Intermittent authentication failures in VMware Identity Manager connecting to NSX Managers

Article ID: 423837


Products

VCF Operations/Automation (formerly VMware Aria Suite)

Issue/Introduction

You experience intermittent authentication failures when attempting to authenticate via VMware Identity Manager. This issue is often observed when VMware Identity Manager is serving as the identity provider for NSX Managers.

When reviewing the service logs, you see errors indicating a communication failure with specific Domain Controllers, similar to the following:

com.vmware.horizon.directory.ldap.dc.commons.LdapPingChecker - Communication Error connecting to dc.

Environment

VMware Identity Manager 3.3.x

Cause

This issue is caused by a lack of network connectivity between the VMware Identity Manager appliance and specific Domain Controllers (DCs) configured in the environment. This frequently occurs when new Domain Controllers are added to the environment but the necessary firewall rules or routing configurations have not yet been applied to allow traffic from the VMware Identity Manager nodes.

Resolution

To resolve this issue, ensure that the VMware Identity Manager appliance can communicate with all configured Domain Controllers.

  1. Identify the failing Domain Controllers by reviewing the logs for the Communication Error message.

  2. Verify network connectivity from the VMware Identity Manager appliance to the new Domain Controllers.

  3. Ensure that all required ports (typically TCP 389 for LDAP or 636 for LDAPS) are open between the appliance and the Domain Controllers.

  4. Verify that DNS resolution is functioning correctly for the hostnames of the new Domain Controllers.
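The four steps above can be run together from the appliance shell. The script below is an added example, not VMware-supplied code: it pulls the failing Domain Controllers out of a service log, then checks DNS resolution and TCP 389/636 for each one. It assumes the DC host name is the token that follows "Communication Error connecting to", that `getent`, `timeout` and `bash` are available, and that you pass the log file path yourself; the sample log lines and host names are constructed.

```shell
#!/bin/sh
# Added example (not VMware code). Usage: sh dc_check.sh <service-log-file>
# Assumption: the DC host name is the token following
# "Communication Error connecting to" in the LdapPingChecker line.

# Constructed sample lines, used only when no log file is given.
sample_log() {
    cat <<'EOF'
ERROR com.vmware.horizon.directory.ldap.dc.commons.LdapPingChecker - Communication Error connecting to dc03.corp.example.
INFO unrelated line that must be ignored
ERROR com.vmware.horizon.directory.ldap.dc.commons.LdapPingChecker - Communication Error connecting to dc04.corp.example.
ERROR com.vmware.horizon.directory.ldap.dc.commons.LdapPingChecker - Communication Error connecting to dc03.corp.example.
EOF
}

# Step 1: distinct DCs named in Communication Error lines (log on stdin).
failing_dcs() {
    sed -n 's/.*LdapPingChecker - Communication Error connecting to \([^ ]*\).*/\1/p' |
        sed 's/[.,:]*$//' | sort -u
}

# Step 4: does this host resolve the DC name?
dns_ok() { getent hosts "$1" >/dev/null 2>&1; }

# Steps 2-3: TCP connect within 3 s; host/port are passed as arguments, not interpolated.
port_open() { timeout 3 bash -c 'exec 3<>"/dev/tcp/$1/$2"' _ "$1" "$2" 2>/dev/null; }

# One status line per DC. Fails when DNS fails or neither LDAP port is reachable;
# which port is required depends on whether the directory uses LDAP or LDAPS.
check_dc() {
    host=$1
    if ! dns_ok "$host"; then
        echo "$host dns=FAIL 389=skipped 636=skipped"; return 1
    fi
    line="$host dns=ok"; rc=1
    for port in 389 636; do
        if port_open "$host" "$port"; then line="$line $port=open"; rc=0
        else line="$line $port=unreachable"; fi
    done
    echo "$line"; return "$rc"
}

if [ "$#" -gt 0 ]; then            # real run: check every DC found in the log
    status=0
    for dc in $(failing_dcs < "$1"); do check_dc "$dc" || status=1; done
    exit "$status"
else                               # no argument: parse the sample, no network use
    sample_log | failing_dcs
fi
```

Run it on each VMware Identity Manager node, since firewall rules and routing can differ per source address.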