AD authentication stopped working. Local authentication with root credentials or administrator@host.domain.local works fine.
When I try to log in to the web console with correct credentials (credentials checked on another system), I get an "Invalid credentials" error.
In /var/log/vmware/sso/websso.log I see:
[2018-11-16T08:10:50.120Z tomcat-http--28 6c431785-2cde-4a7e-b363-0a2660562648 ERROR com.vmware.identity.samlservice.AuthnRequestState] Caught Saml Service Exception from authenticate com.vmware.identity.samlservice.SamlServiceException
[2018-11-16T08:10:50.121Z tomcat-http--28 6c431785-2cde-4a7e-b363-0a2660562648 ERROR com.vmware.identity.BaseSsoController] Sending error to browser. ERROR: [401, Неверное имя пользователя или пароль], message
Tried to leave and re-join the domain following the instructions in "After upgrade to 6.5 update 1 broken AD authentication", but the problem persists.
AD authentication is chosen as the default authentication provider.
Why is AD authentication not working? How do I repair it?
So, the problem was trivial.
I noticed "Clock skew too great" in /var/log/messages. I checked the time with the help of the "date" command and found that it was incorrect.
After that I discovered that the vCenter VM syncs its time from the server on which it is hosted. I disabled time sync in Edit Settings > VM Options > VMware Tools > Time > Synchronize guest time with host.
After that I set the correct time with the help of the date -s "HH:MM:SS" command.
Now the server accepts AD credentials.
Keep in mind that the clock may be set to UTC (Greenwich Mean Time), not your local time zone.
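The fix above comes down to the Kerberos clock-skew limit: a domain controller rejects tickets from a client whose clock is more than 300 seconds (the default tolerance) off its own. The following is an added example, not code from this thread, that checks a log for the skew message and compares the local clock against a reference epoch you supply from a trusted source (NTP server or domain controller; the sample log line and the reference value are constructed):

```shell
#!/bin/sh
# Added example: detect Kerberos clock skew on a VCSA before AD logins fail.
# Kerberos default maximum tolerated clock skew, in seconds (krb5 and AD both use 5 min).
KRB_MAX_SKEW=300

# skew_seconds LOCAL_EPOCH REF_EPOCH -> prints the absolute difference in seconds
skew_seconds() {
    d=$(( $1 - $2 ))
    if [ "$d" -lt 0 ]; then d=$(( -d )); fi
    echo "$d"
}

# skew_ok LOCAL_EPOCH REF_EPOCH -> exit 0 if within Kerberos tolerance, 1 otherwise
skew_ok() {
    [ "$(skew_seconds "$1" "$2")" -le "$KRB_MAX_SKEW" ]
}

# log_has_skew FILE -> exit 0 if the log already reports a Kerberos skew error
log_has_skew() {
    grep -q "Clock skew too great" "$1"
}

# Constructed stand-in for /var/log/messages (process name is a placeholder).
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Nov 16 08:10:50 vcsa someservice[1234]: Clock skew too great
EOF

# check_host [REF_EPOCH]: compare this machine's UTC clock with a reference epoch.
# Obtain REF_EPOCH from a trusted time source; with no argument the local clock is
# assumed to be the reference, which only exercises the logic.
check_host() {
    now=$(date -u +%s)
    ref=${1:-$now}
    echo "local=$now reference=$ref skew=$(skew_seconds "$now" "$ref")s"
    if skew_ok "$now" "$ref"; then
        echo "within Kerberos tolerance"
    else
        echo "EXCEEDS tolerance: AD logins will be rejected until the clock is fixed"
    fi
    if log_has_skew "$SAMPLE_LOG"; then
        echo "log already shows 'Clock skew too great'"
    fi
}

check_host "$@"
```

Run it with the epoch from a trusted source as the argument (for example the output of `date -u +%s` on a domain controller) to see the actual skew of the appliance.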
Is the VCSA FQDN resolving successfully? What is your Domain Functional Level?
vCenter 6.5 doesn't support Windows Server 2016 (VMware Knowledge Base).
Domain and forest functional levels are both 2008 R2
Actually, authentication worked fine until last Friday. Then, without any reason, it stopped working.
The VCSA FQDN is resolving successfully by DNS. But we have an alias: both srv-vc02 and srv-vc04 resolve to the same IP, but srv-vc02 is an A record and srv-vc04 is an alias.
Maybe there is another log I can check?