You log in to a vCenter Server component from the vSphere Web Client. You use your Active Directory user name and password. Authentication fails.

You add an Active Directory identity source to vCenter Single Sign-On, but users cannot log in to vCenter Server.

Users use their user name and password to log in to the default domain. For all other domains, users must include the domain name (user@domain or DOMAIN\user).

If you are using the vCenter Server Appliance, other problems might exist.

For all vCenter Single Sign-On deployments, you can change the default identity source. After that change, users can log in to the default identity source with username and password only.

To configure your Integrated Windows Authentication identity source with a child domain within your Active Directory forest, see VMware Knowledge Base article 2070433. By default, Integrated Windows Authentication uses the root domain of your Active Directory forest.

If you are using the vCenter Server Appliance, and changing the default identity source does not resolve the issue, perform the following additional troubleshooting steps.

1. Synchronize the clocks between the vCenter Server Appliance and the Active Directory domain controllers.

2. Verify that each domain controller has a pointer record (PTR) in the Active Directory domain DNS service and that the PTR record information matches the DNS name of the controller. When using the vCenter Server Appliance, you can run the following commands to perform the task:

a. To list the domain controllers, run the following command:

# dig SRV _ldap._tcp.my-ad.com

The relevant addresses are in the answer section, as in the following example:

;; ANSWER SECTION:
_ldap._tcp.my-ad.com. (...) my-controller.my-ad.com
...

b. For each domain controller, verify forward and reverse resolution by running the following commands:

# dig my-controller.my-ad.com

The relevant addresses are in the answer section, as in the following example:

;; ANSWER SECTION:
my-controller.my-ad.com (...) IN A controller IP address
...

# dig -x <controller IP address>

The relevant addresses are in the answer section, as in the following example:

;; ANSWER SECTION:
IP-in-reverse.in-addr.arpa. (...) IN PTR my-controller.my-ad.com
...

3. If that does not resolve the problem, remove the vCenter Server Appliance from the Active Directory domain and then rejoin the domain. See the vCenter Server Appliance Configuration documentation.

4. Close all browser sessions connected to the vCenter Server Appliance and restart all services.

/bin/service-control --restart --all
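
The forward and reverse DNS checks from step 2 can be run for every domain controller in one pass. The following script is an added example, not part of the VMware documentation; its function names are hypothetical, my-ad.com is the page's placeholder domain, and it assumes dig is available and that the SRV and PTR answers arrive in the usual `dig +short` form.

```shell
#!/bin/sh
# Added example: check that every AD domain controller resolves forward (A)
# and back (PTR) to the same name. Function names are hypothetical.

# Lower-case a DNS name and strip the trailing root dot so names compare equal.
normalize() {
    printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]' | sed 's/\.$//'
}

# Read `dig +short SRV` output (priority weight port target) on stdin and
# print the unique target host names, one per line.
srv_targets() {
    awk 'NF == 4 { print $4 }' | while read -r t; do normalize "$t"; done | sort -u
}

# Return 0 if any PTR name in $2 (whitespace separated) equals host $1.
ptr_matches() {
    want=$(normalize "$1")
    for ptr in $2; do
        if [ "$(normalize "$ptr")" = "$want" ]; then return 0; fi
    done
    return 1
}

# check_domain DOMAIN: live check against DNS; prints one line per address
# and returns non-zero if any controller lacks a matching PTR record.
check_domain() {
    rc=0
    for dc in $(dig +short SRV "_ldap._tcp.$1" | srv_targets); do
        # Keep only IPv4 addresses; +short may also print CNAME targets.
        addrs=$(dig +short "$dc" A | grep -E '^[0-9.]+$' || true)
        if [ -z "$addrs" ]; then echo "FAIL $dc: no A record"; rc=1; continue; fi
        for ip in $addrs; do
            if ptr_matches "$dc" "$(dig +short -x "$ip")"; then
                echo "OK   $dc $ip"
            else
                echo "FAIL $dc $ip: PTR missing or mismatched"; rc=1
            fi
        done
    done
    return $rc
}

# Run only when a domain is given, for example: sh check-dc-dns.sh my-ad.com
if [ "$#" -ge 1 ]; then check_domain "$1"; fi
```

A FAIL line identifies the controller whose PTR record has to be added or corrected in the Active Directory DNS zone before retrying the login.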