Users are unable to log in to VMware Cloud Foundation (VCF) environments using Active Directory (AD) accounts. Attempting to update the LDAPS service account to a temporary account via the SDDC Manager UI results in the following error message:
"Failed to create/update embedded identity source. Identity Provider internal server error"
Investigation of /var/log/vmware/vcf/commonsvcs/vcf-commonsvcs.log on the SDDC Manager shows that the system keeps attempting to authenticate with the old service account even though a new account has been specified in the UI.
VMware Cloud Foundation (VCF) 9.0
VMware Cloud Foundation (VCF) 5.2
SDDC Manager
vCenter Server
The initial login failure is caused by the configured LDAPS service account being locked out in Active Directory, preventing vCenter from querying the LDAPS server. The subsequent failure to update the service account is due to a known issue where vCenter and SDDC Manager fail to update the embedded identity source and continue to reference the old, locked-out account.
Removing and recreating the identity source bypasses the update failure and clears the cached reference to the locked-out account, so the new service account credentials are applied and AD authentication is restored.
1. Take offline snapshots of vCenter Server and SDDC Manager.
2. Remove the existing identity source via the UI.
3. Configure a new identity source using the temporary AD account, which must have at least read-only permissions.
4. Verify that AD login functionality is restored.
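Before configuring the new identity source, it is worth confirming on the AD side that the old account really is locked out and that the temporary account can bind over LDAPS and perform a read-only search, which is what vCenter does when it queries the identity source. The following is an added pre-check and is not part of this KB or of VMware's tooling; it assumes the ActiveDirectory RSAT module on a Windows admin host, and the account names, domain controller, UPN suffix and base DN are placeholders to replace with your own.

```powershell
# Added example (not from the KB): AD-side pre-checks before re-creating the identity source.
# Placeholder values: account names, DC hostname, UPN suffix and base DN.
Import-Module ActiveDirectory

$OldAccount  = 'svc-vcf-ldaps'        # placeholder: the locked-out LDAPS service account
$TempAccount = 'svc-vcf-ldaps-temp'   # placeholder: the temporary read-only account
$LdapsServer = 'dc01.corp.example'    # placeholder: a domain controller with LDAPS (636) enabled
$BaseDn      = 'DC=corp,DC=example'   # placeholder: domain base DN

# 1. Confirm the lockout state of the old account (the root cause described above).
Get-ADUser -Identity $OldAccount -Properties LockedOut, BadPwdCount, LastBadPasswordAttempt |
    Select-Object SamAccountName, LockedOut, BadPwdCount, LastBadPasswordAttempt

# 2. Confirm the temporary account is usable before handing it to SDDC Manager.
$temp = Get-ADUser -Identity $TempAccount -Properties LockedOut, Enabled, PasswordExpired
if ($temp.LockedOut -or -not $temp.Enabled -or $temp.PasswordExpired) {
    throw "$TempAccount is not usable: LockedOut=$($temp.LockedOut) Enabled=$($temp.Enabled) PasswordExpired=$($temp.PasswordExpired)"
}

# 3. Simple bind over LDAPS (port 636) with the temporary account, followed by a
#    read-only base search; a locked or under-privileged account fails here, not in SDDC Manager.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$cred = Get-Credential -UserName "$TempAccount@corp.example" -Message 'Temporary LDAPS account password'
$id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($LdapsServer, 636)
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id, $cred.GetNetworkCredential(), 'Basic')
$conn.SessionOptions.SecureSocketLayer = $true   # must be set before Bind()
$conn.SessionOptions.ProtocolVersion   = 3
$conn.Bind()   # throws LdapException (invalid credentials, locked account, TLS failure) on error

$req  = New-Object System.DirectoryServices.Protocols.SearchRequest($BaseDn, '(objectClass=domain)', 'Base', 'distinguishedName')
$resp = $conn.SendRequest($req)
"LDAPS bind and base search OK: $($resp.Entries.Count) entry returned for $BaseDn"
$conn.Dispose()
```

If step 3 fails with an invalid-credentials or lockout error, fix the account in AD first; re-creating the identity source with an account that cannot bind will reproduce the original login failure.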
Note: Using Identity Broker (IDB) in VCF 9.0 avoids this issue in the future as the underlying update failure has been resolved in that architecture.