Unable to log in to vCenter Server with AD domain accounts: login fails with an "Invalid Credentials" error because the AD service account is locked, disabled, or has an expired password.

Article ID: 425470

Products

VMware vCenter Server

Issue/Introduction

In vCenter, when accessing Users and Groups from the admin SSO login, the following error is displayed: 'A vCenter Single Sign-On Service error occurred.'


Log Location: /var/log/vmware/sso/vmware-identity-sts.log

YYYY-MM-DDT.077Z INFO sts[57:tomcat-http--11] [corId=fXXXXXX6-7XXXXXXXXXc-XXXXXXX7] [com.vmware.identity.diagnostics.VmEventAppender] EventLog: source=[VMware Identity Server], tenant=[vsphere.local], eventid=[USER_NAME_PWD_AUTH_FAILED], level=[ERROR], category=[VMEVENT_CATEGORY_STS], text=[Failed to authenticate principal [svc_@domain]. Login failed], detailtext=[Login failed], correlationId=[fXXXXXX6-7XXXXXXXXXc-XXXXXXX7], timestamp=[1768440751077]

YYYY-MM-DDT.077Z ERROR sts[57:tomcat-http--11] [com.vmware.identity.idm.server.IdentityManager] Failed to authenticate principal [svc_@domain]. Login failed
javax.security.auth.login.LoginException: Login failed
    at com.vmware.identity.idm.server.provider.ldap.LdapWithAdMappingsProvider.authenticate(LdapWithAdMappingsProvider.java:458)
    at com.vmware.identity.idm.server.IdentityManager.authenticate(IdentityManager.java:3170)
    at com.vmware.identity.idm.server.IdentityManager.authenticate(IdentityManager.java:10605)
    at com.vmware.identity.idm.client.CasIdmClient.authenticate(CasIdmClient.java:1303)
    at com.vmware.identity.sts.idm.impl.AuthenticatorImpl.authenticate(AuthenticatorImpl.java:91)
    at com.vmware.identity.sts.auth.impl.UNTAAuthenticator.authenticate(UNTAAuthenticator.java:89)

YYYY-MM-DDT.076Z ERROR sts[57:tomcat-http--11] [corId=fXXXXXX6-7XXXXXXXXXc-XXXXXXX7] [com.vmware.identity.interop.ldap.OpenLdapClientLibrary] Server SSL certificate not trusted: Subject ()

YYYY-MM-DDT.076Z WARN sts[57:tomcat-http--11] [corId=fXXXXXX6-7XXXXXXXXXc-XXXXXXX7] [com.vmware.identity.interop.ldap.LdapErrorChecker] Error received by LDAP client: com.vmware.identity.interop.ldap.OpenLdapClientLibrary, error code: -1

Log Location: /var/log/vmware/sso/ssoAdminServer.log


YYYY-MM-DDT.077Z ERROR ssoAdminServer[104:pool-2-thread-5] [OpId=########-####-####-####-############] [com.vmware.identity.idm.server.ServerUtils] cannot establish ldap connection with URI: [ldap://example.com:389] because [Invalid credentials] therefore will not attempt to use any secondary URIs
YYYY-MM-DDT.077Z ERROR ssoAdminServer[104:pool-2-thread-5] [OpId=########-####-####-####-############] [com.vmware.identity.idm.server.ServerUtils] Exception 'com.vmware.identity.idm.IDMLoginException: Failed to probe provider connectivity [URI: ldap://example.com:389 ]; tenantName [vsphere.local], userName [example\user01]'
Caused by: com.vmware.identity.interop.ldap.InvalidCredentialsLdapException: Invalid credentials
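The two log excerpts above carry the indicators that separate this issue (the identity source's own bind account failing) from ordinary user typos. The following script is an added example, not part of the KB article: it scans the two log files named above for those indicators and classifies the result the way the Cause section does. The log paths are the ones the article gives; the sample entries embedded in the script are constructed (hostnames, principals and correlation IDs are invented) and are only used when the real logs are not readable. It assumes each log entry is written on one line, as in the ssoAdminServer.log excerpt.

```shell
#!/bin/sh
# Added example, not from the KB article. Usage on the vCenter appliance (via SSH):
#   sh sso_triage.sh                               # reads the real SSO logs
#   sh sso_triage.sh sts.log ssoAdminServer.log    # or copies taken elsewhere
# Log locations are the ones named in the article.
STS_LOG="${1:-/var/log/vmware/sso/vmware-identity-sts.log}"
ADMIN_LOG="${2:-/var/log/vmware/sso/ssoAdminServer.log}"

# Constructed sample entries modelled on the article's vmware-identity-sts.log
# excerpt (not real log data): one entry per line, three failures for two principals
# plus one unrelated WARN line.
write_sample_sts_log() {
    cat > "$1" <<'EOF'
2024-01-15T00:12:31.077Z INFO sts[57:tomcat-http--11] [corId=f0000006-7000000c-0000007] [com.vmware.identity.diagnostics.VmEventAppender] EventLog: source=[VMware Identity Server], tenant=[vsphere.local], eventid=[USER_NAME_PWD_AUTH_FAILED], level=[ERROR], category=[VMEVENT_CATEGORY_STS], text=[Failed to authenticate principal [svc_vc@corp.example]. Login failed], detailtext=[Login failed], correlationId=[f0000006-7000000c-0000007], timestamp=[1768440751077]
2024-01-15T00:12:40.101Z INFO sts[57:tomcat-http--12] [corId=f0000006-7000000c-0000008] [com.vmware.identity.diagnostics.VmEventAppender] EventLog: source=[VMware Identity Server], tenant=[vsphere.local], eventid=[USER_NAME_PWD_AUTH_FAILED], level=[ERROR], category=[VMEVENT_CATEGORY_STS], text=[Failed to authenticate principal [alice@corp.example]. Login failed], detailtext=[Login failed], correlationId=[f0000006-7000000c-0000008], timestamp=[1768440760101]
2024-01-15T00:12:55.220Z INFO sts[57:tomcat-http--13] [corId=f0000006-7000000c-0000009] [com.vmware.identity.diagnostics.VmEventAppender] EventLog: source=[VMware Identity Server], tenant=[vsphere.local], eventid=[USER_NAME_PWD_AUTH_FAILED], level=[ERROR], category=[VMEVENT_CATEGORY_STS], text=[Failed to authenticate principal [svc_vc@corp.example]. Login failed], detailtext=[Login failed], correlationId=[f0000006-7000000c-0000009], timestamp=[1768440775220]
2024-01-15T00:12:55.221Z WARN sts[57:tomcat-http--13] [corId=f0000006-7000000c-0000009] [com.vmware.identity.interop.ldap.LdapErrorChecker] Error received by LDAP client: com.vmware.identity.interop.ldap.OpenLdapClientLibrary, error code: -1
EOF
}

# Constructed sample modelled on the article's ssoAdminServer.log excerpt (not real log data).
write_sample_admin_log() {
    cat > "$1" <<'EOF'
2024-01-15T00:12:31.077Z ERROR ssoAdminServer[104:pool-2-thread-5] [OpId=00000000-0000-0000-0000-000000000000] [com.vmware.identity.idm.server.ServerUtils] cannot establish ldap connection with URI: [ldap://dc01.corp.example:389] because [Invalid credentials] therefore will not attempt to use any secondary URIs
2024-01-15T00:12:31.077Z ERROR ssoAdminServer[104:pool-2-thread-5] [OpId=00000000-0000-0000-0000-000000000000] [com.vmware.identity.idm.server.ServerUtils] Exception 'com.vmware.identity.idm.IDMLoginException: Failed to probe provider connectivity [URI: ldap://dc01.corp.example:389 ]; tenantName [vsphere.local], userName [corp\svc_vc]'
Caused by: com.vmware.identity.interop.ldap.InvalidCredentialsLdapException: Invalid credentials
EOF
}

# Count USER_NAME_PWD_AUTH_FAILED events per principal in vmware-identity-sts.log.
# Prints "<count> <principal>" per line, most frequent first.
auth_failures_by_principal() {
    grep 'eventid=\[USER_NAME_PWD_AUTH_FAILED\]' "$1" \
      | sed -n 's/.*Failed to authenticate principal \[\([^]]*\)\].*/\1/p' \
      | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Print "<uri> <bind-account>" when ssoAdminServer.log shows the identity source's
# own bind being rejected ("Failed to probe provider connectivity"); prints nothing otherwise.
identity_source_bind_failure() {
    sed -n 's/.*Failed to probe provider connectivity \[URI: *\([^] ]*\) *].*userName \[\([^]]*\)].*/\1 \2/p' "$1" \
      | head -n 1
}

# Classify the evidence as the article's Cause section does. Returns 2 when the
# identity-source bind itself fails (service account locked, disabled or password
# expired), 1 when only individual user logins fail, 0 when neither indicator is present.
triage() {
    sts="$1"; admin="$2"
    bind="$(identity_source_bind_failure "$admin")"
    failures="$(auth_failures_by_principal "$sts")"
    if [ -n "$bind" ]; then
        printf 'identity source bind rejected: %s\n' "$bind"
        printf 'check the AD service account (locked / disabled / expired password)\n'
        return 2
    elif [ -n "$failures" ]; then
        printf 'user authentication failures (count principal):\n%s\n' "$failures"
        return 1
    fi
    printf 'no USER_NAME_PWD_AUTH_FAILED or Invalid credentials indicators found\n'
    return 0
}

if [ ! -r "$STS_LOG" ] || [ ! -r "$ADMIN_LOG" ]; then
    printf 'real logs not readable; running against constructed sample entries\n'
    STS_LOG=$(mktemp); ADMIN_LOG=$(mktemp)
    write_sample_sts_log "$STS_LOG"; write_sample_admin_log "$ADMIN_LOG"
fi
rc=0; triage "$STS_LOG" "$ADMIN_LOG" || rc=$?
printf 'triage exit status: %s\n' "$rc"
```

The exit status is deliberate: a 2 means the bind account named in ssoAdminServer.log is the thing to check first, and the per-principal counts from the STS log tell you whether the service account is also the principal that keeps failing, which is what the excerpt above shows.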


Environment

vCenter server 7.x

vCenter server 8.x

Cause

If the Active Directory (AD) service account used for the Identity Source becomes locked, disabled, or has an expired password, AD user logins to vCenter will fail.

Resolution

To resolve this issue, follow the steps below:

  1. Delete the Current Identity Source
    • Log in to the vSphere Client.
    • Navigate to: Menu > Administration > Single Sign-On > Configuration > Identity Provider > Identity Sources.
    • Select the current Identity Source and click Remove.
  2. Validate the AD Certificate
    • Connect to the vCenter Server via an SSH session.
    • Run the following command to verify the Active Directory (AD) certificate:
      • openssl s_client -connect <domain_controller>:636 -showcerts
    • Sample output:
      -----BEGIN CERTIFICATE-----
      MIIFyjCCBLKgAwIBAgIKYURFHAAAAAAA
      BDANBgkqhkiG9w0BADSHDFSJnjdwEQYK
      ..........snip..........
      TmqX6mnsaxcjushyuVGYHGVBJKNW5Z5L
      hYZhHKsf9CmZa12j/ODfznFtAgbPNw==
      -----END CERTIFICATE-----

  3. Save the Certificate
    • Copy the certificate output to a file and save it with a .cer extension.
  4. Add a New LDAP Identity Source
    • Log in to the vSphere Client.
    • Navigate to: Menu > Administration > Single Sign-On > Configuration > Identity Provider > Identity Sources.
    • Click Add and follow the prompts to configure the new LDAP Identity Source using the saved certificate.
  5. See the example configuration below:

Note:

  • Ensure the AD service account used has proper permissions.
  • Verify network connectivity to the domain controller on port 636 (LDAPS).
  • If you have an existing Identity Source with the same name, you cannot add both simultaneously.
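Steps 2 and 3 above can be done from the same SSH session without hand-copying the certificate. The following script is an added example, not part of the KB article: it runs the `openssl s_client` command from step 2, keeps only the first PEM block of the `-showcerts` output (the server's own certificate, which precedes any intermediates), writes it to the `.cer` file of step 3, and prints the subject, issuer and validity dates so an expired or wrong-host certificate is noticed before the identity source is recreated. The hostname and output file name are placeholders; the embedded `s_client` output is a constructed sample whose certificate bodies are not real, and is used only when no arguments are given.

```shell
#!/bin/sh
# Added example, not from the KB article. Assumed usage over SSH on the vCenter appliance:
#   sh save_ad_cert.sh dc01.corp.example ./dc01.cer
# (hostname and file name are placeholders)

# Keep only the first PEM certificate block from `openssl s_client -showcerts`
# output on stdin. The server certificate comes first; intermediates follow it.
first_pem_block() {
    awk '/-----BEGIN CERTIFICATE-----/ { inblock = 1 }
         inblock { print }
         /-----END CERTIFICATE-----/ { if (inblock) exit }'
}

# Number of PEM certificate blocks on stdin (server certificate plus intermediates).
pem_block_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----'
}

# Steps 2 and 3 of the article: connect on 636, extract the server certificate,
# save it with a .cer extension and show what was saved. Non-zero if nothing came back.
save_ad_cert() {
    host="$1"; out="$2"
    # </dev/null closes s_client's stdin so it exits once the handshake is done
    openssl s_client -connect "$host:636" -showcerts </dev/null 2>/dev/null \
      | first_pem_block > "$out"
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$out"; then
        printf 'no certificate received from %s:636 (check reachability of port 636, see Note)\n' "$host" >&2
        return 1
    fi
    # Subject, issuer and validity: an expired or mismatched DC certificate shows up here.
    openssl x509 -in "$out" -noout -subject -issuer -dates
}

# Constructed sample of the relevant part of `openssl s_client -showcerts` output:
# a leaf block followed by one intermediate. The bodies are placeholders, not certificates.
sample_s_client_output() {
    cat <<'EOF'
CONNECTED(00000003)
depth=1 CN = Corp Issuing CA
verify return:1
---
Certificate chain
 0 s:CN = dc01.corp.example
   i:CN = Corp Issuing CA
-----BEGIN CERTIFICATE-----
LEAFCERTBODYLINE1
LEAFCERTBODYLINE2
-----END CERTIFICATE-----
 1 s:CN = Corp Issuing CA
   i:CN = Corp Root CA
-----BEGIN CERTIFICATE-----
INTERMEDIATEBODYLINE1
-----END CERTIFICATE-----
---
EOF
}

if [ "$#" -eq 2 ]; then
    save_ad_cert "$1" "$2"
else
    printf 'demo: %s block(s) in the constructed sample; leaf block extracted:\n' \
        "$(sample_s_client_output | pem_block_count)"
    sample_s_client_output | first_pem_block
fi
```

If the `.cer` file is to be used in step 4, compare the subject printed by `openssl x509` with the domain controller name you will enter for the identity source; a mismatch or a past `notAfter` date will produce the same "Server SSL certificate not trusted" entry in vmware-identity-sts.log that the excerpt above shows.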

Additional Information

Configuring a vCenter Single Sign-On Identity Source using LDAP with SSL (LDAPS)