LDAPs authentication for AD users on the vCenter Server is not working intermittently.


Article ID: 434569


Updated On:

Products

VMware vCenter Server

Issue/Introduction

  • This is an intermittent issue.
  • The login attempt fails with an "invalid username or password" error.

Entries in /var/log/vmware/sso/websso.log:

[YYYY-MM-DD]T[HH:MM:SS.SSS]Z INFO websso[63:tomcat-http--17] [CorId=5b310f07-xxxx-xxxx-xxxx-240e59dce92b] [com.vmware.identity.diagnostics.VmEventAppender] EventLog: source=[VMware Identity Server], tenant=[vsphere.local], eventid=[USER_NAME_PWD_AUTH_FAILED], level=[ERROR], category=[VMEVENT_CATEGORY_STS], text=[Failed to authenticate principal [<USER>@<DOMAIN>]. Login failed], detailText=[Login failed], corelationId=[5b310f07-xxxx-xxxx-xxxx-240e59dce92b], timestamp=[xxxxxxxxxxxxx]

[YYYY-MM-DD]T[HH:MM:SS.SSS]Z ERROR websso[63:tomcat-http--17] [CorId=5b310f07-xxxx-xxxx-xxxx-240e59dce92b] [com.vmware.identity.idm.server.IdentityManager] Failed to authenticate principal [<USER>@<DOMAIN>]. Login failed

[YYYY-MM-DD]T[HH:MM:SS.SSS]Z ERROR websso[63:tomcat-http--17] [CorId=5b310f07-xxxx-xxxx-xxxx-240e59dce92b] [com.vmware.identity.interop.ldap.OpenLdapClientLibrary] Server SSL certificate not trusted: Subject (CN=<DC-NAME>.<DOMAIN>)

[YYYY-MM-DD]T[HH:MM:SS.SSS]Z ERROR websso[63:tomcat-http--17] [CorId=5b310f07-xxxx-xxxx-xxxx-240e59dce92b] [com.vmware.identity.idm.server.ServerUtils] cannot establish ldap connection with URI: [ldaps://<DOMAIN>] because [com.vmware.identity.interop.ldap.ServerDownLdapException] with reason [Can't contact LDAP server] therefore will try to attempt to use secondary URIs, if applicable

[YYYY-MM-DD]T[HH:MM:SS.SSS]Z ERROR websso[63:tomcat-http--17] [CorId=5b310f07-xxxx-xxxx-xxxx-240e59dce92b] [com.vmware.identity.idm.server.provider.BaseLdapProvider] com.vmware.identity.interop.ldap.ServerDownLdapException: Can't contact LDAP server\nLDAP error [code: -1]

[YYYY-MM-DD]T[HH:MM:SS.SSS]Z ERROR websso[63:tomcat-http--17] [CorId=5b310f07-xxxx-xxxx-xxxx-240e59dce92b] [com.vmware.identity.idm.server.IdentityManager] Failed to authenticate principal [<USER>@<DOMAIN>]. Login failed javax.security.auth.login.LoginException: Login failed
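The USER_NAME_PWD_AUTH_FAILED event and the "Server SSL certificate not trusted" error above share the same CorId, so the two can be joined to separate genuine bad-password failures from failures that are really certificate-trust failures, and to see which domain controller each trust failure came from. The function below is an added example, not part of this KB or of vCenter: the name classify_websso_failures is assumed, and SAMPLE_WEBSSO_LINES is constructed data in the websso.log format shown above, not real log content.

```shell
#!/bin/sh
# classify_websso_failures (hypothetical helper, not a VMware tool).
# Reads websso.log lines on stdin and prints, per domain controller, how many
# failed logins had a matching "certificate not trusted" error on the same
# CorId ("cert_trust <count> <DC subject>"), plus an "other <count>" line for
# failed logins with no trust error (e.g. a genuinely wrong password).
classify_websso_failures() {
  awk '
    { cid = "" }
    match($0, /\[CorId=[^]]*\]/) { cid = substr($0, RSTART + 7, RLENGTH - 8) }
    /eventid=\[USER_NAME_PWD_AUTH_FAILED\]/ { failed[cid] = 1 }
    /Server SSL certificate not trusted: Subject \(/ {
      dc = $0
      sub(/.*Subject \(/, "", dc)
      sub(/\).*/, "", dc)
      untrusted[cid] = dc
    }
    END {
      for (c in failed) {
        if (c in untrusted) trust[untrusted[c]]++
        else other++
      }
      for (d in trust) print "cert_trust", trust[d], d
      print "other", other + 0
    }
  ' | sort
}

# Constructed sample in the format of the excerpt above (not real data):
# two failed logins caused by an untrusted dc2 certificate, one failed login
# with no trust error, and one trust error that produced no login failure.
SAMPLE_WEBSSO_LINES='2024-01-01T00:00:01.000Z INFO websso[63:tomcat-http--17] [CorId=c0000001] [com.vmware.identity.diagnostics.VmEventAppender] EventLog: source=[VMware Identity Server], tenant=[vsphere.local], eventid=[USER_NAME_PWD_AUTH_FAILED], level=[ERROR], category=[VMEVENT_CATEGORY_STS], text=[Failed to authenticate principal [user1@corp.example]. Login failed]
2024-01-01T00:00:01.000Z ERROR websso[63:tomcat-http--17] [CorId=c0000001] [com.vmware.identity.interop.ldap.OpenLdapClientLibrary] Server SSL certificate not trusted: Subject (CN=dc2.corp.example)
2024-01-01T00:00:05.000Z INFO websso[63:tomcat-http--18] [CorId=c0000002] [com.vmware.identity.diagnostics.VmEventAppender] EventLog: source=[VMware Identity Server], tenant=[vsphere.local], eventid=[USER_NAME_PWD_AUTH_FAILED], level=[ERROR], category=[VMEVENT_CATEGORY_STS], text=[Failed to authenticate principal [user2@corp.example]. Login failed]
2024-01-01T00:00:05.000Z ERROR websso[63:tomcat-http--18] [CorId=c0000002] [com.vmware.identity.interop.ldap.OpenLdapClientLibrary] Server SSL certificate not trusted: Subject (CN=dc2.corp.example)
2024-01-01T00:00:09.000Z INFO websso[63:tomcat-http--19] [CorId=c0000003] [com.vmware.identity.diagnostics.VmEventAppender] EventLog: source=[VMware Identity Server], tenant=[vsphere.local], eventid=[USER_NAME_PWD_AUTH_FAILED], level=[ERROR], category=[VMEVENT_CATEGORY_STS], text=[Failed to authenticate principal [user3@corp.example]. Login failed]
2024-01-01T00:00:12.000Z ERROR websso[63:tomcat-http--20] [CorId=c0000004] [com.vmware.identity.interop.ldap.OpenLdapClientLibrary] Server SSL certificate not trusted: Subject (CN=dc2.corp.example)'

# Stand-alone demonstration on the constructed sample; on a real appliance
# pipe the log file in instead:  classify_websso_failures < /var/log/vmware/sso/websso.log
printf '%s\n' "$SAMPLE_WEBSSO_LINES" | classify_websso_failures
```

On the constructed sample this reports two failures attributable to dc2's certificate and one "other" failure; the trust error on CorId c0000004 is not counted because no login failed on that correlation id. A DC that appears only under cert_trust is the one whose certificate needs attention in the Resolution steps.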

Environment

VMware vCenter Server 8.x

Cause

The issue was caused by inconsistent SSL certificate trust across Active Directory domain controllers used for LDAPS authentication.

Resolution

Follow the action plan below to address the issue:

  1. Reissue the LDAPS certificates on the affected domain controllers.
    Refer to Broadcom KB 316596.
  2. Ensure that all domain controllers:
    • Use the same certificate template.
    • Present a complete certificate chain.
    • Are signed by the same trusted CA.
  3. Validate LDAPS connectivity and certificate trust from vCenter for every domain controller:
    openssl s_client -connect <DC_FQDN>:636 -showcerts
  4. Restart the vCenter services after remediation to clear the cached connection and trust state:
    service-control --stop --all && service-control --start --all
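Steps 2 and 3 can be run as one pass over all domain controllers from the vCenter appliance shell, so that an inconsistent DC stands out before the services are restarted. The script below is an added example, not part of this KB or a VMware tool: the names check_dc_ldaps.sh, summarize_s_client, compare_summaries and main are assumed, and the only external command it relies on is the openssl s_client invocation from step 3.

```shell
#!/bin/sh
# check_dc_ldaps.sh (hypothetical helper, not from the KB).
# Runs "openssl s_client -connect <DC>:636 -showcerts" against every domain
# controller named on the command line and reports whether all DCs present the
# same issuer, the same chain length, and a certificate this host trusts
# ("Verify return code: 0 (ok)"). Usage: ./check_dc_ldaps.sh dc1.fqdn dc2.fqdn ...

# Reduce one s_client transcript (stdin) to a single summary line:
#   subject=...|issuer=...|chain_certs=N|verify=<code and text>
summarize_s_client() {
  awk '
    /^subject=/ && s == "" { s = $0; sub(/^subject=/, "", s) }
    /^issuer=/  && i == "" { i = $0; sub(/^issuer=/,  "", i) }
    /-----BEGIN CERTIFICATE-----/ { n++ }
    /Verify return code:/ { v = $0; sub(/.*Verify return code: */, "", v) }
    END { printf "subject=%s|issuer=%s|chain_certs=%d|verify=%s\n", s, i, n, v }
  '
}

# Read "<dc><TAB><summary>" lines (stdin). Exit 0 when every DC has the same
# issuer and chain length and verifies OK; otherwise list the outliers and exit 1.
# An unreachable DC yields an empty summary and is reported as untrusted.
compare_summaries() {
  awk '
    BEGIN { FS = "\t" }
    {
      split($2, f, /\|/)
      issuer[$1] = f[2]; chain[$1] = f[3]
      if (!(f[2] in seen_issuer)) { seen_issuer[f[2]] = 1; n_issuers++ }
      if (!(f[3] in seen_chain))  { seen_chain[f[3]]  = 1; n_chains++ }
      if (f[4] !~ /^verify=0 /) bad = bad "  " $1 ": " f[4] "\n"
    }
    END {
      rc = 0
      if (n_issuers > 1) {
        print "Issuer differs across DCs:"
        for (d in issuer) print "  " d ": " issuer[d]
        rc = 1
      }
      if (n_chains > 1) {
        print "Chain length differs across DCs:"
        for (d in chain) print "  " d ": " chain[d]
        rc = 1
      }
      if (bad != "") {
        printf "DCs not trusted by this host (or unreachable):\n%s", bad
        rc = 1
      }
      if (rc == 0) print "All DCs present a consistent, trusted LDAPS chain."
      exit rc
    }
  '
}

main() {
  tmp=$(mktemp) || return 1
  for dc in "$@"; do
    # </dev/null closes stdin so s_client exits right after the handshake.
    summary=$(openssl s_client -connect "$dc:636" -showcerts </dev/null 2>/dev/null | summarize_s_client)
    printf '%s\t%s\n' "$dc" "$summary" >>"$tmp"
  done
  compare_summaries <"$tmp"
  rc=$?
  rm -f "$tmp"
  return "$rc"
}

# Run only when DC names are given, so the functions can also be sourced.
if [ "$#" -gt 0 ]; then
  main "$@"
fi
```

Because the openssl verification runs on the appliance itself, the "verify" column reflects the trust store vCenter actually uses, which is what the intermittent failures depend on: a DC that verifies fine from an administrator's workstation but not from the appliance will still fail LDAPS binds when the identity source happens to select it.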