In VMware Identity Manager 3.3.7, you may experience a situation where the environment becomes inaccessible at seemingly random intervals, often requiring a weekly restart of the horizon-workspace service.
Symptoms include:
In connector.log, you observe the following error:
2025-10-22T20:30:00,005 ERROR (pool-640757-thread-7) [;;;] com.vmware.horizon.directory.ldap.dc.commons.LdapPingChecker - Communication Error connecting to dc DC.domain for domain Domain.local javax.naming.CommunicationException: DC.domain:389
VMware Identity Manager 3.3.7.0
This issue is caused by inconsistent or incorrect NTP (Network Time Protocol) settings across the infrastructure. When the time on the VMware Identity Manager appliance drifts out of sync with the Domain Controller or other identity sources, LDAP communication and authentication tokens fail. This leads to a high number of waiting threads, eventually causing the service to become unresponsive.
Time synchronization is a Tier-0 requirement for Workspace ONE Access. The platform relies on precise timing for:
Token Validation: OAuth2 and SAML tokens have strict TTL (Time To Live) windows; if the clock differs from the Domain Controller or other nodes, the handshake is invalidated.
Cluster Management: Components like Pgpool and Watchdog require sub-second synchronization to maintain quorum.
Before configuring the software, ensure your network infrastructure supports the sync:
Firewall Rules: Verify that UDP Port 123 is open to allow NTP traffic between the vIDM appliances and your chosen NTP servers (typically your Domain Controllers).
You can align the system clock using either the Appliance Configurator (GUI) or the command line (SSH).
Navigate to the vIDM management port: https://<vIDM_FQDN>:8443/cfg/login and log in with admin credentials.
Go to the Time Sync section: https://<vIDM_FQDN>:8443/cfg/timesync.
Choose your synchronization source:
Option 1 (Recommended): Enter the FQDN or IP addresses of your corporate NTP Servers.
Option 2: Select Sync time with the ESXi host (ensure the host itself is synchronized with a reliable source).
Log in to each vIDM appliance via SSH.
Update the NTP configuration file to point to your valid, consistent time source.
Verify the update and synchronization status using the date or timedatectl commands.
Once the time source is configured and the OS clock is accurate:
Restart the workspace service to clear any existing hung threads caused by the previous time skew: service horizon-workspace restart
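To measure the actual skew against each time source rather than eyeballing date output, the following is an added example (not from the original article or from VMware) that sends one SNTP query over UDP 123 and computes the local clock offset. The 1.0-second MAX_SKEW threshold and the server names passed on the command line are assumptions; the presence of Python 3 on the host you run it from is also assumed.

```python
import socket
import struct
import sys
import time

NTP_EPOCH_DELTA = 2208988800  # seconds from 1900-01-01 (NTP) to 1970-01-01 (Unix)
MAX_SKEW = 1.0  # assumed threshold in seconds; set it to your own tolerance

def build_request(t1):
    """48-byte SNTP client request (VN=3, mode=3) carrying T1 as transmit time."""
    ntp = t1 + NTP_EPOCH_DELTA
    sec = int(ntp)
    return struct.pack("!B39xII", 0x1B, sec, int((ntp - sec) * 2**32))

def ntp_to_unix(data, pos):
    """Decode the 64-bit NTP timestamp at byte offset pos into Unix seconds."""
    sec, frac = struct.unpack_from("!II", data, pos)
    return sec - NTP_EPOCH_DELTA + frac / 2**32

def clock_offset(reply, t1, t4):
    """Seconds to add to the local clock to match the server (RFC 4330 formula)."""
    if len(reply) < 48:
        raise ValueError("short NTP reply")
    leap, mode, stratum = reply[0] >> 6, reply[0] & 0x07, reply[1]
    if mode != 4 or leap == 3 or not 1 <= stratum <= 15:
        raise ValueError("server is not a synchronized time source")
    t2, t3 = ntp_to_unix(reply, 32), ntp_to_unix(reply, 40)  # server receive, transmit
    return ((t2 - t1) + (t3 - t4)) / 2

def query(server, timeout=3.0):
    """Send one request to server on UDP 123 and return the measured offset."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        t1 = time.time()
        sock.sendto(build_request(t1), (server, 123))
        reply, _ = sock.recvfrom(512)
        t4 = time.time()
    return clock_offset(reply, t1, t4)

def within_tolerance(offset, max_skew=MAX_SKEW):
    return abs(offset) <= max_skew

if __name__ == "__main__":
    for server in sys.argv[1:]:  # e.g. each Domain Controller / NTP server
        try:
            off = query(server)
            print(f"{server}: offset {off:+.3f}s", "OK" if within_tolerance(off) else "SKEW")
        except (OSError, ValueError) as exc:  # a timeout here can mean UDP 123 is blocked
            print(f"{server}: no usable reply ({exc})")
```

Run it from each appliance against the same servers; a timeout points at the firewall rule, while a large offset points at the time source configuration.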