Configuring an AD over LDAPS Identity Source in vCenter Server fails with error "Cannot configure identity source due to Failed to probe provider connectivity"

Article ID: 431701


Products

VMware vCenter Server

Issue/Introduction

  • A new Identity Source of type Active Directory over LDAP is being configured in vCenter Server, using LDAPS (TCP/636).
  • The Domain Controller is being added by IP address rather than FQDN for one reason or another (e.g. the domain name contains numbers, so it does not pass validation in the vCenter UI).
  • TCP port 636 is confirmed open between the vCenter Server and the Domain Controller.
  • The proper certificate is being added to the Identity Source so that vCenter trusts the DC's leaf certificate.
  • The error "Cannot configure identity source due to Failed to probe provider connectivity...Caused by: Can't contact LDAP server" is observed.

  • In the vCenter Server /var/log/vmware/sso/sts-runtime.log.stderr log file, the following entry is observed at the timestamp when the Identity Source configuration was attempted.

    2026-02-25T21:32:43.153Z ERROR [com.vmware.identity.interop.ldap.OpenLdapClientLibrary] ldap_bind_s : Can't contact LDAP server (-1)
            additional info: TLS: hostname does not match CN in peer certificate

Environment

VMware vCenter Server

Cause

While this error can occur due to any number of problems that prevent the vCenter Server from connecting to the Domain Controller on secure port TCP 636 (e.g. blocked network ports, no network route, mismatched certificate trust), in this specific case the cause is that the Domain Controller is being added to the Identity Source by its IP address, but its leaf certificate does not contain that IP as a Subject Alternative Name. The TLS client checks the identifier it was given against the certificate, and an IP address identifier is matched only against iPAddress Subject Alternative Name entries, so the check fails and the LDAP bind is aborted.

Resolution

This can be fixed by either:

  • Configuring the Domain Controller by FQDN in the vCenter Server Identity Source, if possible; or
  • Re-issuing the leaf certificate for the Domain Controller being configured, with its IP address(es) added as Subject Alternative Names.
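The following diagnostic is an added example (not VMware's code) that reproduces the identity check described above so you can confirm the cause before changing anything, and verify a re-issued certificate afterwards. It connects to the Domain Controller on TCP/636 using the same CA certificate you would add to the Identity Source, reads the leaf certificate's Subject Alternative Name entries, and reports whether the identifier you intend to configure (IP address or FQDN) matches them. The matching logic is generalized beyond the IP case on this page to cover exact and single-label wildcard dNSName entries. The host names, IP addresses, SAN contents and CA file path used in the sample are constructed.

```python
"""Check whether a Domain Controller's LDAPS certificate will match the
identifier configured in a vCenter Identity Source (IP address or FQDN).

Added example, not VMware code. All hosts, IPs and SAN values used in the
demo at the bottom are constructed.
"""
import ipaddress
import socket
import ssl
import sys


def _parse_ip(identifier):
    """Return an ip_address object if `identifier` is an IP literal, else None."""
    try:
        return ipaddress.ip_address(identifier.strip("[]"))
    except ValueError:
        return None


def _dns_match(pattern, host):
    """Match a dNSName SAN entry against a lower-cased host name.
    Only a whole leftmost label may be a wildcard (RFC 6125 style)."""
    pattern = pattern.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    first, _, rest = pattern.partition(".")
    if first != "*" or not rest:
        return False
    host_first, _, host_rest = host.partition(".")
    return bool(host_first) and host_rest == rest


def san_matches_identifier(identifier, san):
    """Return (ok, reason).

    `san` is the list of (type, value) tuples in the format returned by
    ssl.SSLSocket.getpeercert()["subjectAltName"], for example
    [("DNS", "dc01.corp.example"), ("IP Address", "10.0.0.5")].
    """
    ip = _parse_ip(identifier)
    if ip is not None:
        # An IP identifier is compared only against iPAddress SAN entries;
        # the subject CN and dNSName entries are not consulted.
        for kind, value in san:
            if kind != "IP Address":
                continue
            try:
                if ipaddress.ip_address(value) == ip:
                    return True, "iPAddress SAN %s matches %s" % (value, identifier)
            except ValueError:
                continue
        return False, ("%s was entered as an IP address but the certificate has no "
                       "iPAddress SAN for it; add the IP to the SAN or configure the "
                       "Domain Controller by FQDN" % identifier)

    host = identifier.lower().rstrip(".")
    dns_entries = [value for kind, value in san if kind == "DNS"]
    for value in dns_entries:
        if _dns_match(value, host):
            return True, "dNSName SAN %s matches %s" % (value, host)
    if not san:
        return False, "certificate carries no subjectAltName entries to match %s against" % host
    return False, "no dNSName SAN matches %s (present: %s)" % (host, dns_entries)


def probe_ldaps(identifier, ca_file, port=636, timeout=5.0):
    """Connect to identifier:port over TLS, validate the chain against ca_file,
    then apply san_matches_identifier to the leaf certificate. Returns
    (ok, reason, san_list). Raises on network or chain-trust failure."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = False          # we report the name mismatch ourselves
    ctx.verify_mode = ssl.CERT_REQUIRED  # chain trust is still enforced
    sni = None if _parse_ip(identifier) else identifier
    with socket.create_connection((identifier.strip("[]"), port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            cert = tls.getpeercert()
    san = list(cert.get("subjectAltName", ()))
    ok, reason = san_matches_identifier(identifier, san)
    return ok, reason, san


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # usage: python ldaps_san_check.py <DC IP or FQDN> <ca.pem>
        ok, reason, san = probe_ldaps(sys.argv[1], sys.argv[2])
        print("SAN:", san)
        print("OK" if ok else "MISMATCH", "-", reason)
    else:
        # Offline demo with a constructed SAN list: a DC whose certificate
        # names only its FQDN, configured first by IP and then by FQDN.
        constructed_san = [("DNS", "dc01.corp.example")]
        for ident in ("10.0.0.5", "dc01.corp.example"):
            ok, reason = san_matches_identifier(ident, constructed_san)
            print(ident, "->", "OK" if ok else "MISMATCH", "-", reason)
```

Run it from the vCenter appliance (or any host that can reach TCP/636 on the DC) with the identifier exactly as you plan to enter it in the Identity Source and the CA certificate file you add there; a MISMATCH for an IP identifier with only DNS entries in the SAN is the condition this article describes.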

Additional Information

See Configuring a vCenter Single Sign-On Identity Source using LDAP with SSL (LDAPS) for more information.