Troubleshooting Single Sign-On and Active Directory domain authentication with the vCenter Server Appliance (2033742)

  • 56 Ratings


After successfully enabling Active Directory domain authentication from the Authentication tab on the Web Console, you cannot log in to vCenter by using an Active Directory domain user.


Verify that Single Sign-On autodiscovered the Active Directory domain

  1. Log in to the vSphere Web Client as the Single Sign-On administrator.
  2. From Administration, select Sign-on and Discovery, then click Configuration.
  3. On the Identity Sources tab, search for your Active Directory domain in the list.
If Single Sign-On discovered the Active Directory domain without the need to manually add it, the Active Directory domain appears in the list.

If the Active Directory domain is not present in the list

If the Active Directory domain does not appear in the list, it was probably not autodiscovered by Single Sign-On. Perform these steps to correct the issue:

  1. Open /var/log/vmware/vpx/sso_cfg.log and verify that you see lines in the log that include the Active Directory domain, DNS Name, NetBIOS name, the primary controller and, if one exists, the secondary controller.
  2. Note the names of the controllers.
  3. Synchronize the clocks between the vCenter Server Appliance and the Active Directory domain controllers.
    For best results, use a central NTP server and automatic synchronization.
  4. Verify that each domain controller has a pointer record (PTR) in the Active Directory domain DNS service, and that the PTR record information matches the DNS name of the controller.
    One way to do this is from the command line on the vCenter Server Appliance: resolve the controller name, then reverse-resolve the address it returns and confirm the PTR target is the same name.

    # dig <controller DNS name>
    ;; ANSWER SECTION: (...) IN A <controller IP address>
    # dig -x <controller IP address>
    <IP-in-reverse> (...) IN PTR <controller DNS name>.

  5. If the controller LDAP services are SSL-enabled, verify that the SSL certificate is valid.
  6. If steps 1 to 5 did not resolve the issue, remove the vCenter Server Appliance from the Active Directory domain and then rejoin the domain.
  7. After steps 1 to 6 are complete, restart Single Sign-On.
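
To run the step 4 check across every controller noted in step 2 at once, the following added script (not part of the KB article; the controller names and addresses in its sample tables are constructed) resolves each name, reverse-resolves the returned address, and reports a PTR record that is missing or that names a different host. Run it on the appliance or any host that uses the domain's DNS, passing the controller names as arguments.

```python
import socket
import sys

def check_controller(name, forward=socket.gethostbyname, reverse=socket.gethostbyaddr):
    """Resolve NAME, reverse-resolve the address, require PTR == NAME. Returns (ok, detail)."""
    fqdn = name.rstrip(".").lower()
    try:
        ip = forward(fqdn)
    except OSError as exc:
        return False, f"{fqdn}: no A record ({exc})"
    try:
        ptr_target = reverse(ip)[0]          # gethostbyaddr -> (name, aliases, ips)
    except OSError as exc:
        return False, f"{fqdn} -> {ip}: no PTR record ({exc})"
    ptr_fqdn = ptr_target.rstrip(".").lower()
    if ptr_fqdn != fqdn:
        return False, f"{fqdn} -> {ip} -> {ptr_fqdn}: PTR does not match DNS name"
    return True, f"{fqdn} -> {ip} -> {ptr_fqdn}: OK"

def check_all(names, **resolvers):
    """Check every controller name; returns {name: (ok, detail)}."""
    return {n: check_controller(n, **resolvers) for n in names}

# Constructed sample records (hypothetical names/addresses) standing in for
# the real resolver so the checks can be exercised offline.
SAMPLE_A = {
    "dc1.corp.example": "192.0.2.10",   # A and PTR agree
    "dc2.corp.example": "192.0.2.11",   # PTR still points at an old name
    "dc3.corp.example": "192.0.2.12",   # no PTR record at all
}
SAMPLE_PTR = {
    "192.0.2.10": ("dc1.corp.example", [], ["192.0.2.10"]),
    "192.0.2.11": ("old-dc.corp.example", [], ["192.0.2.11"]),
}

def sample_forward(host):
    if host not in SAMPLE_A:
        raise socket.gaierror("Name or service not known")
    return SAMPLE_A[host]

def sample_reverse(ip):
    if ip not in SAMPLE_PTR:
        raise socket.herror("Unknown host")
    return SAMPLE_PTR[ip]

if __name__ == "__main__":
    names = sys.argv[1:]   # real resolver with arguments, sample tables without
    results = (check_all(names) if names
               else check_all(SAMPLE_A, forward=sample_forward, reverse=sample_reverse))
    for ok, detail in results.values():
        print(("PASS " if ok else "FAIL ") + detail)
    sys.exit(0 if all(ok for ok, _ in results.values()) else 1)
```

The exit status is non-zero when any controller fails, so the script can be dropped into a pre-join check. Note that gethostbyname returns only an IPv4 address, so the check covers A records, not AAAA.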

If this procedure does not correct the problem, use the user name and password to add the domain manually from the Identity Sources tab in the vSphere Web Client. You can add the domain, but this will not allow you to use Windows session authentication from the vSphere Web Client.

If the domain is present in the Identity Sources list, you have two login options.

  • Use the qualified name. For example, log in with user@domain or DOMAIN\user.
  • If your organization requires you to authenticate with an unqualified name, add the domain to the list of default domains. For more information, see Manage Default Domains for vCenter Single Sign On in the VMware vSphere 5.1 Security Guide.

Active Directory users might have a custom suffix in their UPN instead of using the domain name as the suffix. For example, the user name can be customized to be Active Directory users with these custom suffixes cannot log in to the vSphere Web Client using Windows session credentials when vCenter Single Sign-On is installed on a Windows system.


