Strange issue: We are unable to log into the VCSA using domain accts from one child domain, but can from another child domain. Here is what we have component/information wise:
- VCSA 6.7 U3F (embedded PSC)
- ESXi 6.7 (latest patches)
- Multi Domain Forest. VCSA nodes will are part of Domain "A"
- DNS forward/reverse records created
- NTP servers are the same device (no time skew) between site DCs and VCSA nodes
- Identity source configured to Integrated Windows Auth - set with Domain "A" but of course resolves to the Forest Domain/Alias - Trusts are all in place and working
- Smart Card access configured / Username and PW still enabled until complete
- Accounts/permissions are correctly added to vCenter
- Have a Production VCSA 6.5 environment (External PSC) in Domain "A" that is having no issues with logon
- Domain "A" functional level is 2012r2, Domain "B" functional level is 2012r2
When attempting to login the vCenter, using accounts from Domain "A", we receiving the following error/s:
- When using username/password we receive "Invalid Credentials"
- When attempting to log in using Smart Card, we receive "  An error occurred while processing the authentication response from the vCenter Single Sign-On server. Details: Status: urn:oasis:names:tc:SAML:2.0:status:Responder, sub status: urn:oasis:names:tc:SAML:2.0:status:Null"
When attempting to log in, using above parameters, with domain accounts from Domain "B" we have no issues at all. Domain "B" accounts log in correctly.
As mentioned above, the Domain Trusts are all in place and working as this is a production environment. We currently have a VCSA 6.5 U3 environment running in the same configuration (except for the External PSC piece), and can log on with accounts from Domain "A", Domain "B", or any of the other domains in the forest. Looking in the websso.log file, I can see errors about Native Platform No EPIPE, and some other errors related to dead DNS records for off site DCs that have been Decom'd. Running packet traces I can confirm that it is talking to the closest DCs (our site), I see SMB2 traffic, but I noticed that for the Domain "A" NBNS queries, those packets are showing Workstation/Redirector. When logging in with Domain "B" accounts, those same NBNS queries are resolving the names of all the site DCs and show as Domain Controller in the packet. I have confirmed that DNS (forward/reverse) is working from the VCSA and can ping/resolve site DCs in Domain "A". We have confirmed NTP, we have removed the nodes from the domain and rejoined (both GUI and CLI). Once logged into the VCSA (using local OS or Domain "B" accounts), we see all the trusted domains and can add accounts from all the trusted domains, to include Domain "A", to SSO groups.
We have a ticket open with VMware, but I can not supply logs from this network. Has anyone run into an issues like this? We have tried/verified all the VMware KB "can't log in with Active directory accounts" articles, but still unable to log in with accounts from the one child domain - Domain "A"
Thoughts, help, crazy ideas?