Monday, June 17, 2013

vCenter Single Sign On Server (SSO) - How to change an Identity Source Server URL which is using LDAP over SSL (LDAPS)

I recently had an issue where I was getting the following error when logging into vCenter:

A general system error occurred: Authorize Exception

It turns out the SSO Identity Source was trying to connect to Domain Controllers which were powered off. To prevent this from occurring in the future, I wanted to add a physical DC to the config.

Our infrastructure uses LDAP over SSL (LDAPS) so, it required a few additional steps.

1. First, log into the Domain Controller you would like to use as a Server URL for the Identity Source. Then launch MMC (mmc.exe) and add the Certificates snap-in. Select Computer Account and Local Computer. Export the certificate used for Server Authentication.

A. On the Export Private Key screen, select No, do not export the private key.
B. On the Export File Format screen, select Base-64 encoded X.509 (.CER).

2. Using the Web Client, log in with the admin@System-Domain account. Go to Sign-On and Discovery --> Configuration. Right click on the Identity Source and select Edit Identity Source.

3. Enter the appropriate DC info, then select Choose Certificate.
4. Browse to the newly exported .cer file.
5. Select Test Connection.

6. To confirm that the change has taken effect, open the following file on the SSO server:

C:\Program Files\VMware\Infrastructure\SSOServer\webapps\ims\WEB-INF\classes\krb5.conf
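The export and test steps above as a PowerShell script (an added example, not from the original post; the DC name and output path are assumptions). It exports the Local Computer certificate enabled for Server Authentication as Base-64 X.509 without the private key, then performs an LDAPS bind on port 636 that accepts only that exact certificate, so you can confirm the DC really presents the .cer you are about to attach to the Identity Source.

```powershell
# Added example (not from the post). Run on the DC for the export; the LDAPS test
# works from any Windows host that can reach the DC on TCP 636.
$DcFqdn  = 'dc01.example.com'            # assumed DC FQDN (must match the cert CN/SAN)
$OutFile = "$env:TEMP\$DcFqdn.cer"       # assumed output path for the Base-64 .cer

# Step 1 equivalent: pick the Local Computer cert enabled for Server Authentication
# (EKU OID 1.3.6.1.5.5.7.3.1), which is the one the DC presents on LDAPS.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $serverAuthOid -and
                   $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw 'No valid Server Authentication certificate in LocalMachine\My' }

# Steps 1A/1B: write Base-64 encoded X.509 (.CER); RawData never contains the private key.
$pem = "-----BEGIN CERTIFICATE-----`r`n" +
       [Convert]::ToBase64String($cert.RawData, 'InsertLineBreaks') +
       "`r`n-----END CERTIFICATE-----"
Set-Content -Path $OutFile -Value $pem -Encoding Ascii
"Exported {0} (thumbprint {1}, expires {2}) to {3}" -f $cert.Subject, $cert.Thumbprint, $cert.NotAfter, $OutFile

# Step 5 equivalent: LDAPS bind that accepts the server certificate only if it is
# exactly the one just exported (thumbprint pinning), instead of trusting any cert.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$expected = (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $OutFile).Thumbprint
$id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($DcFqdn, 636)
$ldap = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
$ldap.SessionOptions.SecureSocketLayer = $true
$ldap.SessionOptions.VerifyServerCertificate = {
    param($conn, $presented)
    $ok = $presented.GetCertHashString() -eq $expected
    if (-not $ok) { Write-Warning "DC presented unexpected certificate $($presented.GetCertHashString())" }
    return $ok
}
$ldap.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate  # current user's domain creds
try {
    $ldap.Bind()
    "LDAPS bind to $DcFqdn succeeded with the pinned certificate"
} catch {
    throw "LDAPS test to $DcFqdn failed: $($_.Exception.Message)"
} finally {
    $ldap.Dispose()
}
```

If the bind fails with a certificate warning, the DC is presenting a different certificate than the one exported (for example a newer auto-enrolled one), and that is the one to attach to the Identity Source instead.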

 

VMware vCenter - A general system error occurred: Authorize Exception



Last week, one of our datacenters needed maintenance which required all systems to be powered off. Once the maintenance was completed, we began powering up the storage arrays, SQL servers and the physical Domain Controllers. The physical vCenter server was then powered on and the vCenter Server Service and SSO services proceeded to start successfully. However, upon attempting to log into vCenter using my AD account, I received the following error:

Using the web client (https://vCenterServer:9443/vsphere-client/), I logged in using the admin@System-Domain account. I took a look at the Single Sign On (SSO) config and noticed that both Domain Controllers associated with our Active Directory Identity Source were virtual, and neither was powered on. The error was caused by SSO being unable to connect to one of the Domain Controllers listed in the config.

You can also see which servers are used with the Identity Source by looking at the following file on the SSO server:

C:\Program Files\VMware\Infrastructure\SSOServer\webapps\ims\WEB-INF\classes\krb5.conf


To resolve the issue, I disabled Lockdown Mode on the ESXi servers hosting the virtual DCs using the Dell DRAC. I then pointed the vSphere Client directly to the ESXi host to power on the DCs. After confirming both DCs were up, I restarted the vCenter server. I was then able to successfully log in using my domain account.

To prevent this from occurring in the future, I added a physical DC as an Identity Source.