Unable to log in to vCenter using Active Directory user credentials.

vCenter is joined to the AD domain and the identity source is configured as Integrated Windows Authentication, but you are still unable to log in to vCenter. You may see "access denied" in the vSphere Flash or UI client.

You may see the following lines in websso.log (/var/log/vmware/sso/).

[2019-06-18T21:14:41.278Z tomcat-http--9 vsphere.local        2a51ab88-55aa-4194-9d63-ec5acbac4c27 INFO  auditlogger] {"user":"ADdomain\\ADUser","client":"10.200.201.223","timestamp":"06/18/2019 21:14:41 UTC","description":"User aduser@addomain.local 10.200.201.223 failed to log in with response code 401","eventSeverity":"INFO","type":"com.vmware.sso.LoginFailure"}
[2019-06-18T21:14:50.296Z tomcat-http--16 vsphere.local        e5a24519-8856-482f-a45a-9e4eb8d6eb8c ERROR com.vmware.identity.idm.server.IdentityManager] Failed to authenticate principal [aduser@addomain.local] for tenant [vsphere.local] com.vmware.identity.interop.idm.IdmNativeException: Native platform error [code: 851968][null][null]
at com.vmware.identity.interop.idm.LinuxIdmNativeAdapter.AuthenticateByPassword(LinuxIdmNativeAdapter.java:188) ~[vmware-identity-platform-7.0.0.jar:?]
at com.vmware.identity.idm.server.provider.activedirectory.ActiveDirectoryProvider.authenticate(ActiveDirectoryProvider.java:289) ~[vmware-identity-idm-server-7.0.0.jar:?]

When you deploy vCenter using an IP address (rather than an FQDN), the host name may show as photon-machine. If the computer account for that name in AD is duplicated or missing, or the DNS record for the host name is missing, you see the error above.

root@photon-machine [ /opt/likewise/bin ]# ./domainjoin-cli query
Name = photon-machine
Domain = ADDomain.local
Distinguished Name = CN=PHOTON-MACHINE,OU=Servers,DC=ADdomain,DC=local


If you have multiple computer accounts in AD with the same name, follow the procedure below.

# /opt/likewise/bin/domainjoin-cli leave

Reboot vCenter (using the VAMI page).
Delete both computer accounts from Active Directory.
Join vCenter to AD.

# /opt/likewise/bin/domainjoin-cli join addomain.local administrator@addomain.local

Reboot vCenter (using the VAMI page).
Log in using an AD account.


If the DNS record for the vCenter host name (photon-machine in the example above) is missing, create forward and reverse records on the DNS server.
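The checks described above (join status from domainjoin-cli, forward/reverse DNS for the joined host name, and the 401/native error lines in websso.log) can be run from one script on the appliance. This is an added example, not part of the original post; it assumes the VCSA paths quoted above and that getent is available, and the sample log and query text inside it are constructed from the excerpts above.

```shell
#!/bin/sh
# Added diagnostic helper, not part of the original post. It assumes the VCSA
# paths quoted above; the parsing functions read text from stdin so that they
# also run against the constructed sample below when the real tools are absent.
WEBSSO_LOG=/var/log/vmware/sso/websso.log
DJ_CLI=/opt/likewise/bin/domainjoin-cli

# Constructed samples modelled on the domainjoin-cli and websso.log excerpts above.
SAMPLE_QUERY='Name = photon-machine
Domain = ADDomain.local
Distinguished Name = CN=PHOTON-MACHINE,OU=Servers,DC=ADdomain,DC=local'
SAMPLE_LOG='[2019-06-18T21:14:41.278Z tomcat-http--9 vsphere.local 2a51ab88 INFO  auditlogger] {"user":"ADdomain\\ADUser","client":"10.200.201.223","description":"User aduser@addomain.local 10.200.201.223 failed to log in with response code 401","type":"com.vmware.sso.LoginFailure"}
[2019-06-18T21:14:50.296Z tomcat-http--16 vsphere.local e5a24519 ERROR com.vmware.identity.idm.server.IdentityManager] Failed to authenticate principal [aduser@addomain.local] for tenant [vsphere.local] com.vmware.identity.interop.idm.IdmNativeException: Native platform error [code: 851968][null][null]'

# Host name and (lower-cased) domain from `domainjoin-cli query` output on stdin.
dj_hostname() { sed -n 's/^Name = //p' | head -n 1; }
dj_domain()   { sed -n 's/^Domain = //p' | head -n 1 | tr 'A-Z' 'a-z'; }

# Number of IDM lines carrying the native AD auth failure shown above (code 851968).
native_error_count() { grep -c 'IdmNativeException: Native platform error \[code: 851968'; }

# Principals that failed with a 401, one per line, de-duplicated.
failed_principals() {
  sed -n 's/.*"description":"User \([^ ]*\) [0-9.]* failed to log in with response code 401".*/\1/p' | sort -u
}

# Forward/reverse agreement: $1 expected FQDN, $2 the IP it resolved to (empty if
# the forward record is missing), $3 the name that IP resolves back to.
dns_consistent() {
  want=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//')
  back=$(printf '%s' "$3" | tr 'A-Z' 'a-z' | sed 's/\.$//')
  [ -n "$2" ] && [ -n "$want" ] && [ "$want" = "$back" ]
}

if [ -x "$DJ_CLI" ] && [ -r "$WEBSSO_LOG" ]; then
  # Live run on the appliance: join status, DNS, and recent failures from the log.
  q=$("$DJ_CLI" query)
  fqdn="$(printf '%s\n' "$q" | dj_hostname).$(printf '%s\n' "$q" | dj_domain)"
  ip=$(getent hosts "$fqdn" | awk '{print $1; exit}')
  rname=$(getent hosts "$ip" | awk '{print $2; exit}')
  if dns_consistent "$fqdn" "$ip" "$rname"; then echo "DNS ok: $fqdn -> $ip -> $rname"
  else echo "DNS problem for $fqdn (forward: ${ip:-none}, reverse: ${rname:-none}): add forward/reverse records"; fi
  echo "native AD auth failures (code 851968): $(native_error_count < "$WEBSSO_LOG")"
  echo "principals failing with 401:"; failed_principals < "$WEBSSO_LOG"
else
  echo "vCenter tools not found; parsing the constructed sample instead"
  printf '%s\n' "$SAMPLE_LOG" | failed_principals
fi
```

Run it as root on the VCSA shell; a DNS mismatch or a missing forward record points at the DNS fix above, while a non-zero native error count with a consistent DNS setup points at the duplicate computer account case.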
