You log in to a vCenter Server component from the vSphere Client or the vSphere Web Client. You use your Active Directory user name and password. Authentication fails.

Problem

You add an Active Directory identity source to vCenter Single Sign-On, but users cannot log in to vCenter Server.

Cause

Users can log in to the default domain with only their user name and password. For all other domains, users must include the domain name (user@domain or DOMAIN\user).

If you are using the vCenter Server Appliance, other problems might exist.

Solution

For all vCenter Single Sign-On deployments, you can change the default identity source. After that change, users can log in to the default identity source with user name and password only.

To configure your Integrated Windows Authentication identity source with a child domain within your Active Directory forest, see the VMware knowledge base article at http://kb.vmware.com/kb/2070433. By default, Integrated Windows Authentication uses the root domain of your Active Directory forest.

If you are using the vCenter Server Appliance, and changing the default identity source does not resolve the issue, perform the following additional troubleshooting steps.
  1. Synchronize the clocks between the vCenter Server Appliance and the Active Directory domain controllers.
  2. Verify that each domain controller has a pointer record (PTR) in the Active Directory domain DNS service.

    Verify that the PTR record information for the domain controller matches the DNS name of the controller. When using the vCenter Server Appliance, run the following commands to perform the task:
    1. To list the domain controllers, run the following command:

         # dig SRV _ldap._tcp.my-ad.com

       The relevant addresses are in the answer section, as in the following example:

         ;; ANSWER SECTION:
         _ldap._tcp.my-ad.com. (...) my-controller.my-ad.com
         ...

    2. For each domain controller, verify forward and reverse resolution by running the following commands:

         # dig my-controller.my-ad.com

       The relevant addresses are in the answer section, as in the following example:

         ;; ANSWER SECTION:
         my-controller.my-ad.com (...) IN A controller IP address
         ...

         # dig -x <controller IP address>

       The relevant addresses are in the answer section, as in the following example:

         ;; ANSWER SECTION:
         IP-in-reverse.in-addr.arpa. (...) IN PTR my-controller.my-ad.com
         ...
  3. If that does not resolve the problem, remove the vCenter Server Appliance from the Active Directory domain and then rejoin the domain. See the vCenter Server Appliance Configuration documentation.
  4. Close all browser sessions connected to the vCenter Server Appliance and restart all services.
    /bin/service-control --restart --all
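The forward and reverse checks from step 2 above, automated as an added example that is not VMware's code and not part of the appliance: it parses the answer section of dig SRV _ldap._tcp.<domain> and reports every controller address whose PTR record does not name that controller, plus controllers with no address at all. It assumes Python 3 is available where you run it; the file name check_dc_dns.py is hypothetical.

```python
"""Step 2 above, automated: check that each AD domain controller's A record round-trips through its PTR record."""
import socket
import sys

def normalize(name):
    # DNS names compare case-insensitively, and dig prints a trailing dot.
    return name.rstrip(".").lower()

def controllers_from_srv(dig_output):
    """Pull the SRV targets out of dig's answer section (";;" lines are comments)."""
    targets = []
    for line in dig_output.splitlines():
        fields = line.split()
        # Record layout: name ttl class SRV priority weight port target
        if len(fields) == 8 and fields[3] == "SRV":
            targets.append(fields[7])
    return targets

def resolve_forward(hostname):
    # Forward lookup through the host's resolver; NXDOMAIN yields no addresses.
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(hostname, None)})
    except socket.gaierror:
        return []

def resolve_reverse(ip):
    # PTR lookup; a missing PTR record is reported as None rather than an error.
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None

def check_controllers(controllers, forward=resolve_forward, reverse=resolve_reverse):
    """Return (controller, ip, ptr) for every address whose PTR does not name the
    controller, and (controller, None, None) when it has no address at all."""
    problems = []
    for dc in controllers:
        ips = forward(dc)
        if not ips:
            problems.append((normalize(dc), None, None))
        for ip in ips:
            ptr = reverse(ip)
            if ptr is None or normalize(ptr) != normalize(dc):
                problems.append((normalize(dc), ip, ptr))
    return problems

if __name__ == "__main__":
    # Usage: dig SRV _ldap._tcp.my-ad.com | python3 check_dc_dns.py   (file name hypothetical)
    for dc, ip, ptr in check_controllers(controllers_from_srv(sys.stdin.read())):
        print(f"{dc}: {ip} -> PTR {ptr!r} does not match the controller name")
```

An empty report means every controller passes the forward and reverse check; a non-empty one lists the exact record to fix in the domain DNS before continuing with step 3.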