If vCenter Single Sign-On does not autodiscover the Active Directory domain, you cannot log in to vCenter.

After enabling Active Directory domain authentication from the Authentication tab on the Web Console, you cannot log in to vCenter by using an Active Directory domain user.

The Active Directory domain was not autodiscovered by vCenter Single Sign-On. If Single Sign-On autodiscovered the Active Directory domain, the domain appears in the Identity Sources list.

If the domain is present in the Identity Sources list, log in using the qualified name, for example user@domain or DOMAIN\user. If your organization requires you to authenticate with an unqualified name, add the domain to the list of default domains.

If the domain is not present in the Identity Sources list, follow these steps.

1. Open /var/log/vmware/vpx/sso_cfg.log.

2. Verify that you see lines that include the Active Directory domain, DNS name, NetBIOS name, the primary domain controller and, if one exists, the secondary domain controller.

   You need the names of the controllers for a later step.

3. Synchronize the clocks between the vCenter Server Appliance and the Active Directory domain controllers.

4. Run the following commands at a command line to verify that each domain controller has a pointer record (PTR) in the Active Directory domain's DNS service and that the PTR record matches the DNS name of the controller.

   # dig my-controller.my-ad.com
   my-controller.my-ad.com (...) IN A controller IP address
   # dig -x <controller IP address>
   IP-in-reverse.in-addr.arpa. (...) IN PTR

5. If the controller LDAP services are SSL-enabled, verify that the SSL certificate is valid.

6. (Optional) If steps 1 through 5 did not resolve the problem, remove the vCenter Server Appliance from the Active Directory domain and then rejoin the domain.

7. Restart vCenter Single Sign-On.
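The DNS and certificate checks in steps 4 and 5 can be scripted so that every controller named in sso_cfg.log is tested the same way. The following is an added example, not VMware's own code or part of the original article. It assumes the dig and openssl binaries are installed on the host where it runs, that LDAPS listens on port 636, and that the controller names are passed as arguments; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example: check that each Active Directory domain controller has a
# forward (A) record whose address resolves back to the same name via PTR,
# and that its LDAPS certificate has not expired.

# Pure comparison used by the live check: returns 0 when the PTR answer
# names the controller. Trailing dots and letter case are ignored because
# dig returns "name." and DNS names are case-insensitive.
ptr_matches() {
  name="$1"
  ptr="$2"
  n=$(printf '%s' "$name" | sed 's/\.$//' | tr 'A-Z' 'a-z')
  p=$(printf '%s' "$ptr" | sed 's/\.$//' | tr 'A-Z' 'a-z')
  [ -n "$n" ] && [ "$n" = "$p" ]
}

# Live DNS check (needs network and dig): resolve the controller's A record,
# then reverse-resolve the address and compare, as in step 4 of the article.
check_dns() {
  name="$1"
  ip=$(dig +short A "$name" | head -n 1)
  if [ -z "$ip" ]; then
    echo "FAIL: no A record for $name"
    return 1
  fi
  ptr=$(dig +short -x "$ip" | head -n 1)
  if ptr_matches "$name" "$ptr"; then
    echo "OK:   $name -> $ip -> $ptr"
  else
    echo "FAIL: $name -> $ip -> '${ptr:-<no PTR record>}' (PTR does not match)"
    return 1
  fi
}

# Live certificate check (needs network and openssl): fetch the LDAPS
# certificate and confirm it is not past its notAfter date, as in step 5.
# Assumption: LDAPS is on port 636 (the standard port).
check_ldaps_cert() {
  name="$1"
  if openssl s_client -connect "$name:636" -servername "$name" </dev/null 2>/dev/null \
       | openssl x509 -noout -checkend 0 >/dev/null 2>&1; then
    echo "OK:   LDAPS certificate on $name is within its validity period"
  else
    echo "FAIL: LDAPS certificate on $name is expired, missing, or unreachable"
    return 1
  fi
}

# Run both checks for every controller name given on the command line,
# for example: sh check_dc.sh my-controller.my-ad.com my-controller2.my-ad.com
main() {
  status=0
  for dc in "$@"; do
    check_dns "$dc" || status=1
    check_ldaps_cert "$dc" || status=1
  done
  return $status
}

# Only run main when invoked as a script with arguments, so the functions
# can also be sourced for reuse.
[ $# -gt 0 ] && main "$@"
```

Run it with the controller names found in sso_cfg.log; a non-zero exit means at least one controller failed a check and should be fixed before moving on to step 6.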