AD User Login Failure in VMware Identity Manager (vIDM) when using Global Catalog with sAMAccountName

Article ID: 436784

Products

VCF Operations

Issue/Introduction

Active Directory (AD) users are unable to log in to VMware Identity Manager (vIDM).

The following symptoms are observed:

  • The message 'Your username or password is incorrect' is displayed in the web UI at login.
  • The environment is a multi-domain forest.
  • 'This Directory has a Global Catalog' was selected when the directory was added.
  • 'Directory Search Attribute' is configured as 'SAMAccountName'.
  • workspace.log shows the user lookup completing and then failing:
    INFO : com.vmware.horizon.directory.ldap.LdapConnector - Query Completed for SearchDN - SearchFilter - (&(objectCategory=person)(sAMAccountName=<user name>))
    INFO : com.vmware.horizon.directory.ldap.LdapDirectoryService - User <user name>@xxx.xxx not found under base DN - FAILURE

Environment

VMware Identity Manager 3.3.7

Cause

The issue occurs because the directory is configured to use the Global Catalog while the Directory Search Attribute is set to sAMAccountName, a combination that is not recommended.

(Hint: It is advisable to use UPN as the Search Attribute.)

When the Global Catalog is used for multi-domain forest searches, the lookup needs an identifier that is unique across the entire forest. sAMAccountName is only guaranteed to be unique within a single domain, so using it in this context frequently results in search failures.
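The following is an added example, not code from the VMware article or from vIDM itself. It does two things: it scans constructed workspace.log-style lines for the query/failure pair shown under Symptoms and flags lookups that used sAMAccountName against a Global Catalog-backed directory, and it uses a constructed two-domain forest to show why sAMAccountName is not a safe forest-wide key while userPrincipalName is. All log lines, user names and domain names below are constructed for the example.

```python
"""Added example (not part of the VMware KB article or the vIDM product).

scan_workspace_log()  - pairs each LdapConnector query with the
                        LdapDirectoryService result that follows it and
                        reports failed lookups that used an attribute which
                        is not unique across a forest (i.e. sAMAccountName).
resolve_in_forest()   - Global Catalog-style lookup over a constructed
                        two-domain forest.
is_forest_unique()    - checks whether an attribute's values are unique
                        across that forest.
"""
import re
from dataclasses import dataclass

# Matches the filter format seen in the article's log line and captures the
# attribute vIDM searched on (sAMAccountName or userPrincipalName).
FILTER_RE = re.compile(
    r"SearchFilter - \(&\(objectCategory=person\)\((?P<attr>\w+)=(?P<value>[^)]*)\)\)"
)
FAILURE_RE = re.compile(
    r"LdapDirectoryService - User (?P<user>\S+) not found under base DN - FAILURE"
)

# Attributes that are unique across a whole forest. sAMAccountName is only
# unique within one domain, so it is deliberately absent from this set.
FOREST_UNIQUE_ATTRS = {"userprincipalname"}


@dataclass
class Finding:
    user: str
    attr: str
    recommendation: str


def scan_workspace_log(lines, global_catalog=True):
    """Return a Finding for each failed lookup that used a non-forest-unique
    search attribute while the directory is backed by the Global Catalog."""
    findings = []
    last_attr = None
    for line in lines:
        m = FILTER_RE.search(line)
        if m:
            last_attr = m.group("attr")  # remember the attribute of the query
            continue
        f = FAILURE_RE.search(line)
        if f and last_attr and global_catalog \
                and last_attr.lower() not in FOREST_UNIQUE_ATTRS:
            findings.append(Finding(
                user=f.group("user"),
                attr=last_attr,
                recommendation="Set Directory Search Attribute to userPrincipalName",
            ))
        last_attr = None  # a result line closes the current query
    return findings


# Constructed forest: a root domain and a child domain, each with a user whose
# sAMAccountName is "jdoe". Their UPNs are distinct.
FOREST = [
    {"dn": "CN=Jane Doe,OU=Users,DC=corp,DC=example",
     "sAMAccountName": "jdoe", "userPrincipalName": "jdoe@corp.example"},
    {"dn": "CN=John Doe,OU=Users,DC=eu,DC=corp,DC=example",
     "sAMAccountName": "jdoe", "userPrincipalName": "jdoe@eu.corp.example"},
]


def resolve_in_forest(attr, value, entries=FOREST):
    """Forest-wide (Global Catalog-style) lookup; returns every matching DN.
    More than one DN means the attribute cannot identify the user."""
    return [e["dn"] for e in entries if e.get(attr, "").lower() == value.lower()]


def is_forest_unique(attr, entries=FOREST):
    """True if no two entries in the forest share a value for `attr`."""
    values = [e[attr].lower() for e in entries if attr in e]
    return len(values) == len(set(values))


# Constructed workspace.log excerpt modelled on the lines in the article.
SAMPLE_LOG = [
    "2024-01-01 10:00:00,000 INFO : com.vmware.horizon.directory.ldap.LdapConnector - "
    "Query Completed for SearchDN - SearchFilter - (&(objectCategory=person)(sAMAccountName=jdoe))",
    "2024-01-01 10:00:00,010 INFO : com.vmware.horizon.directory.ldap.LdapDirectoryService - "
    "User jdoe@corp.example not found under base DN - FAILURE",
    "2024-01-01 10:01:00,000 INFO : com.vmware.horizon.directory.ldap.LdapConnector - "
    "Query Completed for SearchDN - SearchFilter - (&(objectCategory=person)(userPrincipalName=asmith@corp.example))",
    "2024-01-01 10:01:00,005 INFO : com.vmware.horizon.directory.ldap.LdapDirectoryService - "
    "User asmith@corp.example not found under base DN - FAILURE",
]

if __name__ == "__main__":
    for finding in scan_workspace_log(SAMPLE_LOG):
        print(f"{finding.user}: searched by {finding.attr}; {finding.recommendation}")
    print("sAMAccountName=jdoe ->", resolve_in_forest("sAMAccountName", "jdoe"))
    print("UPN unique across forest:", is_forest_unique("userPrincipalName"))
```

Only the first failure is reported: the second lookup already used userPrincipalName, so the attribute is not the cause and the scanner stays silent. In the constructed forest the sAMAccountName lookup returns two DNs, one per domain, which is exactly the ambiguity the article's guidance avoids by switching to UPN.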

Resolution

To resolve this, reconfigure the directory to use userPrincipalName (UPN) as the Directory Search Attribute.

  1. Log in to the VMware Identity Manager admin interface.
  2. Navigate to Identity & Access Management > Directories.
  3. Select the affected Active Directory and delete the directory configuration.
  4. Add the directory again with the following settings:
     • Ensure 'This Directory has a Global Catalog' is enabled.
     • Set the Directory Search Attribute to userPrincipalName.
  5. Once the directory is re-added, initiate a Sync to update the user database.
  6. Verify the fix by attempting a user login.