vCenter Server login fails with domain and local accounts due to disabled LDAP service account

Article ID: 437305

Updated On:

Products

VMware vCenter Server

Issue/Introduction

Users are unable to access the vCenter Server management interface. Symptoms include:

  • The vCenter login page fails to load or hangs.

  • Login attempts fail for both Active Directory (AD) domain accounts and the local SSO administrator account (administrator@vsphere.local).

  • Error messages may indicate an internal server error or authentication service timeout.

Log location: /var/log/vmware/sso/ssoAdminServer.log

YYYY-MM-DDT.077Z ERROR ssoAdminServer[104:pool-2-thread-5] [OpId=########-####-####-####-############] [com.vmware.identity.idm.server.ServerUtils] cannot establish ldap connection with URI: [ldap://example.com:389] because [Invalid credentials] therefore will not attempt to use any secondary URIs
YYYY-MM-DDT.077Z ERROR ssoAdminServer[104:pool-2-thread-5] [OpId=########-####-####-####-############] [com.vmware.identity.idm.server.ServerUtils] Exception 'com.vmware.identity.idm.IDMLoginException: Failed to probe provider connectivity [URI: ldap://example.com:389 ]; tenantName [vsphere.local], userName [example\user01]'

Environment

  • VMware vCenter 7.x
  • VMware vCenter 8.x
  • VMware vCenter 9.x

Cause

The Active Directory service account used as the Bind User for the LDAP identity source was disabled. When the service account is disabled, the vCenter SSO service cannot authenticate against the directory. This leads to thread exhaustion or long timeouts within the SSO service, which subsequently blocks local authentication attempts (@vsphere.local) even though those accounts do not reside in AD.

This issue typically occurs when the Single Sign-On (SSO) service becomes unresponsive while attempting to communicate with an unavailable identity source.

Resolution

To restore access to vCenter, the service account must be re-enabled in Active Directory:

  1. Identify the Service Account: Coordinate with your Active Directory/Identity team to identify the account used for the vCenter LDAP integration.

  2. Enable the Account: In Active Directory Users and Computers (ADUC), locate the account, right-click it, and select Enable Account.

  3. Verify Password Status: Ensure the password has not expired and that the account is not locked.

  4. Validate Connectivity: Once the account is enabled, attempt to log in to vCenter using the local SSO administrator account (administrator@vsphere.local) first.

    • If the UI is still unresponsive, you may need to restart the Security Token Service (STS) and VMware Directory Service (vmdir) via the appliance shell:

    service-control --restart vmware-stsd
    service-control --restart vmware-vmdir
    
  5. Confirm Domain Login: Once local access is restored, verify that domain users can log in successfully.
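As an added triage helper that is not part of this article, the POSIX shell script below pulls the failing identity-source URI, the failure reason and the bind account out of ssoAdminServer.log (the entries quoted under Issue/Introduction), which gives the AD team the exact account to check in step 1 and a quick check to repeat after step 4. Function names and the sample log content are constructed for the example.

```shell
#!/bin/sh
# Added triage helper (not part of the KB): extracts the failing identity-source
# URI, the failure reason and the bind account from ssoAdminServer.log.
# Function names and the sample log lines are constructed for this example.

LOG_DEFAULT=/var/log/vmware/sso/ssoAdminServer.log

# One "URI|reason" line per failed LDAP connection attempt in the log file $1.
sso_bind_failures() {
    sed -n 's/.*cannot establish ldap connection with URI: \[\([^]]*\)\] because \[\([^]]*\)\].*/\1|\2/p' "$1"
}

# Distinct bind accounts the SSO service tried to use against the identity source.
sso_bind_users() {
    sed -n 's/.*Failed to probe provider connectivity \[URI:[^]]*\]; tenantName \[[^]]*\], userName \[\([^]]*\)\].*/\1/p' "$1" | sort -u
}

# Summarise the log; return 1 when "Invalid credentials" bind failures are present,
# which with this KB's symptoms points at a disabled, locked or expired bind account.
sso_triage() {
    log=${1:-$LOG_DEFAULT}
    failures=$(sso_bind_failures "$log")
    [ -n "$failures" ] || { echo "no LDAP bind failures in $log"; return 0; }
    echo "LDAP bind failures in $log:"
    echo "$failures" | sort | uniq -c
    echo "bind account(s) to check in AD:"
    sso_bind_users "$log" | sed 's/^/  /'
    echo "$failures" | grep -q '|Invalid credentials$' && return 1
    return 0
}

# Constructed sample log in the KB's format, written to a temp file; prints its path.
sso_sample_log() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
2024-01-01T00:00:00.077Z ERROR ssoAdminServer[104:pool-2-thread-5] [OpId=00000000-0000-0000-0000-000000000000] [com.vmware.identity.idm.server.ServerUtils] cannot establish ldap connection with URI: [ldap://example.com:389] because [Invalid credentials] therefore will not attempt to use any secondary URIs
2024-01-01T00:00:00.077Z ERROR ssoAdminServer[104:pool-2-thread-5] [OpId=00000000-0000-0000-0000-000000000000] [com.vmware.identity.idm.server.ServerUtils] Exception 'com.vmware.identity.idm.IDMLoginException: Failed to probe provider connectivity [URI: ldap://example.com:389 ]; tenantName [vsphere.local], userName [example\user01]'
2024-01-01T00:00:05.101Z INFO  ssoAdminServer[104:pool-2-thread-6] [OpId=00000000-0000-0000-0000-000000000001] [com.vmware.identity.idm.server.ServerUtils] unrelated informational entry
2024-01-01T00:01:00.200Z ERROR ssoAdminServer[104:pool-2-thread-7] [OpId=00000000-0000-0000-0000-000000000002] [com.vmware.identity.idm.server.ServerUtils] cannot establish ldap connection with URI: [ldap://example.com:389] because [Invalid credentials] therefore will not attempt to use any secondary URIs
EOF
    echo "$f"
}
```

Run `sso_triage` with no argument on the appliance to read the live log; a non-zero exit status is suitable as a monitoring check after the account has been re-enabled.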

Additional Information

To prevent this issue in the future, it is recommended to:

  • Use a dedicated service account for LDAP binding rather than an individual's user account.

  • Apply an AD policy to the service account so that the password does not expire.

  • Exempt service accounts from automated "inactive user" cleanup scripts.