HCX migration fails with InvalidLogin error due to vCenter IWA identity source timeout
Article ID: 440995


Products

VMware HCX

Issue/Introduction

  • VMware HCX migration jobs fail during the authentication phase when connecting to the vCenter Server. Although the correct credentials are supplied, the HCX migration manager reports a login failure.
  • vCenter is configured with Integrated Windows Authentication (IWA) as its identity source.
  • The following error is observed in the HCX log /common/logs/admin/app.log:

    ERROR c.v.v.h.a.vcenter.VcConnection- Error Logging onto VCenter... User:[email protected], message: Cannot complete login due to an incorrect user name or password.

  • The vCenter log /var/log/vmware/sso/vmware-identity-sts.log reports a username/password error:

    [USER_NAME_PWD_AUTH_FAILED]

  • The same vCenter log /var/log/vmware/sso/vmware-identity-sts.log indicates a failure to bind to the domain controller:

    error code: -5 reason [Timed out]

  • The vCenter log /var/log/vmware/syslog shows Kerberos/GSS-API errors:

    GSS-API error calling gss_init_sec_context: 40157.
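A small triage script, added here as an example and not part of this article or of any VMware tooling, that scans the three logs named above for the four signatures and separates the IWA domain-controller timeout this article describes from a plain bad-password failure. The sample log lines are constructed and modelled on the excerpts above; the service account name in them is invented.

```python
import re

# Signature patterns taken from the log excerpts quoted in this article.
SIGNATURES = {
    "hcx_login_failed": re.compile(
        r"VcConnection- Error Logging onto VCenter.*incorrect user name or password"),
    "sts_pwd_failed": re.compile(r"\[USER_NAME_PWD_AUTH_FAILED\]"),
    "sts_dc_timeout": re.compile(r"error code: -5 reason \[Timed out\]"),
    "gss_api_error": re.compile(r"GSS-API error calling gss_init_sec_context"),
}


def scan(lines):
    """Return the set of signature names that match any of the given log lines."""
    found = set()
    for line in lines:
        for name, pattern in SIGNATURES.items():
            if pattern.search(line):
                found.add(name)
    return found


def classify(hcx_lines, sts_lines, syslog_lines):
    """Correlate app.log, vmware-identity-sts.log and syslog into one verdict.

    iwa_dc_timeout: HCX login failed and SSO could not reach the DC (LDAP bind
    timeout or GSS-API error), the case this article describes.
    credential_failure: HCX login failed, SSO rejected the password, and no DC
    connectivity symptom is present, so the credentials themselves are suspect.
    """
    hits = scan(hcx_lines) | scan(sts_lines) | scan(syslog_lines)
    if "hcx_login_failed" not in hits:
        return "no_hcx_login_failure", hits
    if {"sts_dc_timeout", "gss_api_error"} & hits:
        return "iwa_dc_timeout", hits
    if "sts_pwd_failed" in hits:
        return "credential_failure", hits
    return "unclassified", hits


# Constructed sample lines modelled on the excerpts above (not real log output).
SAMPLE_HCX = ["2024-01-01T10:00:00Z ERROR c.v.v.h.a.vcenter.VcConnection- Error Logging onto "
              "VCenter... User:hcx-svc@example.local, message: Cannot complete login due to "
              "an incorrect user name or password."]
SAMPLE_STS = ["[USER_NAME_PWD_AUTH_FAILED]",
              "ldap bind failed, error code: -5 reason [Timed out]"]
SAMPLE_SYSLOG = ["sso: GSS-API error calling gss_init_sec_context: 40157."]
```

Point the three list arguments at the real files (for example `open(path).readlines()` on each log) to run it against a live HCX and vCenter pair.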

Environment

VMware HCX 4.x
VMware vCenter Server 8.x

Cause

The issue is caused by a communication failure between the vCenter Single Sign-On (SSO) service and the Active Directory domain controller. Even though the HCX user is local to vSphere, a vCenter configured with Integrated Windows Authentication (IWA) still attempts to validate identity provider metadata or Kerberos contexts over LDAP, and when that bind times out the login is reported as an incorrect username or password rather than as a connectivity failure.

Resolution

Since Integrated Windows Authentication (IWA) is deprecated and depends on a sensitive Kerberos configuration, the following steps are required to resolve the issue and align with VMware best practices:

  1. Migrate to AD over LDAP/LDAPS: Transition the identity source configuration from IWA to Active Directory over LDAP or Active Directory over LDAPS. This method does not require Kerberos for the vCenter-to-DC connection, so the GSS-API errors and secure-channel instability seen above no longer apply.
  2. Follow Migration Procedures: Execute the migration from IWA to AD over LDAP by following the detailed steps in Considerations when migrating a vCenter Identity Source from Integrated Windows Authentication to AD over LDAP / OpenLDAP.
  3. Decommission IWA: Once the new LDAP identity source is verified, remove the deprecated IWA configuration. This ensures that the vCenter identity manager no longer attempts to use the failing Kerberos contexts. For more details on IWA deprecation, refer to Removal of Integrated Windows Authentication (IWA).