"ReferralLdapException: Referral" error is logged in ssoAdminServer.log only during vCenter Server log bundle collection
Article ID: 425611

Products

VMware vCenter Server

Issue/Introduction

  • Active Directory (Integrated Windows Authentication) is configured as an Identity Source in vCenter Server.
  • The "ReferralLdapException: Referral" error is observed in ssoAdminServer.log only during the generation of a vCenter Server log bundle:
    /var/log/vmware/sso/ssoAdminServer.log
    yyyy-mm-ddThh:mm:ss,nnnZ ERROR ssoAdminServer[***] [OpId=***] [com.vmware.identity.interop.ldap.OpenLdapClientLibrary] Exception when calling ldap_search_s: base=DC=***, scope=***, filter=***, attrs=[***, attrsonly=***
    com.vmware.identity.interop.ldap.ReferralLdapException: Referral
            at com.vmware.identity.interop.ldap.LdapErrorChecker$11.RaiseLdapError(LdapErrorChecker.java:183) ~[vmware-identity-platform-7.0.0.jar:?]
            at com.vmware.identity.interop.ldap.LdapErrorChecker.CheckError(LdapErrorChecker.java:1102) ~[vmware-identity-platform-7.0.0.jar:?]
            at com.vmware.identity.interop.ldap.OpenLdapClientLibrary.CheckError(OpenLdapClientLibrary.java:1306) ~[vmware-identity-platform-7.0.0.jar:?]
            at com.vmware.identity.interop.ldap.OpenLdapClientLibrary.CheckError(OpenLdapClientLibrary.java:1299) ~[vmware-identity-platform-7.0.0.jar:?]
            at com.vmware.identity.interop.ldap.OpenLdapClientLibrary.ldap_search_s(OpenLdapClientLibrary.java:843) [vmware-identity-platform-7.0.0.jar:?]
            at com.vmware.identity.interop.ldap.LdapConnection$3.call(LdapConnection.java:323) [vmware-identity-platform-7.0.0.jar:?]
            at com.vmware.identity.interop.ldap.LdapConnection$3.call(LdapConnection.java:320) [vmware-identity-platform-7.0.0.jar:?]
            at com.vmware.identity.interop.ldap.LdapConnection.execute(LdapConnection.java:714) [vmware-identity-platform-7.0.0.jar:?]
            at com.vmware.identity.interop.ldap.LdapConnection.search(LdapConnection.java:319) [vmware-identity-platform-7.0.0.jar:?]
            at com.vmware.identity.interop.ldap.LdapConnection.search(LdapConnection.java:288) [vmware-identity-platform-7.0.0.jar:?]
            at com.vmware.identity.idm.server.provider.BaseLdapProvider.findMemberDnsInGroupInRange(BaseLdapProvider.java:888) [vmware-identity-idm-server-7.0.0.jar:?]
            at com.vmware.identity.idm.server.provider.activedirectory.ActiveDirectoryProvider.findUsersInGroupInternal(ActiveDirectoryProvider.java:2353) [vmware-identity-idm-server-7.0.0.jar:?]
            at com.vmware.identity.idm.server.provider.activedirectory.ActiveDirectoryProvider.findUsersInGroup(ActiveDirectoryProvider.java:504) [vmware-identity-idm-server-7.0.0.jar:?]
            at com.vmware.identity.idm.server.IdentityManager.findPersonUsersInGroup(IdentityManager.java:4797) [vmware-identity-idm-server-7.0.0.jar:?]
            at com.vmware.identity.idm.server.IdentityManager.findPersonUsersInGroup(IdentityManager.java:10965) [vmware-identity-idm-server-7.0.0.jar:?]
            at com.vmware.identity.idm.client.CasIdmClient.findPersonUsersInGroup(CasIdmClient.java:2243) [vmware-identity-idm-client-7.0.0.jar:?]
            at com.vmware.identity.admin.server.ims.impl.PrincipalManagementImpl.findPersonUsersInGroup(PrincipalManagementImpl.java:728) [sso-adminserver-7.0.0.jar:?]
  • The vCenter Server log bundle itself is created successfully.
  • The error occurs specifically when the log bundle collection process triggers an SSO API call to FindUsersInGroup.

Environment

VMware vCenter Server 8.*

Cause

The error indicates that the Active Directory domain controller is returning an LDAP referral in response to the LDAP search issued for the FindUsersInGroup API call. vCenter Server does not follow LDAP referrals, so the search fails with ReferralLdapException. Further investigation by the Active Directory administration team is required to determine why the domain controller is generating the referral.

Resolution

Since the error only occurs during log bundle collection and does not affect functionality, it can be safely ignored.

When vCenter Server issues SAML tokens or resolves user permissions during login, it uses the FindDirectParentGroups and FindNestedParentGroups APIs. These calls do not appear to trigger the ReferralLdapException. The error therefore has no impact on normal vCenter Server operations or user logins.
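The distinction above (a referral drawn by FindUsersInGroup is benign, while the parent-group lookups are on the login path) can be checked directly against ssoAdminServer.log. The following script is an added example, not VMware code: it splits the log into records, finds every record carrying the ReferralLdapException, reads the innermost IdentityManager frame of the stack trace to identify which SSO API issued the LDAP search, and reports whether the occurrence matches the benign pattern described in this article. The log excerpt embedded in the script is constructed for the example (the record containing findNestedParentGroups is hypothetical and only exercises the "investigate" branch); the API-to-verdict mapping is this example's own assumption based on the text above.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Each ssoAdminServer.log record starts with a timestamp and OpId; stack frames follow as
# continuation lines.  The "***" values in the KB excerpt are redactions, so the OpId and
# PID fields are matched permissively.
RECORD_START = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2},\d{3}Z)\s+(?P<level>\w+)\s+"
    r"ssoAdminServer\[[^\]]*\]\s+\[OpId=(?P<opid>[^\]]*)\]"
)
REFERRAL_MARKER = "ReferralLdapException: Referral"
# The IdentityManager frame names the SSO API whose LDAP query received the referral.
IDM_FRAME = re.compile(r"at com\.vmware\.identity\.idm\.server\.IdentityManager\.(\w+)\(")

# Assumed mapping (this example's own): FindUsersInGroup is only called by log bundle
# collection, while the parent-group lookups are used for SAML tokens and login.
BENIGN_APIS = {"findPersonUsersInGroup"}
LOGIN_PATH_APIS = {"findDirectParentGroups", "findNestedParentGroups"}

# Constructed sample log; not real data.  Record 1 mirrors the KB trace, record 2 is an
# unrelated line, record 3 is a hypothetical referral on the login path.
SAMPLE_LOG = """\
2024-01-01T10:00:00,001Z ERROR ssoAdminServer[1234] [OpId=op-1] [com.vmware.identity.interop.ldap.OpenLdapClientLibrary] Exception when calling ldap_search_s: base=DC=example,DC=local, scope=2, filter=(objectClass=*), attrs=[member], attrsonly=0
com.vmware.identity.interop.ldap.ReferralLdapException: Referral
        at com.vmware.identity.interop.ldap.LdapErrorChecker$11.RaiseLdapError(LdapErrorChecker.java:183) ~[vmware-identity-platform-7.0.0.jar:?]
        at com.vmware.identity.idm.server.provider.activedirectory.ActiveDirectoryProvider.findUsersInGroup(ActiveDirectoryProvider.java:504) [vmware-identity-idm-server-7.0.0.jar:?]
        at com.vmware.identity.idm.server.IdentityManager.findPersonUsersInGroup(IdentityManager.java:4797) [vmware-identity-idm-server-7.0.0.jar:?]
        at com.vmware.identity.idm.server.IdentityManager.findPersonUsersInGroup(IdentityManager.java:10965) [vmware-identity-idm-server-7.0.0.jar:?]
2024-01-01T10:00:05,000Z INFO  ssoAdminServer[1234] [OpId=op-2] [com.vmware.identity.admin.server.ims.impl.PrincipalManagementImpl] Request completed
2024-01-01T10:02:00,000Z ERROR ssoAdminServer[1234] [OpId=op-3] [com.vmware.identity.interop.ldap.OpenLdapClientLibrary] Exception when calling ldap_search_s: base=DC=example,DC=local, scope=2, filter=(objectClass=*), attrs=[memberOf], attrsonly=0
com.vmware.identity.interop.ldap.ReferralLdapException: Referral
        at com.vmware.identity.interop.ldap.LdapErrorChecker$11.RaiseLdapError(LdapErrorChecker.java:183) ~[vmware-identity-platform-7.0.0.jar:?]
        at com.vmware.identity.idm.server.IdentityManager.findNestedParentGroups(IdentityManager.java:1) [vmware-identity-idm-server-7.0.0.jar:?]
"""


def split_records(log_text: str) -> List[List[str]]:
    """Group log lines into records: a timestamped line plus its continuation lines."""
    records: List[List[str]] = []
    for line in log_text.splitlines():
        if RECORD_START.match(line):
            records.append([line])
        elif records:
            records[-1].append(line)
    return records


def classify_record(record: List[str]) -> Optional[Dict[str, Optional[str]]]:
    """Return a verdict for a record that carries the referral exception, else None."""
    if not any(REFERRAL_MARKER in line for line in record):
        return None
    header = RECORD_START.match(record[0])
    api = None
    for line in record:
        frame = IDM_FRAME.search(line)
        if frame:
            api = frame.group(1)  # innermost IdentityManager frame is the API entry point
            break
    if api in BENIGN_APIS:
        verdict = "benign"        # log bundle collection path, per the KB
    elif api in LOGIN_PATH_APIS:
        verdict = "investigate"   # login/token path; not the pattern the KB describes
    else:
        verdict = "unknown"
    return {"timestamp": header.group("ts"), "opid": header.group("opid"),
            "api": api, "verdict": verdict}


def classify_referrals(log_text: str) -> List[Dict[str, Optional[str]]]:
    """Classify every ReferralLdapException record in the log text."""
    results = []
    for record in split_records(log_text):
        verdict = classify_record(record)
        if verdict is not None:
            results.append(verdict)
    return results


def summarize(results: List[Dict[str, Optional[str]]]) -> Dict[str, int]:
    """Count occurrences per verdict so an operator sees at a glance what needs attention."""
    return dict(Counter(r["verdict"] for r in results))


if __name__ == "__main__":
    for r in classify_referrals(SAMPLE_LOG):
        print(f'{r["timestamp"]} OpId={r["opid"]} api={r["api"]} -> {r["verdict"]}')
    print(summarize(classify_referrals(SAMPLE_LOG)))
```

Run it against the real file with `classify_referrals(open("/var/log/vmware/sso/ssoAdminServer.log").read())`; a summary containing only "benign" entries whose timestamps coincide with log bundle collection is the situation this article describes, whereas any "investigate" or "unknown" entries indicate a referral on a code path the article does not cover.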