I have followed the directions for joining VCSA 6 to AD to a "T", and noticed a couple of strange things:
A server error occurred.
 An error occurred while processing the authentication response from the vCenter Single Sign-On server. Details: Status: urn:oasis:names:tc:SAML:2.0:status:Responder, sub status: null.
Check the vSphere Web Client server logs for details.
One other thing: the /etc/krb5.conf file contains valid information for the domain I am trying to join, and the time on the VCSA is accurate.
I downloaded the log file bundle and found this:
2015-03-23T15:43:58.065145+00:00 vcsa-101 netlogond: 0x7f636a761700: Failed ldap search on 172.20.0.10 error=40290
That is the correct DC and it is pingable from the VCSA, and there is no firewall/Windows Firewall issue.
Rebooted the VCSA twice and now I can log in!
I did one thing, but made no changes other than a last reboot. Here's what I did:
I ran the following commands:
hostname and hostname -s both echoed the short name of my VCSA.
cat /etc/hosts showed a correctly formatted hosts file with: IP FQDN shortname
/opt/vmware/share/vami/vami_config_net, option 3, showed a correct hostname.
I don't know that there is an answer, but the issue is resolved.
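The checks the original poster ran by hand (hostname vs. hostname -s, the "IP FQDN shortname" line in /etc/hosts, and the clock being accurate) can be scripted so they are repeatable before the next join attempt. The script below is an added example written for this thread, not VMware code or anything the poster ran; the host names, IP addresses and sample hosts files are constructed for demonstration, and the 300-second tolerance is the default Kerberos clock-skew limit, which is assumed here to be the relevant bound for the AD join rather than a value stated anywhere in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): sanity checks for a VCSA before
# joining it to AD, mirroring the manual checks described above.

# short_of FQDN -> the short host name, i.e. what `hostname -s` should report
short_of() {
    printf '%s\n' "$1" | cut -d. -f1
}

# check_hosts_line FILE FQDN SHORT
# Returns 0 if FILE contains an uncommented line of the form "IPv4 FQDN SHORT",
# the layout the poster confirmed in /etc/hosts; returns 1 otherwise.
check_hosts_line() {
    file="$1"; fqdn="$2"; short="$3"
    awk -v f="$fqdn" -v s="$short" '
        /^[[:space:]]*#/ { next }                      # skip comment lines
        $2 == f && $3 == s &&
        $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { found = 1 }
        END { if (found) exit 0; exit 1 }' "$file"
}

# skew_ok LOCAL_EPOCH REMOTE_EPOCH [MAX_SECONDS]
# Returns 0 if the two clocks differ by at most MAX_SECONDS (default 300,
# the usual Kerberos clock-skew tolerance, assumed here), else 1.
skew_ok() {
    a="$1"; b="$2"; max="${3:-300}"
    d=$((a - b)); [ "$d" -lt 0 ] && d=$((-d))
    [ "$d" -le "$max" ]
}

# --- constructed sample input (not real configuration from the thread) ---
good_hosts=$(mktemp); bad_hosts=$(mktemp)
printf '127.0.0.1 localhost\n192.0.2.10 vcsa-101.example.test vcsa-101\n' > "$good_hosts"
# Missing the FQDN field: the shape the checks above are meant to catch.
printf '127.0.0.1 localhost\n192.0.2.10 vcsa-101\n' > "$bad_hosts"

# run_demo -> prints one line per check; returns 0 when the good file passes
# and the bad file fails, so the demo itself is verifiable.
run_demo() {
    ok=0
    check_hosts_line "$good_hosts" vcsa-101.example.test vcsa-101 \
        && echo "good hosts file: OK" || { echo "good hosts file: FAIL"; ok=1; }
    check_hosts_line "$bad_hosts" vcsa-101.example.test vcsa-101 \
        && { echo "bad hosts file: unexpectedly OK"; ok=1; } || echo "bad hosts file: rejected as expected"
    return $ok
}

# On a live appliance, replace the sample files with the real values:
#   check_hosts_line /etc/hosts "$(hostname -f)" "$(hostname -s)"
#   skew_ok "$(date +%s)" "<epoch reported by the DC or NTP server>"
```

The hosts-file check deliberately requires the FQDN in the second field and the short name in the third, matching the order the poster verified; a reversed order resolves differently under some libc resolvers, which is exactly the kind of mismatch that shows up only as an opaque SSO error.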
Hi, I'm getting exactly the same issue. What are the directions you followed? I haven't found any.
The steps I've done:
* join the machine to AD (successful - appears in proper OU in AD)
* Admin/SSO/Config Added identity source (use machine account)
* Admin/SSO/Users+Groups/Groups/ click + to add user to specified group, select my AD domain name from list "cannot load the users for the selected domain"
Tried logging in with windows authentication got your error. Not that I expected it to work without adding anyone to a group.
Did you do anything else? Were you able to load users?
Fixed my problem. For others out there using Windows PKI: VMware does not support dhe-rsa, which is the default since 2008 R2 in Windows PKI. Change your capolicy.inf to alternatesignatures=0 (to force v1 or 1.5, I forget, PKCS #1 format). Then reissue all your CA certs, go to each domain controller and renew each certificate. URGH!! VMWARE!!! It's 2015!!! Why do you still only support rsa and not dhe-rsa?
In my case that was an issue related to the date / time.
The SSO service was not starting and caused 400 / 503 errors on the web interfaces (vCenter "503 Service Unavailable (Failed to connect to endpoint)..." and "An error occurred while processing the authentication response from the vCenter Single Sign-On server").
I had to correct the time zone in the admin interface (https on port 5480) and reboot.