Unable to query ADFS users and a vCenter Single Sign-On Service Error while Accessing Users and Groups.

Article ID: 435091


Products

VMware vCenter Server

Issue/Introduction

vCenter Server (VC) displays the error "A vCenter Single Sign-On Service error occurred" when the Users and Groups page is opened in the vSphere Client with the ADFS domain selected.

Consequently, administrators are unable to query, search, or enumerate user and group objects from the Active Directory domain within the vSphere Client interface.

However, existing user logins to the vCenter Server continue to authenticate and function successfully.

Environment

vCenter Server 8.0U3h

Cause

Authentication traffic is redirected to the ADFS OpenID Connect (OIDC) endpoint, allowing users to successfully log in even when the vCenter identity database cannot query the directory.

However, the vSphere Client UI relies exclusively on the configured LDAP bind parameters (Base DN, Username, Password) specified during the ADFS federation setup to populate the Users and Groups tab.

When this specific bind account becomes locked, the LDAP query fails, triggering the SSO service error.

The screenshot accompanying this article shows the locked account: in the account properties, the "Unlock account" option is grayed out, and the account is reported as currently locked out on the listed Active Directory Domain Controller.

Resolution

  • Access the Active Directory environment and unlock the specific service account utilized for the LDAP bind within the vCenter ADFS configuration.

  • If the service account password requires a reset, update the credentials within vCenter.

    • Navigate to Administration > Single Sign-On > Configuration > Identity Provider.

    • Edit the ADFS Identity Provider configuration.

    • Update the password in the Users and Groups panel for the Active Directory over LDAP connection.

  • Return to Users and Groups to confirm that directory enumeration is restored.
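The following PowerShell is an added example, not part of this article or of VMware's own tooling. It covers the two practical questions raised by the Cause and Resolution sections above: on which domain controller the bind account is locked (lockoutTime and badPwdCount are per-DC attributes that are not replicated, so a single query against one DC can miss the lockout), and whether the password vCenter stores still binds after the unlock. It assumes the ActiveDirectory RSAT module, an operator session with rights to read and unlock the account, and a placeholder account name (svc-vcenter-ldap) that must be replaced with the bind user configured in the ADFS identity provider. One caveat worth checking before unlocking: if the stored bind password in vCenter is stale, the appliance's own repeated bind attempts will lock the account again, so the caller recorded in the PDC emulator's Security log event 4740 should be confirmed first.

```powershell
# Added example (not from the KB). Locate and clear the lockout on the LDAP bind
# account used by the vCenter ADFS identity provider, then verify the bind works.
Import-Module ActiveDirectory

# Placeholder: the LDAP bind username configured in vCenter for the ADFS provider
$BindAccount = 'svc-vcenter-ldap'
$Pdc = (Get-ADDomain).PDCEmulator

# lockoutTime and badPwdCount are not replicated, so query every DC individually
$report = foreach ($dc in (Get-ADDomainController -Filter *)) {
    $u = Get-ADUser -Identity $BindAccount -Server $dc.HostName `
         -Properties LockedOut, lockoutTime, badPwdCount, LastBadPasswordAttempt, PasswordExpired
    [pscustomobject]@{
        DomainController       = $dc.HostName
        LockedOut              = $u.LockedOut
        LockoutTime            = if ($u.lockoutTime) { [DateTime]::FromFileTime($u.lockoutTime) } else { $null }
        BadPwdCount            = $u.badPwdCount
        LastBadPasswordAttempt = $u.LastBadPasswordAttempt
        PasswordExpired        = $u.PasswordExpired
    }
}
$report | Sort-Object LockoutTime -Descending | Format-Table -AutoSize

# The DC with the highest badPwdCount / latest LastBadPasswordAttempt recorded the
# failures. Event 4740 on the PDC emulator names the caller computer; if that is the
# vCenter appliance, the stored password is stale and must be updated in vCenter or
# the account will lock again shortly after being unlocked.
Get-WinEvent -ComputerName $Pdc -FilterHashtable @{ LogName = 'Security'; Id = 4740 } -MaxEvents 20 |
    Where-Object { $_.Message -match [regex]::Escape($BindAccount) } |
    Select-Object TimeCreated, Message | Format-List

if ($report.LockedOut -contains $true) {
    # Unlock on the PDC emulator so the change is authoritative on replication
    Unlock-ADAccount -Identity $BindAccount -Server $Pdc
    Write-Host "Unlocked $BindAccount on $Pdc"
}

# Verify the bind with the credential vCenter stores (prompted, never hard-coded).
# An authenticated LDAP query as the bind account is the same operation the
# Users and Groups panel performs.
$cred = Get-Credential -Message "Password configured in vCenter for $BindAccount"
try {
    $null = Get-ADUser -Identity $BindAccount -Credential $cred -Server $Pdc -ErrorAction Stop
    Write-Host "LDAP bind as $BindAccount succeeded"
} catch {
    Write-Warning "Bind failed: $($_.Exception.Message). Reset the password and update it in vCenter."
}
```

Run this from a domain-joined management host before and after performing the unlock in the Resolution steps; a successful bind at the end confirms that the credential stored in the Identity Provider configuration matches Active Directory, which is the condition the Users and Groups panel depends on.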