Choosing the AD domain to list domain users under SSO Users & Groups fails with the error “Error while extracting local SSO users” in vCenter Server 6.x

Today I ran into an interesting issue in a customer's environment. The customer had joined the vCenter Server Appliance to an AD domain as a member, and had then added that domain as an identity source using Integrated Windows Authentication.


When navigating to Users and Groups under the SSO configuration and selecting the domain (ritesh.local in this case), we got the error “Error while extracting local SSO users”. None of the domain users were listed.




The appliance was correctly joined to the domain, yet we still hit the error above.

The customer had multiple domain controllers configured in the environment.


The vSphere Web Client (virgo) logs showed the following errors.

Path: /var/log/vmware/vsphere-client/logs


[INFO ] http-bio-9090-exec-9         70000134 100002 200002 org.springframework.flex.servlet.MessageBrokerHandlerAdapter      Channel endpoint ds-core-amf received request.
[ERROR] data-service-pool-356        70000134 100002 200002 c.v.vsphere.client.sso.admin.impl.PrincipalManagementServiceImpl  PrincipalManagementServiceImpl.findUsers com.vmware.vim.binding.sso.fault.InternalFault: Idm client exception: Failed to establish server connection
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingCo


The IDM (vmware-sts-idmd) logs showed the following warnings, one per domain controller the service tried to bind to.

Path: /var/log/vmware/sso


vsphere.local        ab63da3a-b981-4756-9273-b478e186e84c WARN ] [ServerUtils] cannot bind connection: [ldap://ad1.ritesh.local null]
vsphere.local        ab63da3a-b981-4756-9273-b478e186e84c WARN ] [ServerUtils] cannot bind connection: [ldap://ad2.ritesh.local, null]
vsphere.local        27120fa0-e90b-409a-925b-e26a45ba7e53 WARN ] [ServerUtils] cannot bind connection: [ldap:/ad1.ritesh.local, null]
vsphere.local        27120fa0-e90b-409a-925b-e26a45ba7e53 WARN ] [ServerUtils] cannot bind connection: [ldap://ad4.ritesh.local, null]


We pinged several of the domain controllers from the appliance to confirm they were reachable; all of them answered.

We then ran nslookup against each domain controller in turn. The forward lookup zone resolved correctly, but the reverse lookup did not return the expected result.


For example, a forward lookup of a domain controller,

nslookup ad01.ritesh.local

returned the expected address. But the reverse lookup (nslookup against that IP address) came back with a different FQDN, for example ad01.vsphere.ritesh.local.


That was the catch: the bind from the appliance to a domain controller generally fails when the reverse lookup zone for the DCs is not configured correctly in DNS, or when the pointer (PTR) record is missing or points at the wrong name. The identity service resolves the DC's address back to a host name before binding, so a PTR that answers with ad01.vsphere.ritesh.local instead of ad01.ritesh.local leaves it trying to authenticate against a name the DC does not serve, and the connection is never established. Reachability (ping) and forward resolution alone do not prove the name is usable for an Integrated Windows Authentication bind; check the reverse record as well.

To isolate the issue we added an entry for each domain controller, IP address followed by its FQDN, to /etc/hosts on the appliance; the resolver consults that file before DNS for both forward and reverse lookups. As soon as the file was saved, the domain users were listed. Treat this as a workaround only: entries in /etc/hosts bypass DNS and will silently go stale if a DC's address ever changes.
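The check described above, as an added example that is not part of the original post or of any VMware tooling: pull the DC names out of the IDM "cannot bind connection" warnings, confirm for each that the forward (A) and reverse (PTR) answers name the same host, and print the /etc/hosts line to use as the temporary workaround when they disagree. The function names, the log file name vmware-sts-idmd.log and the sample log lines are assumptions; the live checks rely on getent being present on the appliance.

```shell
#!/bin/sh
# Added example (not from the original post): check each domain controller's
# forward and reverse DNS from the appliance, and print the /etc/hosts line to
# use as a workaround when the PTR disagrees with the forward name.
# Function names, the log file name and the sample log text are assumptions.

# failed_dcs: read IDM log text on stdin and print the unique host names from
# "cannot bind connection: [ldap://HOST, null]" warnings (ldap or ldaps, one or
# two slashes, host terminated by ',', ' ', '/' or ']').
failed_dcs() {
  sed -n 's|.*cannot bind connection: \[ldaps\{0,1\}:/\{1,2\}\([^],/ ]*\).*|\1|p' | sort -u
}

# fwd_lookup FQDN: first IPv4 address the resolver returns (/etc/hosts, then DNS).
fwd_lookup() { getent ahostsv4 "$1" | awk 'NR==1 {print $1}'; }

# rev_lookup IP: canonical name from the PTR record (or /etc/hosts).
rev_lookup() { getent hosts "$1" | awk '{print $2}'; }

# ptr_matches FQDN PTRNAME: success when the reverse answer names the same host,
# ignoring case and a trailing dot; fails when the PTR is missing or differs.
ptr_matches() {
  _a=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//')
  _b=$(printf '%s' "$2" | tr 'A-Z' 'a-z' | sed 's/\.$//')
  [ -n "$_a" ] && [ "$_a" = "$_b" ]
}

# hosts_entry IP FQDN: the /etc/hosts line for the workaround (IP, FQDN, short name).
hosts_entry() {
  printf '%s\t%s\t%s' "$1" "$2" "${2%%.*}"
}

# check_dc FQDN: live check against the resolver; returns 1 on a PTR mismatch,
# 2 when the name does not resolve at all.
check_dc() {
  _ip=$(fwd_lookup "$1")
  if [ -z "$_ip" ]; then
    echo "NOADDR   $1: forward lookup returned nothing"
    return 2
  fi
  _ptr=$(rev_lookup "$_ip")
  if ptr_matches "$1" "$_ptr"; then
    echo "OK       $1 -> $_ip -> $_ptr"
  else
    echo "MISMATCH $1 -> $_ip -> ${_ptr:-<no PTR>}"
    echo "         workaround line for /etc/hosts: $(hosts_entry "$_ip" "$1")"
    return 1
  fi
}

# Constructed sample, modelled on the warnings quoted above (IDs shortened).
SAMPLE_IDM_LOG='vsphere.local ab63da3a WARN ] [ServerUtils] cannot bind connection: [ldap://ad1.ritesh.local null]
vsphere.local ab63da3a WARN ] [ServerUtils] cannot bind connection: [ldap://ad2.ritesh.local, null]
vsphere.local 27120fa0 WARN ] [ServerUtils] cannot bind connection: [ldap:/ad1.ritesh.local, null]
vsphere.local 27120fa0 WARN ] [ServerUtils] cannot bind connection: [ldap://ad4.ritesh.local, null]'

# Usage on the appliance (assumed log file name):
#   failed_dcs < /var/log/vmware/sso/vmware-sts-idmd.log | xargs sh dccheck.sh
#   sh dccheck.sh ad1.ritesh.local ad2.ritesh.local
# With no arguments, list the DCs found in the sample log instead.
if [ $# -gt 0 ]; then
  _rc=0
  for _dc in "$@"; do check_dc "$_dc" || _rc=1; done
  exit $_rc
else
  printf '%s\n' "$SAMPLE_IDM_LOG" | failed_dcs
fi
```

The comparison in ptr_matches is deliberately strict: a PTR that answers with a name in a different zone (ad01.vsphere.ritesh.local for ad01.ritesh.local) is reported as a mismatch even though both names may resolve, because that is exactly the case that broke the bind here. The script exits non-zero when any DC fails, so it can sit in a pre-check before adding or repairing an identity source.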


We advised the customer to get in touch with their internal DNS team to correct the PTR records for the domain controllers, and to remove the /etc/hosts entries once DNS is fixed.

Hope this article was helpful. Watch out for more.




Ritesh Shenoy
Hey, my name is Ritesh Shenoy and I work as a Tech Support Engineer for VMware. I had the idea of blogging about the tasks I face on a daily basis, which would ideally help others in their daily work.
