Active Directory account locks out when changing the Bind User in VMware Identity Manager 3.3.7

Article ID: 441921

Products

VCF Operations/Automation (formerly VMware Aria Suite)

Issue/Introduction

When attempting to change the Bind User in the directory configuration wizard, the new Active Directory bind account becomes locked out. The "Test Connection" button succeeds, but saving the configuration triggers multiple authentication failures.

Environment

VMware Identity Manager 3.3.7

Cause

When you change the Bind User in the directory configuration wizard and click through to Step 3, the connector internally re-validates the credentials. At this point the UI sends the password field as a masked placeholder rather than the actual password. The placeholder-replacement logic then substitutes the currently saved (old) bind user's password and pairs it with the new Bind DN, producing a credential mismatch.

This mismatched credential is sent to Active Directory multiple times (once per retry, on each connector node), which exhausts the Active Directory lockout threshold and locks out the new bind account. The "Test Connection" button is unaffected because it uses the real password entered in the form rather than the placeholder.

Resolution

To change the Bind User without causing lockouts, perform the following steps during a maintenance window. Ensure you have the Active Directory credentials for both the current and new bind users available.

  1. Update domain_krb.properties on all connector nodes

     You must first correct the domain_krb.properties file if it contains decommissioned Domain Controllers. On each of the three nodes, log in as root and open the file:

     vi /usr/local/horizon/conf/domain_krb.properties

     Replace the existing domain line with only your current active DCs. Save the file, but do not restart the service yet.

  2. Temporarily set both bind accounts to the same password

     Before making any changes in VMware Identity Manager, go to Active Directory and set the new bind account's password to match the current bind account's password. This ensures that even if the system substitutes the old password during validation, the authentication will succeed.

  3. Change the Bind User in the UI

     Log in to the connector admin UI and navigate to Directory > Edit. Change the Bind DN to the new account and enter the shared password in the password field. Click Test Connection (this must succeed), and then click Save / Next through all remaining steps.

  4. Restore the new bind account's password in Active Directory

     In Active Directory, change the new bind account's password to its intended final password.

  5. Update the password in the UI

     In the connector admin UI, return to Directory > Edit. Keep the same Bind DN, but update the password field to the new final password. Click Test Connection, then Save. This second update changes only the password, bypassing the placeholder substitution issue.

  6. Verify the configuration

     Confirm the directory sync completes without errors, check that no Active Directory account lockouts occurred, and test user login.
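A pre-check for step 1, added here as an example and not part of VMware's product or this article: it lists the Domain Controllers named in domain_krb.properties on a connector node and reports any that no longer answer on their LDAP port, so stale entries can be removed before the Bind User change. It assumes the domain line has the form `example.com=dc01.example.com:389,dc02.example.com:389` (port optional, 389 assumed when absent) and that `nc` is available on the node.

```shell
#!/bin/sh
# Added example (not VMware's code). Assumed format of the domain line:
#   example.com=dc01.example.com:389,dc02.example.com:389
# Every non-comment key=value line is treated as a list of host[:port] entries.
KRB_FILE="${KRB_FILE:-/usr/local/horizon/conf/domain_krb.properties}"

# Print one "host port" pair per line for every DC listed in the file.
list_dcs() {
    grep -v '^[[:space:]]*#' "$1" | grep '=' | cut -d'=' -f2- | tr ',' '\n' |
    while IFS= read -r entry; do
        entry=$(printf '%s' "$entry" | tr -d '[:space:]')
        [ -n "$entry" ] || continue
        host=${entry%%:*}
        port=${entry##*:}
        [ "$port" = "$entry" ] && port=389   # no explicit port: plain LDAP assumed
        printf '%s %s\n' "$host" "$port"
    done
}

# Succeed when the DC accepts a TCP connection on its LDAP port within 3 seconds.
dc_reachable() {
    nc -z -w 3 "$1" "$2" >/dev/null 2>&1
}

# Report each DC as OK or STALE; return non-zero if any listed DC is unreachable.
check_dcs() {
    rc=0
    for pair in $(list_dcs "$1" | tr ' ' ':'); do
        host=${pair%:*}
        port=${pair#*:}
        if dc_reachable "$host" "$port"; then
            echo "OK    $host:$port"
        else
            echo "STALE $host:$port (remove from the domain line before step 1)"
            rc=1
        fi
    done
    return $rc
}

# Run the check when the properties file is present on this node.
if [ -f "$KRB_FILE" ]; then
    check_dcs "$KRB_FILE"
fi
```

Run it on each connector node before editing the file; a non-zero exit means at least one listed DC did not answer and should be reviewed.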