

  • Active Directory (Integrated Windows Authentication) has been added to vCenter Server as a Single Sign-On Identity Source.
  • The specific user is not included in the Administrators group within the vSphere Client.
      vSphere Client > Administration > Single Sign-On > Users and Groups > Groups > Administrators
  • The authz-data.json file, which is output in the vCenter Server log bundle, contains the specific user as a member of the Administrators group.
    var/log/vmware/vpxd/authz-data.json
        "users": {
            "###\\The specific user": {
                    {
                        "name": "Administrators",
                        "domain": "vsphere.local"
                    },
  • A lingering SID-formatted member remains in the Administrators group.
    # /usr/lib/vmware-vmafd/bin/dir-cli group list --name Administrators --login administrator --password ###
    externalObjectId=S-1-5-21-###

    # /opt/likewise/bin/ldapsearch -LLL -h localhost -p 389 -x -b "dc=vsphere,dc=local" -s sub -D "cn=administrator,cn=users,dc=vsphere,dc=local" -w *** "cn=Administrators"
    dn: cn=Administrators,cn=Builtin,dc=vsphere,dc=local
    member: externalObjectId=S-1-5-21-###
  • The principal behind the SID-formatted member can be confirmed from the extensionName attribute of its entry under ForeignSecurityPrincipals, returned by the command below.
    # /opt/likewise/bin/ldapsearch -LLL -h localhost -p 389 -x -b "cn=ForeignSecurityPrincipals,dc=vsphere,dc=local" -s sub -D "cn=administrator,cn=users,dc=vsphere,dc=local" -w #######
    dn: cn=ForeignSecurityPrincipals,dc=vsphere,dc=local

    dn: externalObjectId=S-1-5-21-###,cn=ForeignSecurityPrincipals,dc=vsphere,dc=local
    objectClass: foreignSecurityPrincipal
    extensionName: The specific user@Domain name

  • When editing or changing the SSO identity source and running the prechecks, you get the following error: "Foreign security principal not found; associated vCenter group memberships could not be converted into a format compatible with the provider"

Environment

VMware vCenter Server 8.x

Cause

This issue occurs if someone, at some point, tried to remove the AD principal from the local vCenter Server group after the AD identity source had already been removed from vCenter Server.
Without the AD identity source, the AD principal is still displayed as a member of the local vCenter Server group because of its UPN-formatted FSP group membership. If the principal is removed from the group in that state, vCenter Server cannot query AD for the principal's SID, so it removes only the UPN-formatted FSP membership and leaves the SID-formatted FSP membership behind.

Resolution

To resolve the issue, you can follow the Resolution options in the article "Users or groups from Active Directory are not visible in SSO local group in vSphere Client". As explained in Resolution Option 1, use the steps below to remove the lingering SID-formatted FSP group membership from the Administrators group.

0. Before undertaking any of the options listed below, take OFFLINE snapshots of both vCenter Servers in ELM/LM and ONLINE snapshot for standalone vCenter Server. For more details refer to article "Snapshot Best practices for vCenter Server Virtual Machines".

1. Check and note down the SID-formatted member "S-1-5-21-###".
# /opt/likewise/bin/ldapsearch -LLL -h localhost -p 389 -x -b "dc=vsphere,dc=local" -s sub -D "cn=administrator,cn=users,dc=vsphere,dc=local" -w ####### "cn=Administrators"
dn: cn=Administrators,cn=Builtin,dc=vsphere,dc=local
member: externalObjectId=S-1-5-21-###

2. Create a file on the vCenter Server (e.g., remove_AD_principal_from_Administrators_group.ldif) with the following content (Use the S-1-5-21-### value checked in Step 1.):
dn: cn=Administrators,cn=Builtin,dc=vsphere,dc=local
changetype: modify
delete: member
member: externalObjectId=S-1-5-21-###

3. Run the ldapmodify command with the LDIF file:
/opt/likewise/bin/ldapmodify -x -W -D "cn=Administrator,cn=Users,dc=vsphere,dc=local" -f remove_AD_principal_from_Administrators_group.ldif
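The script below is an added example, not code from the article or from VMware. It automates the bookkeeping in Steps 1 and 2 offline: it parses saved ldapsearch -LLL output for the Administrators group and for the ForeignSecurityPrincipals container, lists every SID-formatted member together with the extensionName recorded on its FSP entry (so you can confirm which principal a SID belongs to before touching it), and builds the LDIF change record that Step 3 feeds to ldapmodify. The two LDIF strings are constructed sample data; the SID, member DN and principal name in them are placeholders, not values from any real vCenter Server.

```python
import base64
import re
from typing import Dict, List, Optional, Tuple

# Group that holds the lingering membership (DN from the article).
ADMIN_GROUP_DN = "cn=Administrators,cn=Builtin,dc=vsphere,dc=local"

# An FSP member written in SID form: "externalObjectId=S-1-5-21-..." possibly followed by the rest of the DN.
SID_RDN_RE = re.compile(r"^externalObjectId=(S-1-5-21-[0-9-]+)(?:,|$)")


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Parse ldapsearch -LLL output into a list of entries (attribute -> values).
    Handles folded continuation lines (leading space) and base64 values ("attr:: ...")."""
    unfolded: List[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]          # LDIF folds long lines with a leading space
        else:
            unfolded.append(line)

    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in unfolded + [""]:              # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):             # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(attr.strip(), []).append(value)
    return entries


def sid_members(group_ldif: str, group_dn: str = ADMIN_GROUP_DN) -> Dict[str, str]:
    """Return {SID: member attribute value} for every SID-formatted member of group_dn."""
    found: Dict[str, str] = {}
    for entry in parse_ldif(group_ldif):
        if entry.get("dn", [""])[0].lower() != group_dn.lower():
            continue
        for member in entry.get("member", []):
            m = SID_RDN_RE.match(member)
            if m:
                found[m.group(1)] = member
    return found


def fsp_names(fsp_ldif: str) -> Dict[str, Optional[str]]:
    """Return {SID: extensionName} for each SID-formatted entry under ForeignSecurityPrincipals."""
    names: Dict[str, Optional[str]] = {}
    for entry in parse_ldif(fsp_ldif):
        m = SID_RDN_RE.match(entry.get("dn", [""])[0])
        if m:
            names[m.group(1)] = entry.get("extensionName", [None])[0]
    return names


def report_sid_members(group_ldif: str, fsp_ldif: str) -> List[Tuple[str, str, Optional[str]]]:
    """Pair each SID-formatted group member with the principal name on its FSP entry (None if there is no FSP entry)."""
    names = fsp_names(fsp_ldif)
    return [(sid, member, names.get(sid)) for sid, member in sorted(sid_members(group_ldif).items())]


def delete_member_ldif(member_value: str, group_dn: str = ADMIN_GROUP_DN) -> str:
    """Build the LDIF change record (Step 2 of the article) that removes one member value from the group."""
    return (
        f"dn: {group_dn}\n"
        "changetype: modify\n"
        "delete: member\n"
        f"member: {member_value}\n"
    )


# Constructed sample output standing in for the two ldapsearch commands in the article.
# SID, member DN and principal name are placeholders, not values from any real vCenter Server.
SAMPLE_GROUP_LDIF = """\
dn: cn=Administrators,cn=Builtin,dc=vsphere,dc=local
member: cn=Administrator,cn=Users,dc=vsphere,dc=local
member: externalObjectId=S-1-5-21-1111111111-2222222222-3333333333-1105,cn=ForeignSecurityPrincipals,dc=vsphere,dc=local
"""

SAMPLE_FSP_LDIF = """\
dn: cn=ForeignSecurityPrincipals,dc=vsphere,dc=local
objectClass: container

dn: externalObjectId=S-1-5-21-1111111111-2222222222-3333333333-1105,cn=ForeignSecurityPrincipals,dc=vsphere,dc=local
objectClass: foreignSecurityPrincipal
extensionName: jdoe@corp.example
"""

if __name__ == "__main__":
    for sid, member, name in report_sid_members(SAMPLE_GROUP_LDIF, SAMPLE_FSP_LDIF):
        print(f"{sid} -> {name or '<no FSP entry>'}")
        print(delete_member_ldif(member))
```

On a real appliance, redirect the output of the two ldapsearch commands from Step 1 and from the Issue section into files and pass their contents to report_sid_members; write the LDIF returned by delete_member_ldif to the file used in Step 3 only after the extensionName confirms the member is the principal you intend to remove. A SID that maps to None has no FSP entry at all, which is the situation the jXplorer steps below address.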

If you are getting the precheck error when editing or changing your SSO identity source, and the error remains after running the steps above:

  1. Take a snapshot of the vCenter Server.
  2. Use jXplorer to connect to the SSO LDAP or LDAPS service of vCenter Server and remove the offending entry:
    1. Browse to "ForeignSecurityPrincipals".
    2. Once you have found the entry, right-click it and select "Delete".
    3. The SID in question may sit directly under the "root" of "ForeignSecurityPrincipals", so it is only reachable through jXplorer.
  3. See KB 301632 for more information.
  4. Don't forget to clean up your snapshots after verifying that the change was successful.

Additional Information

Users or groups from Active Directory are not visible in SSO local group in vSphere Client
How to export VMDir information from vCenter Server Appliance
Single Sign-On fails to authenticate users and returns LDAP error: ReferralLdapException