You log in to a vCenter Server component from the vSphere Web Client. You use your Active Directory user name and password. Authentication fails.
Problem
You add an Active Directory identity source to vCenter Single Sign-On, but users cannot log in to vCenter Server.
Cause
Users use their user name and password to log in to the default domain. For all other domains, users must include the domain name (user@domain or DOMAIN\user).
If you are using the vCenter Server Appliance, other problems might exist.
Solution
For all vCenter Single Sign-On deployments, you can change the default identity source. After that change, users can log in to the default identity source with user name and password only.
To configure your Integrated Windows Authentication identity source with a child domain within your Active Directory forest, see VMware Knowledge Base article 2070433. By default, Integrated Windows Authentication uses the root domain of your Active Directory forest.
- Synchronize the clocks between the vCenter Server Appliance and the Active Directory domain controllers.
- Verify that each domain controller has a pointer record (PTR) in the Active Directory domain DNS service, and that the PTR record information for the domain controller matches the DNS name of the controller. When using the vCenter Server Appliance, run the following commands to perform the task:
  - To list the domain controllers, run the following command:
    # dig SRV _ldap._tcp.my-ad.com
    The relevant addresses are in the answer section, as in the following example:
    ;; ANSWER SECTION: _ldap._tcp.my-ad.com. (...) my-controller.my-ad.com ...
  - For each domain controller, verify forward and reverse resolution by running the following commands:
    # dig my-controller.my-ad.com
    The relevant addresses are in the answer section, as in the following example:
    ;; ANSWER SECTION: my-controller.my-ad.com (...) IN A controller IP address ...
    # dig -x <controller IP address>
    The relevant addresses are in the answer section, as in the following example:
    ;; ANSWER SECTION: IP-in-reverse.in-addr.arpa. (...) IN PTR my-controller.my-ad.com ...
- If that does not resolve the problem, remove the vCenter Server Appliance from the Active Directory domain and then rejoin the domain. See the vCenter Server Appliance Configuration documentation.
- Close all browser sessions connected to the vCenter Server Appliance and restart all services.
/bin/service-control --stop --all
/bin/service-control --start --all
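The forward/reverse consistency check from the DNS steps above, as an added Python example that is not part of the VMware documentation: it parses saved dig answer sections for the SRV, A and PTR queries and flags any controller whose PTR record names a different host. The dig output, the domain my-ad.com and the controller names below are constructed placeholders; names are compared case-insensitively and without the trailing dot dig prints, which is where hand comparison usually goes wrong.

```python
"""Cross-check domain controller DNS records from saved dig output. Added example,
not part of the VMware documentation; sample outputs and my-ad.com are constructed."""

def normalize(name):
    """Lowercase and drop the trailing dot that dig prints on qualified names."""
    return name.rstrip(".").lower()

def answer_records(dig_output, rtype):
    """Yield (owner, rdata fields) for records of type rtype in the ANSWER SECTION."""
    in_answer = False
    for line in dig_output.splitlines():
        if line.startswith(";"):  # dig comment lines delimit the sections
            in_answer = line.startswith(";; ANSWER SECTION")
            continue
        fields = line.split()  # owner ttl class type rdata...
        if in_answer and len(fields) >= 5 and fields[3] == rtype:
            yield normalize(fields[0]), fields[4:]

def srv_targets(srv_output):
    """Controller host names from _ldap._tcp SRV rdata (priority weight port target)."""
    return [normalize(r[3]) for _, r in answer_records(srv_output, "SRV")]

def check_controller(host, a_output, ptr_output):
    """Problems for one controller: missing A, missing PTR, or a PTR naming another host."""
    problems = []
    if not [r for owner, r in answer_records(a_output, "A") if owner == host]:
        problems.append(f"{host}: no A record in forward lookup")
    ptrs = [normalize(r[0]) for _, r in answer_records(ptr_output, "PTR")]
    if not ptrs:
        problems.append(f"{host}: no PTR record in reverse lookup")
    elif host not in ptrs:
        problems.append(f"{host}: PTR names {', '.join(ptrs)} instead")
    return problems

def run_checks(srv_output, a_outputs, ptr_outputs):
    """Map each controller listed in the SRV answer to its list of problems."""
    return {h: check_controller(h, a_outputs.get(h, ""), ptr_outputs.get(h, ""))
            for h in srv_targets(srv_output)}

# Constructed dig output: two controllers; dc2's PTR still names a retired host.
SRV_OUT = (";; ANSWER SECTION:\n_ldap._tcp.my-ad.com. 600 IN SRV 0 100 389 dc1.my-ad.com.\n"
           "_ldap._tcp.my-ad.com. 600 IN SRV 0 100 389 DC2.my-ad.com.\n")
A_OUT = {"dc1.my-ad.com": ";; ANSWER SECTION:\ndc1.my-ad.com. 3600 IN A 10.0.0.11\n",
         "dc2.my-ad.com": ";; ANSWER SECTION:\ndc2.my-ad.com. 3600 IN A 10.0.0.12\n"}
PTR_OUT = {"dc1.my-ad.com": ";; ANSWER SECTION:\n11.0.0.10.in-addr.arpa. 3600 IN PTR dc1.my-ad.com.\n",
           "dc2.my-ad.com": ";; ANSWER SECTION:\n12.0.0.10.in-addr.arpa. 3600 IN PTR oldname.my-ad.com.\n"}

if __name__ == "__main__":
    for host, problems in run_checks(SRV_OUT, A_OUT, PTR_OUT).items():
        print(host, "OK" if not problems else "; ".join(problems))
```

To run it against a real appliance, save the output of each dig command from the steps above to a file and pass its text in place of the constructed strings.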