Troubleshooting Single Sign-On and Active Directory domain authentication with the vCenter Server Appliance

Article ID: 316560

Products

VMware vCenter Server

Issue/Introduction

After you enable Active Directory domain authentication from the Authentication tab of the vCenter Server Appliance web console, logging in to vCenter Server with an Active Directory domain user fails.

Environment

VMware vCenter Server Appliance 5.1.x
VMware vCenter Server 5.1.x

Resolution

Verify that Single Sign-On autodiscovered the Active Directory domain

  1. Log in to the vSphere Web Client as the Single Sign-On administrator.
  2. From Administration, select Sign-on and Discovery, then click Configuration.
  3. On the Identity Sources tab, search for your Active Directory domain in the list.
If Single Sign-On autodiscovered the Active Directory domain, the domain appears in the list without having been added manually.

If the Active Directory domain is not present in the list

If the Active Directory domain does not appear in the list, it was probably not autodiscovered by Single Sign-On. Perform these steps to correct the issue:

  1. Open /var/log/vmware/vpx/sso_cfg.log and verify that it contains lines that name the Active Directory domain, its DNS name, its NetBIOS name, the primary domain controller and, if one exists, the secondary domain controller.
  2. Note the names of the controllers.
  3. Synchronize the clocks of the vCenter Server Appliance and the Active Directory domain controllers. Kerberos rejects authentication when the clock skew exceeds the domain's limit (5 minutes by default).
    For best results, point the appliance and the controllers at the same central NTP server and use automatic synchronization.
  4. Verify that each domain controller has a pointer (PTR) record in the Active Directory DNS zone, and that the name in the PTR record matches the DNS name of the controller. In other words, the forward (A) and reverse (PTR) lookups must agree. One way to check this is from the command line on the vCenter Server Appliance:

    # dig dc.domain.com
    ...
    ;; ANSWER SECTION:
    dc.domain.com (...) IN A <controller IP address>
    ...
    # dig -x <controller IP address>
    ...
    ;; ANSWER SECTION:
    <IP-in-reverse>.in-addr.arpa. (...) IN PTR dc.domain.com
    ...
  5. If the controller LDAP services are SSL-enabled (LDAPS, TCP port 636), verify that the SSL certificate is valid: not expired, issued by a CA that the appliance trusts, and issued to the controller's DNS name.
  6. If steps 1 to 5 did not resolve the issue, remove the vCenter Server Appliance from the Active Directory domain and then rejoin the domain.
  7. After steps 1 to 6 are complete, restart Single Sign-On.
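The following script is an added example and is not part of this article or of any VMware tool. It runs the checks from steps 3 to 5 against each domain controller you noted from sso_cfg.log: forward and reverse DNS agreement, clock offset against the controller, and LDAPS certificate validity. The controller names are passed as arguments; the CA_FILE variable, the use of ntpdate for the offset query, and the 300-second skew limit are assumptions about your environment.

```shell
#!/bin/sh
# Added example (not VMware's code): checks a list of domain controllers the
# way steps 3 to 5 of the procedure describe. Usage, from the appliance shell:
#   CA_FILE=/tmp/ad-ca.pem sh check_dc.sh dc1.domain.com dc2.domain.com
# CA_FILE (assumed name) is an optional PEM bundle holding the AD CA chain.

# DNS names are case-insensitive and dig prints them with a trailing dot, so
# normalize before comparing: "DC.Domain.COM." and "dc.domain.com" are equal.
normalize_fqdn() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//'
}

# The in-addr.arpa name that "dig -x" queries for an IPv4 address,
# e.g. 10.1.2.3 -> 3.2.1.10.in-addr.arpa.
reverse_arpa() {
    printf '%s' "$1" | awk -F. '{ printf "%s.%s.%s.%s.in-addr.arpa.\n", $4, $3, $2, $1 }'
}

# Succeeds when the controller name and the PTR target are the same host.
ptr_matches() {
    [ "$(normalize_fqdn "$1")" = "$(normalize_fqdn "$2")" ]
}

# Succeeds when |offset| is within the assumed Kerberos skew limit (300 s).
skew_ok() {
    awk -v o="$1" 'BEGIN { exit ((o < 0 ? -o : o) > 300) }'
}

# Step 4: A record must exist, the PTR for that address must exist, and the
# PTR must point back at the controller name.
check_dns() {
    local dc=$1 ip ptr
    ip=$(dig +short "$dc" A | head -n 1)
    if [ -z "$ip" ]; then
        echo "FAIL $dc: no A record (is the appliance using the AD DNS server?)"; return 1
    fi
    ptr=$(dig +short -x "$ip" | head -n 1)
    if [ -z "$ptr" ]; then
        echo "FAIL $dc: $ip has no PTR record ($(reverse_arpa "$ip"))"; return 1
    fi
    if ptr_matches "$dc" "$ptr"; then
        echo "OK   $dc: A $ip, PTR $ptr"
    else
        echo "FAIL $dc: A $ip but PTR points to $ptr"; return 1
    fi
}

# Step 3: query (never set) the controller's time with ntpdate -q and compare.
# Assumes ntpdate is installed; the check is skipped otherwise.
check_clock() {
    local dc=$1 offset
    if ! command -v ntpdate >/dev/null 2>&1; then
        echo "SKIP $dc: ntpdate not installed; compare 'date -u' with the controller manually"; return 0
    fi
    # ntpdate -q prints "server <ip>, stratum N, offset <sec>, delay <sec>"
    offset=$(ntpdate -q "$dc" 2>/dev/null | awk '/^server/ { gsub(",", "", $6); print $6; exit }')
    if [ -z "$offset" ]; then
        echo "FAIL $dc: no NTP answer from controller"; return 1
    fi
    if skew_ok "$offset"; then
        echo "OK   $dc: clock offset ${offset}s"
    else
        echo "FAIL $dc: clock offset ${offset}s exceeds Kerberos skew limit"; return 1
    fi
}

# Step 5: if LDAPS (636) answers, the certificate must not be expired and must
# chain to a trusted CA. Compare the printed subject with the controller name.
check_ldaps() {
    local dc=$1 out verify subject expiry
    if [ -n "$CA_FILE" ]; then set -- -CAfile "$CA_FILE"; else set --; fi
    out=$(echo | openssl s_client -connect "$dc:636" "$@" 2>&1)
    if ! printf '%s\n' "$out" | grep -q 'BEGIN CERTIFICATE'; then
        echo "SKIP $dc: no certificate from port 636 (LDAP may be plain 389 only)"; return 0
    fi
    verify=$(printf '%s\n' "$out" | sed -n 's/.*Verify return code: //p')
    subject=$(printf '%s\n' "$out" | openssl x509 -noout -subject 2>/dev/null)
    if printf '%s\n' "$out" | openssl x509 -noout -checkend 0 >/dev/null 2>&1; then
        expiry=ok
    else
        expiry=EXPIRED
    fi
    echo "LDAPS $dc: $subject; validity $expiry; chain: ${verify:-unknown}"
    [ "$expiry" = ok ] && [ "${verify%% *}" = 0 ]
}

main() {
    local rc=0 dc
    for dc in "$@"; do
        check_dns "$dc"   || rc=1
        check_clock "$dc" || rc=1
        check_ldaps "$dc" || rc=1
    done
    return $rc
}

# Touch the network only when controller names are supplied.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

A non-zero exit means at least one controller failed a check; the FAIL line names which of the three conditions to fix before rejoining the domain (step 6) and restarting Single Sign-On (step 7). Run it with the appliance's own resolver settings, because a forward lookup that succeeds from your workstation but not from the appliance is exactly the misconfiguration that prevents autodiscovery.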

If this procedure does not correct the problem, add the domain manually from the Identity Sources tab in the vSphere Web Client, supplying the user name and password of a domain account. Domain users can then log in, but a manually added domain does not support Windows session authentication from the vSphere Web Client.

If the domain is present in the Identity Sources list, you have two login options:

  • Use the qualified name. For example, log in as user@domain or DOMAIN\user.
  • If your organization requires you to authenticate with an unqualified name, add the domain to the list of default domains. For more information, see Manage Default Domains for vCenter Single Sign On in the VMware vSphere 5.1 Security Guide.

Active Directory users might have a custom UPN suffix instead of the domain name: the part of the user principal name after the @ can be set to something other than the DNS name of the domain the account belongs to. Active Directory users with such custom suffixes cannot log in to the vSphere Web Client using Windows session credentials when vCenter Single Sign-On is installed on a Windows system.

Additional Information


Configuring vCenter Single Sign-On with Active Directory Authentication (VMware Docs)