The Active Directory identity source is pointed at the root domain, or at a load balancer with several domain controllers available to choose from.
Failed-to-bind errors appear at random intervals in /var/log/vmware/sso/websso.log, similar to the following:
YYYY-MM-DDTHH:MM:SSZ WARN websso[##:tomcat-http--##] [CorId=<unique ID>] [com.vmware.identity.interop.ldap.LdapErrorChecker] Error received by LDAP client: com.vmware.identity.interop.ldap.OpenLdapClientLibrary, error code: 49
YYYY-MM-DDTHH:MM:SSZ WARN websso[##:tomcat-http--##] [CorId=<unique ID>] [com.vmware.identity.interop.ldap.LdapErrorChecker] Error received by LDAP client: com.vmware.identity.interop.ldap.OpenLdapClientLibrary, error code: -5
Errors from the domain controllers appear in /var/log/vmware/sso/ssoAdminServer.log, similar to the following:
YYYY-MM-DDTHH:MM:SSZ WARN ssoAdminServer[###:pool-#-thread-##] [OpId=<unique ID>] [com.vmware.identity.interop.ldap.LdapErrorChecker] Error received by LDAP client: com.vmware.identity.interop.ldap.OpenLdapClientLibrary, error code: -5
YYYY-MM-DDTHH:MM:SSZ WARN ssoAdminServer[###:pool-#-thread-##] [OpId=<unique ID>] [com.vmware.identity.idm.server.ServerUtils] cannot bind connection: [ldap://<AD Domain>, <vCenter Domain>]
YYYY-MM-DDTHH:MM:SSZ WARN ssoAdminServer[###:pool-#-thread-##] [OpId=<unique ID>] [com.vmware.identity.idm.server.ServerUtils] cannot establish ldap connection with URI: [ldap://<AD Domain>] because [com.vmware.identity.interop.ldap.TimeoutLdapException] with reason [Timed out] therefore will try to attempt to use secondary URIs, if applicable
Eventually, authentication for Active Directory users succeeds.
VMware vCenter Server 8.x
One or more of the domain controllers is not working correctly for authentication through vCenter Server. When that domain controller is selected at random by vCenter Server or by the load balancer, the authentication fails. Investigate the domain controllers in use to identify the cause of the failure.
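As an added example (not part of the KB article), a small Python triage script that reads log lines in the format quoted above, tallies the LDAP result codes per service and lists the LDAP URIs that timed out, so the suspect domain controller can be identified before the identity source is reconfigured. The sample log lines, host names and function names are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample lines in the shape of the websso.log / ssoAdminServer.log
# entries quoted above; timestamps, IDs and host names are made up.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z WARN websso[12:tomcat-http--7] [CorId=abc1] [com.vmware.identity.interop.ldap.LdapErrorChecker] Error received by LDAP client: com.vmware.identity.interop.ldap.OpenLdapClientLibrary, error code: 49
2024-05-01T10:00:05Z WARN ssoAdminServer[101:pool-3-thread-12] [OpId=def2] [com.vmware.identity.interop.ldap.LdapErrorChecker] Error received by LDAP client: com.vmware.identity.interop.ldap.OpenLdapClientLibrary, error code: -5
2024-05-01T10:00:05Z WARN ssoAdminServer[101:pool-3-thread-12] [OpId=def2] [com.vmware.identity.idm.server.ServerUtils] cannot establish ldap connection with URI: [ldap://dc02.corp.example] because [com.vmware.identity.interop.ldap.TimeoutLdapException] with reason [Timed out] therefore will try to attempt to use secondary URIs, if applicable
2024-05-01T10:01:30Z INFO ssoAdminServer[101:pool-3-thread-13] [OpId=ghi3] [com.vmware.identity.idm.server.ServerUtils] unrelated informational line
"""

# OpenLDAP client result codes seen in the symptoms: 49 is LDAP_INVALID_CREDENTIALS
# (the bind was rejected), -5 is LDAP_TIMEOUT (the DC did not answer in time).
LDAP_CODES = {"49": "invalidCredentials", "-5": "timeout"}

ERROR_RE = re.compile(r"^(?P<ts>\S+) WARN (?P<svc>\w+)\[.*?error code: (?P<code>-?\d+)$")
URI_RE = re.compile(r"cannot establish ldap connection with URI: \[(?P<uri>[^\]]+)\]")


def summarize_ldap_errors(log_text):
    """Return (error counts keyed by (service, code name), timeout counts keyed by LDAP URI)."""
    codes = Counter()
    timed_out_uris = Counter()
    for line in log_text.splitlines():
        m = ERROR_RE.match(line)
        if m:
            name = LDAP_CODES.get(m.group("code"), m.group("code"))
            codes[(m.group("svc"), name)] += 1
            continue
        m = URI_RE.search(line)
        if m and "Timed out" in line:
            timed_out_uris[m.group("uri")] += 1
    return codes, timed_out_uris


def suspect_domain_controllers(log_text):
    """LDAP URIs that timed out at least once, most frequent first: candidates to remove."""
    _, timed_out_uris = summarize_ldap_errors(log_text)
    return [uri for uri, _ in timed_out_uris.most_common()]


if __name__ == "__main__":
    counts, _ = summarize_ldap_errors(SAMPLE_LOG)
    for (svc, name), n in sorted(counts.items()):
        print(f"{svc}: {name} x{n}")
    print("suspect DCs:", suspect_domain_controllers(SAMPLE_LOG))
```

Run it against the real files (for example `python3 triage.py < /var/log/vmware/sso/ssoAdminServer.log` after swapping SAMPLE_LOG for `sys.stdin.read()`); a URI that appears only in timeouts while others bind cleanly is the domain controller to investigate.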
Reconfigure the identity source to use only known/good domain controllers.
For issues where Read-only domain controllers are found:
For issues where the LDAP connection fails to bind, citing "invalid credentials" in the logging: