vCenter Server Appliance (VCSA) drops connection to Active Directory and fails to rejoin.
GUI domain join attempts generate the following error: Idm client exception: Error trying to join AD, error code [31], user [<REDACTED_USER>], domain [<REDACTED_DOMAIN>], orgUnit []
CLI domain join attempts via domainjoin-cli generate the following error: Error: ERROR_GEN_FAILURE [code 0x0000001f] (0x1f is decimal 31, the same error code the GUI reports).
Users are unable to log into the vCenter Server. CLI join attempts may show symptoms of incorrect passwords despite using verified Active Directory credentials.
vCenter Server Appliance 8.0.x
The environment is attempting to use Integrated Windows Authentication (IWA) for identity management. IWA is deprecated in vSphere. Its underlying service dependencies (Likewise I/O) are susceptible to compatibility issues with modern Active Directory security postures, and this prevents the VCSA from completing the RPC/SMB negotiation required to establish a machine trust account.
Abandon the deprecated Integrated Windows Authentication (IWA) methodology.
Do not attempt to join the VCSA operating system to the Active Directory domain using the GUI or domainjoin-cli.
Configure Active Directory as an Identity Source using LDAPS (Lightweight Directory Access Protocol over SSL) within the vCenter Single Sign-On (SSO) configuration to restore user authentication.
For instructions on configuring LDAPS, refer to the vSphere Authentication official documentation regarding Active Directory over LDAP Identity Source configuration.
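Before attaching the identity source, a pre-flight check of the domain controller's LDAPS certificate catches the usual LDAPS-side failures (SAN does not cover the FQDN in the LDAPS URL, expired certificate, certificate not issued by the CA you upload to SSO). The following is an added example, not code from the KB or from vCenter; dc_fqdn, ca_file and the constructed certificate values are assumptions.

```python
"""Pre-flight check for an AD-over-LDAPS identity source: connect to the DC on
tcp/636, validate the chain against the CA certificate you will upload to SSO,
and confirm the SAN covers the FQDN used in ldaps://<dc_fqdn>:636.
Hypothetical helper; dc_fqdn and ca_file are assumed inputs, not KB values."""
import socket
import ssl
import time

LDAPS_PORT = 636


def _name_matches(pattern: str, fqdn: str) -> bool:
    """Exact match, or a single-label wildcard in the leftmost position only."""
    pattern, fqdn = pattern.lower().rstrip("."), fqdn.lower().rstrip(".")
    if pattern == fqdn:
        return True
    if pattern.startswith("*.") and fqdn.count(".") == pattern.count("."):
        return fqdn.split(".", 1)[1] == pattern[2:]
    return False


def check_cert(cert: dict, dc_fqdn: str, now_ts=None) -> list:
    """Inspect a cert dict as returned by ssl getpeercert(); return a list of
    findings (empty list means the cert is usable for the LDAPS identity source)."""
    now_ts = time.time() if now_ts is None else now_ts
    findings = []
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not sans:
        findings.append("no DNS subjectAltName (modern TLS stacks ignore the CN)")
    elif not any(_name_matches(s, dc_fqdn) for s in sans):
        findings.append(f"SAN {sans} does not cover {dc_fqdn}")
    if now_ts < ssl.cert_time_to_seconds(cert["notBefore"]):
        findings.append(f"certificate not valid before {cert['notBefore']}")
    if now_ts > ssl.cert_time_to_seconds(cert["notAfter"]):
        findings.append(f"certificate expired on {cert['notAfter']}")
    return findings


def fetch_and_check(dc_fqdn: str, ca_file: str) -> list:
    """Connect to the DC, validating the chain against ca_file (the CA cert you
    will attach to the identity source). Hostname matching is left to
    check_cert so a SAN mismatch is reported as a finding rather than raised."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((dc_fqdn, LDAPS_PORT), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=dc_fqdn) as tls:
            return check_cert(tls.getpeercert(), dc_fqdn)
```

A chain-validation failure raises ssl.SSLCertVerificationError from fetch_and_check, which means the uploaded CA certificate would not validate the DC either.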
Related KB: https://knowledge.broadcom.com/external/article?legacyId=2041378