Symptoms:
When using the Active Directory (Integrated Windows Authentication) identity source from the vCenter Single Sign-On 5.5 (SSO), Platform Services Controller 6.0 (PSC), or vRealize Automation Identity Appliance, you experience these symptoms:
- Attempting to browse and add users to the vCenter Server permissions (Local Permission: Hosts and Clusters > vCenter > Manage > Permissions, Global Permissions: Administration > Global Permissions) fails with one of these errors:
Cannot load the users for the selected domain.
OR
Error while extracting local SSO users
- Attempting to browse users from your Active Directory Domain under the Users tab (Administration > Users and Groups) in the vCenter Server fails with the error:
com.vmware.identity.idm.IDMException: Failed to establish server connection.
- Attempting to browse and add users to the vRealize Automation Center permissions fails with the error:
System Exception.
- In the /var/log/vmware/sso/vmware-sts-idmd.log file on the vCenter Single Sign-On or Platform Services Controller, you see entries similar to:
[YYYY-MM-DDT<time>Z vsphere.local 3572c5f8-e776-4049-8487-d94f68634a2f WARN ] [ServerUtils] cannot bind connection: [ldap://<Active Directory Domain Controller FQDN>, null]
[YYYY-MM-DDT<time>Z vsphere.local 3572c5f8-e776-4049-8487-d94f68634a2f ERROR] [ServerUtils] cannot establish connection with uri: [ldap://<Active Directory Domain Controller FQDN>]
[YYYY-MM-DDT<time>Z vsphere.local 3572c5f8-e776-4049-8487-d94f68634a2f INFO ] [ActiveDirectoryProvider] removeDcInfo - domain [<Active Directory Domain Name>], domainFQDN [<Active Directory Domain Controller FQDN>], domainIpAddress [<Active Directory Domain Controller IP>]
[YYYY-MM-DDT<time>Z vsphere.local 3572c5f8-e776-4049-8487-d94f68634a2f ERROR] [ActiveDirectoryProvider] Failed to get non-GC connection to domain <Active Directory Domain> - domain controller might be offline
com.vmware.identity.interop.idm.IdmNativeException: Native platform error [code: 40287][LW_ERROR_LDAP_LOCAL_ERROR][]
at com.vmware.identity.interop.idm.LinuxIdmNativeAdapter.LdapSaslBind(LinuxIdmNativeAdapter.java:345)
at com.vmware.identity.interop.ldap.LinuxLdapClientLibrary.ldap_sasl_bind_s(LinuxLdapClientLibrary.java:676)
at com.vmware.identity.interop.ldap.LdapConnection.bindSaslConnection(LdapConnection.java:158)
at com.vmware.identity.idm.server.ServerUtils.getLdapConnection(ServerUtils.java:297)
at com.vmware.identity.idm.server.ServerUtils.getLdapConnectionByURIs(ServerUtils.java:215)
...
[YYYY-MM-DDT<time>Z vsphere.local b77dc08e-9d6b-4386-af56-eee92feae7c6 WARN ] [ServerUtils] cannot bind connection: [ldap://<Active Directory Domain Controller FQDN>, null]
[YYYY-MM-DDT<time>Z vsphere.local b77dc08e-9d6b-4386-af56-eee92feae7c6 ERROR] [ServerUtils] cannot establish connection with uri: [ldap://<Active Directory Domain Controller FQDN>]
[YYYY-MM-DDT<time>Z vsphere.local b77dc08e-9d6b-4386-af56-eee92feae7c6 ERROR] [ActiveDirectoryProvider] Failed to get non-GC connection to domain <Active Directory Domain Name> in retry
com.vmware.identity.interop.idm.IdmNativeException: Native platform error [code: 40287][LW_ERROR_LDAP_LOCAL_ERROR][]
[YYYY-MM-DDT<time>Z vsphere.local b77dc08e-9d6b-4386-af56-eee92feae7c6 ERROR] [IdentityManager] Failed to find person users [Criteria : searchString=, domain=markit.partners] in tenant [vsphere.local]
[YYYY-MM-DDT<time>Z vsphere.local b77dc08e-9d6b-4386-af56-eee92feae7c6 ERROR] [ServerUtils] Exception 'com.vmware.identity.idm.IDMException: Failed to establish server connection'
com.vmware.identity.idm.IDMException: Failed to establish server connection
...
Caused by: com.vmware.identity.idm.IDMException: Failed to get non-GC connection to domain <Active Directory Domain Name> in retry
[YYYY-MM-DD <time> vsphere.local 9439b581-c839-4765-b8e7-39d3af448747 WARN ] [ServerUtils] cannot bind connection: [ldap://<Active Directory Domain Controller FQDN>, null]
[YYYY-MM-DD <time> vsphere.local 9439b581-c839-4765-b8e7-39d3af448747 ERROR] [ServerUtils] cannot establish connection with uri: [ldap://<Active Directory Domain Controller FQDN>]
[YYYY-MM-DD <time> vsphere.local 9439b581-c839-4765-b8e7-39d3af448747 ERROR] [IdentityManager] Failed to find person users [Criteria : searchString=po.tenant, domain=<Active Directory Domain Name>] in tenant [vsphere.local]
[YYYY-MM-DD <time> vsphere.local 9439b581-c839-4765-b8e7-39d3af448747 ERROR] [ServerUtils] Exception 'com.vmware.identity.idm.IDMException: Failed to establish server connection'
com.vmware.identity.idm.IDMException: Failed to establish server connection
... 22 more
Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.
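The log pattern above lends itself to an automated triage check rather than reading vmware-sts-idmd.log by hand. The following Python script is an added example, not VMware code and not part of this article: it parses lines shaped like the excerpts (the line layout, the 36-character per-request correlation id, and the message wording are assumed from the excerpts alone), attaches the unprefixed exception and stack-frame continuation lines to the request they follow, and reports which domain controllers the SSO service failed to bind to, the affected AD domain, the native error code (40287 / LW_ERROR_LDAP_LOCAL_ERROR in the excerpts), any DC-to-IP mapping the removeDcInfo entry reveals, and how many user searches failed as a result. The embedded sample log is constructed to mirror the excerpts; its host names, IP address, timestamps and correlation ids are placeholders.

```python
"""Triage helper for vCenter SSO / PSC vmware-sts-idmd.log (added example, not VMware code).

Groups log lines by the per-request correlation id, attaches the unprefixed
exception/stack-trace continuation lines to the request they belong to, and
pulls out what a defender needs when the AD (IWA) identity source stops
answering: which domain controller the LDAP bind failed against, which AD
domain, and which native error code came back.
"""
import re
from collections import Counter

# Assumed line layout: [<timestamp> <tenant> <correlation-id> <LEVEL>] [<component>] <message>
# The timestamp is matched lazily so both "2015-06-01T10:00:01Z" and
# "2015-06-01 10:00:01" layouts (both appear in the KB excerpts) parse.
LOG_LINE = re.compile(
    r"^\[(?P<ts>.+?) (?P<tenant>\S+) (?P<corr>[0-9a-f-]{36}) "
    r"(?P<level>[A-Z]+)\s*\] \[(?P<component>[^\]]+)\] (?P<msg>.*)$"
)
BIND_FAIL = re.compile(r"cannot (?:bind connection|establish connection with uri): \[ldap://(?P<dc>[^,\]]+)")
NATIVE_ERR = re.compile(r"Native platform error \[code: (?P<code>\d+)\]\[(?P<name>[A-Z_]+)\]")
NONGC_FAIL = re.compile(r"Failed to get non-GC connection to domain (?P<domain>[^\s,]+)")
SEARCH_DOMAIN = re.compile(r"domain=(?P<domain>[^\],\s]+)")
DC_INFO = re.compile(r"removeDcInfo - domain \[(?P<domain>[^\]]+)\], domainFQDN \[(?P<fqdn>[^\]]+)\], "
                     r"domainIpAddress \[(?P<ip>[^\]]+)\]")

# Constructed sample modelled on the excerpts above; not real log output.
SAMPLE_LOG = """\
[2015-06-01T10:00:01Z vsphere.local 3572c5f8-e776-4049-8487-d94f68634a2f WARN ] [ServerUtils] cannot bind connection: [ldap://dc01.corp.example, null]
[2015-06-01T10:00:01Z vsphere.local 3572c5f8-e776-4049-8487-d94f68634a2f ERROR] [ServerUtils] cannot establish connection with uri: [ldap://dc01.corp.example]
[2015-06-01T10:00:01Z vsphere.local 3572c5f8-e776-4049-8487-d94f68634a2f INFO ] [ActiveDirectoryProvider] removeDcInfo - domain [corp.example], domainFQDN [dc01.corp.example], domainIpAddress [192.0.2.10]
[2015-06-01T10:00:01Z vsphere.local 3572c5f8-e776-4049-8487-d94f68634a2f ERROR] [ActiveDirectoryProvider] Failed to get non-GC connection to domain corp.example - domain controller might be offline
com.vmware.identity.interop.idm.IdmNativeException: Native platform error [code: 40287][LW_ERROR_LDAP_LOCAL_ERROR][]
    at com.vmware.identity.interop.idm.LinuxIdmNativeAdapter.LdapSaslBind(LinuxIdmNativeAdapter.java:345)
    at com.vmware.identity.idm.server.ServerUtils.getLdapConnection(ServerUtils.java:297)
[2015-06-01T10:00:02Z vsphere.local b77dc08e-9d6b-4386-af56-eee92feae7c6 WARN ] [ServerUtils] cannot bind connection: [ldap://dc01.corp.example, null]
[2015-06-01T10:00:02Z vsphere.local b77dc08e-9d6b-4386-af56-eee92feae7c6 ERROR] [IdentityManager] Failed to find person users [Criteria : searchString=, domain=corp.example] in tenant [vsphere.local]
[2015-06-01T10:00:02Z vsphere.local b77dc08e-9d6b-4386-af56-eee92feae7c6 ERROR] [ServerUtils] Exception 'com.vmware.identity.idm.IDMException: Failed to establish server connection'
com.vmware.identity.idm.IDMException: Failed to establish server connection
[2015-06-01 10:00:03 vsphere.local 9439b581-c839-4765-b8e7-39d3af448747 WARN ] [ServerUtils] cannot bind connection: [ldap://dc02.corp.example, null]
[2015-06-01 10:00:03 vsphere.local 9439b581-c839-4765-b8e7-39d3af448747 ERROR] [IdentityManager] Failed to find person users [Criteria : searchString=po.tenant, domain=corp.example] in tenant [vsphere.local]
[2015-06-01T10:05:00Z vsphere.local 0f1e2d3c-4b5a-4968-8776-655443322110 INFO ] [IdentityManager] constructed healthy line with no AD bind failure
"""


def parse_idmd_log(text):
    """Return one record per correlation id, in first-seen order."""
    records, order, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LOG_LINE.match(line)
        if m is None:
            # Continuation line (exception message or stack frame): it belongs
            # to the request of the most recent prefixed line.
            n = NATIVE_ERR.search(line)
            if current is not None and n:
                current["native_errors"].add((int(n.group("code")), n.group("name")))
            continue
        corr = m.group("corr")
        rec = records.get(corr)
        if rec is None:
            rec = {"corr": corr, "first_ts": m.group("ts"), "tenant": m.group("tenant"),
                   "failed_dcs": set(), "domains": set(), "dc_ips": {},
                   "native_errors": set(), "user_search_failed": False}
            records[corr] = rec
            order.append(corr)
        msg = m.group("msg")
        b = BIND_FAIL.search(msg)
        if b:
            rec["failed_dcs"].add(b.group("dc"))
        d = NONGC_FAIL.search(msg)
        if d:
            rec["domains"].add(d.group("domain"))
        i = DC_INFO.search(msg)
        if i:
            rec["dc_ips"][i.group("fqdn")] = i.group("ip")
            rec["domains"].add(i.group("domain"))
        if "Failed to find person users" in msg:
            rec["user_search_failed"] = True
            s = SEARCH_DOMAIN.search(msg)
            if s:
                rec["domains"].add(s.group("domain"))
        if "Failed to establish server connection" in msg:
            rec["user_search_failed"] = True
        current = rec
    return [records[c] for c in order]


def ad_bind_failures(records):
    """Requests in which an LDAP bind to an AD domain controller failed."""
    return [r for r in records if r["failed_dcs"]]


def failures_per_dc(records):
    """How many distinct requests failed against each domain controller."""
    counts = Counter()
    for r in ad_bind_failures(records):
        counts.update(r["failed_dcs"])
    return dict(counts)


def triage(text):
    """One-shot summary suitable for a ticket or a monitoring check."""
    records = parse_idmd_log(text)
    failed = ad_bind_failures(records)
    return {
        "requests_total": len(records),
        "requests_with_ad_bind_failure": len(failed),
        "user_searches_failed": sum(1 for r in failed if r["user_search_failed"]),
        "failures_per_dc": failures_per_dc(records),
        "domains": sorted(set().union(*(r["domains"] for r in failed))),
        "native_errors": sorted(set().union(*(r["native_errors"] for r in failed))),
        "dc_ips": {fqdn: ip for r in failed for fqdn, ip in r["dc_ips"].items()},
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against a real file with `triage(open("/var/log/vmware/sso/vmware-sts-idmd.log").read())`. A non-zero `requests_with_ad_bind_failure` concentrated on one domain controller in `failures_per_dc` points at that DC (or the network path to it) rather than at SSO itself, and the `dc_ips` mapping from the removeDcInfo entry tells you which address SSO was actually resolving the DC to, which is the first thing to compare against DNS when the bind fails with LW_ERROR_LDAP_LOCAL_ERROR.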