VCF SSO login fails after upgrade to VCF 9.1

Article ID: 442139

Products

VCF Operations

Issue/Introduction

  • VCF SSO is configured with VMware Identity Broker (VIDB).
  • After the upgrade to VCF 9.1, VCF SSO login fails.
  • The VIDB container in VMSP logs messages similar to the following:
     
    ERROR accesscontrol 14 [vidb@4413 threadName="threalPoolTaskScheduler-2" logger="com.vmware.vidm.usergroup.service.broker.connector.ActiveDirectoryServiceImpl" scPath="vidb/APPLIANCE"] <AD IP addresses>:389 java.net.SocketTimeoutException: Connect timed out

Environment

VCF Operations 9.1

Cause

This issue is caused by a change in the outbound communication source IP address following the upgrade, which conflicts with existing firewall security policies.

After upgrading to version 9.1, when the vIDB container initiates LDAP/LDAPS requests to the Active Directory, the source IP address of its outbound traffic changes. Instead of using the previous source address format, it now uses the Node IP of the host where the container is running.

Since the existing firewall policies only allowed the legacy source address to access AD ports (such as TCP 389/636), the connection requests originating from the Node IP are dropped or blocked by the firewall. Consequently, the vIDB container fails to communicate with the AD server, leading to VCF SSO authentication failures.

Resolution

To restore VCF SSO functionality, the network firewall policies must be updated to accommodate the new source IP:

  1. Identify Node IPs: Determine the physical IP addresses (Node IPs) of the hosts running the vIDB/vIDM services.

  2. Update Firewall Rules: Contact your network or security administration team to modify the firewall Access Control Lists (ACLs).

  3. Allow Traffic: Whitelist the identified Node IPs, allowing them as valid source addresses to access the Active Directory server via the required ports (e.g., TCP 389 for standard LDAP or TCP 636 for LDAPS).
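The following script is an added example, not part of this KB article or of any VMware tooling. It ties the three steps together: it scans VIDB container log text for the `SocketTimeoutException` entries shown above to extract the AD endpoints that are being blocked, then expands the identified Node IPs into the exact source/destination/port allow entries the firewall team needs, and finally offers an optional live TCP check that binds to a given Node IP so you can confirm the rule change took effect. The log sample, the Node IPs (10.0.0.x) and the AD addresses (192.0.2.x) are constructed placeholders.

```python
import re
import socket

# Constructed sample of VIDB container log output, modelled on the message
# quoted in the KB. Addresses and thread names are placeholders.
SAMPLE_LOG = """\
INFO  accesscontrol 14 [vidb@4413 threadName="threadPoolTaskScheduler-1" logger="com.vmware.vidm.startup" scPath="vidb/APPLIANCE"] startup complete
ERROR accesscontrol 14 [vidb@4413 threadName="threadPoolTaskScheduler-2" logger="com.vmware.vidm.usergroup.service.broker.connector.ActiveDirectoryServiceImpl" scPath="vidb/APPLIANCE"] 192.0.2.10:389 java.net.SocketTimeoutException: Connect timed out
ERROR accesscontrol 14 [vidb@4413 threadName="threadPoolTaskScheduler-3" logger="com.vmware.vidm.usergroup.service.broker.connector.ActiveDirectoryServiceImpl" scPath="vidb/APPLIANCE"] 192.0.2.11:636 java.net.SocketTimeoutException: Connect timed out
ERROR accesscontrol 14 [vidb@4413 threadName="threadPoolTaskScheduler-2" logger="com.vmware.vidm.usergroup.service.broker.connector.ActiveDirectoryServiceImpl" scPath="vidb/APPLIANCE"] 192.0.2.10:389 java.net.SocketTimeoutException: Connect timed out
"""

# Matches the AD connector's connect-timeout line: "<host>:<port> java.net.SocketTimeoutException"
LDAP_TIMEOUT_RE = re.compile(
    r'ActiveDirectoryServiceImpl"[^\]]*\]\s+'
    r"(?P<host>[A-Za-z0-9.\-]+):(?P<port>\d+)\s+java\.net\.SocketTimeoutException"
)


def blocked_ad_endpoints(log_text: str) -> list[tuple[str, int]]:
    """Return the unique (host, port) AD endpoints that timed out, in first-seen order."""
    seen: dict[tuple[str, int], None] = {}
    for line in log_text.splitlines():
        m = LDAP_TIMEOUT_RE.search(line)
        if m:
            seen[(m.group("host"), int(m.group("port")))] = None
    return list(seen)


def required_allow_rules(node_ips: list[str], endpoints: list[tuple[str, int]]) -> list[dict]:
    """Expand Node IPs x AD endpoints into the allow entries the firewall needs (TCP only:
    LDAP 389 and LDAPS 636 are TCP services)."""
    return [
        {"src": node_ip, "dst": host, "port": port, "proto": "tcp"}
        for node_ip in node_ips
        for host, port in endpoints
    ]


def render_rules(rules: list[dict]) -> list[str]:
    """Human-readable one-liners suitable for a change request to the firewall team."""
    return [f"allow {r['proto']} from {r['src']} to {r['dst']} port {r['port']}" for r in rules]


def check_tcp_from_source(src_ip: str, host: str, port: int, timeout: float = 3.0) -> bool:
    """Live verification (needs network): open a TCP connection bound to src_ip so the
    firewall sees the Node IP as source, exactly as the vIDB container does after 9.1."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.bind((src_ip, 0))
            s.connect((host, port))
            return True
        except OSError:
            return False


if __name__ == "__main__":
    # Hypothetical Node IPs of the hosts running vIDB; replace with values from step 1.
    node_ips = ["10.0.0.5", "10.0.0.6"]
    endpoints = blocked_ad_endpoints(SAMPLE_LOG)
    for line in render_rules(required_allow_rules(node_ips, endpoints)):
        print(line)
```

After the ACL change, run `check_tcp_from_source(node_ip, ad_host, port)` from each node; a `True` for every Node IP / AD endpoint pair means the firewall now accepts the new source address and vIDB's LDAP/LDAPS connections should stop timing out.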

Once the firewall rules are updated and network connectivity is restored, vIDB will be able to successfully communicate with the AD server, and VCF SSO will function normally.