<user>@example.com) which differs from the domain added to vIDB (example.net)
VMware Cloud Foundation Operations for logs 9.0.1.0
VCF Identity Broker 9.0.x
An authentication conflict occurs when you enable both vSphere SSO (VIDB) and native AD concurrently. The system queries your native AD configuration first for group enumeration and user resolution. This process fails if your native AD integration lacks visibility into the specific domain or trusted forest, which prevents the vSphere SSO authentication sequence from completing.
When both are enabled, the following authentication errors appear in /storage/var/loginsight/runtime.log:
[2026-03-12 16:37:15.660+0000] ["CheckPerformer-thread-1"/##.###.###.### WARN] [com.vmware.loginsight.prodcheck.lib.ActiveDirectoryCheck] [Wasn't able to authenticate to active directory]
com.vmware.loginsight.commons.exceptions.AuthenticationException: Unable to validate Active Directory credentials. Please check your Active Directory DNS name, port, and SSL settings as well as your username and password.
[2026-03-12 16:39:38.708+0000] ["https-openssl-apr-443-exec-7"/##.###.###.### ERROR] [com.vmware.loginsight.web.actions.settings.UsersActionBean] [Error creating group]
com.vmware.loginsight.commons.exceptions.AuthenticationException: Unable to validate Active Directory group. Please check your Active Directory DNS name, port, and SSL settings as well as your username and password.
[2026-03-12 16:45:49.212+0000] ["https-openssl-apr-443-exec-6"/##.###.###.### INFO] [com.vmware.loginsight.aaa.ad.ActiveDirectoryAuthenticator] [Failed authentication attempt for parsed users [ `[EMAIL]`] ] in domain [ `[HOSTNAME]` ]]
com.vmware.loginsight.commons.exceptions.AuthenticationException: Invalid or untrusted domain '`[HOSTNAME]`'.
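To check whether a given runtime.log shows these three errors, the following added example (not VMware's code) parses entries in the layout shown above and reports which signatures appear and which domains native AD rejected. The function names, the sample addresses, the example.com domain and the unrelated logger are assumptions made for illustration.

```python
import re
from collections import Counter

# Entry header: [timestamp] ["thread"/address LEVEL] [logger] [message]
HEADER = re.compile(r'^\[?(?P<ts>[^\]]+)\] \["[^"]+"/\S+ (?P<level>[A-Z]+)\] '
                    r'\[(?P<logger>[\w.]+)\] \[(?P<msg>.*)\]\s*$')
EXCEPTION = re.compile(r'^[\w.]+Exception: (?P<text>.*)$')
DOMAIN = re.compile(r"Invalid or untrusted domain '([^']*)'")
# Logger class suffix and exception text, both taken from the errors quoted above.
SIGNATURES = {
    "ad_credential_check": ("ActiveDirectoryCheck", "Unable to validate Active Directory credentials"),
    "group_creation": ("UsersActionBean", "Unable to validate Active Directory group"),
    "untrusted_domain": ("ActiveDirectoryAuthenticator", "Invalid or untrusted domain"),
}

def parse_entries(lines):
    """Attach the first exception line after each header to that entry."""
    entries = []
    for line in lines:
        header = HEADER.match(line)
        if header:
            entries.append({**header.groupdict(), "exception": ""})
            continue
        exc = EXCEPTION.match(line)
        if exc and entries and not entries[-1]["exception"]:
            entries[-1]["exception"] = exc.group("text")
    return entries

def triage(lines):
    """Count each signature and collect the domains that were rejected."""
    counts, domains = Counter(), set()
    for entry in parse_entries(lines):
        for name, (logger_suffix, text) in SIGNATURES.items():
            if entry["logger"].endswith(logger_suffix) and text in entry["exception"]:
                counts[name] += 1
                domains.update(DOMAIN.findall(entry["exception"]))
    return {"counts": dict(counts), "domains": sorted(domains),
            "all_signatures_seen": set(counts) == set(SIGNATURES)}

# Constructed sample in the runtime.log layout (addresses and domains are placeholders).
SAMPLE = """\
[2026-03-12 16:37:15.660+0000] ["CheckPerformer-thread-1"/192.0.2.10 WARN] [com.vmware.loginsight.prodcheck.lib.ActiveDirectoryCheck] [Wasn't able to authenticate to active directory]
com.vmware.loginsight.commons.exceptions.AuthenticationException: Unable to validate Active Directory credentials. Please check your Active Directory DNS name, port, and SSL settings as well as your username and password.
[2026-03-12 16:39:38.708+0000] ["https-openssl-apr-443-exec-7"/192.0.2.10 ERROR] [com.vmware.loginsight.web.actions.settings.UsersActionBean] [Error creating group]
com.vmware.loginsight.commons.exceptions.AuthenticationException: Unable to validate Active Directory group. Please check your Active Directory DNS name, port, and SSL settings as well as your username and password.
[2026-03-12 16:45:49.212+0000] ["https-openssl-apr-443-exec-6"/192.0.2.10 INFO] [com.vmware.loginsight.aaa.ad.ActiveDirectoryAuthenticator] [Failed authentication attempt for parsed users [user@example.com] in domain [example.com]]
com.vmware.loginsight.commons.exceptions.AuthenticationException: Invalid or untrusted domain 'example.com'.
[2026-03-12 16:46:00.000+0000] ["main"/192.0.2.10 INFO] [com.example.Unrelated] [Unrelated entry]
""".splitlines()
print(triage(SAMPLE))
```

To run it against a real appliance log, pass `open("/storage/var/loginsight/runtime.log", errors="replace")` to `triage` instead of `SAMPLE`.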
Engineering is aware of this issue and is working on a resolution for an upcoming release.
To work around this issue, you can use one of the following two options:
Option 1: Disable Native Active Directory (Recommended)
If you do not strictly require the native Active Directory integration, you can disable it to allow your vSphere SSO groups to synchronize successfully.
Disable the native Active Directory configuration within VCF Operations for Logs.
Rely exclusively on your vSphere SSO (VIDB) configuration (which can have AD configured as its own identity source) for user authentication and group management.
Option 2: Add Users Individually
If you must keep both native AD and vSphere SSO enabled concurrently, you must bypass group-based provisioning and add users individually.
Log in to the VCF Operations for Logs UI.
Expand the main menu and navigate to Management > Access Control.
Select Add User.
Enter the user details manually, ensuring you assign the correct domain (i.e., @example.com).
Save the entry and have the user attempt a fresh logon.