Environment
vCenter Server (VMCA certificates, embedded PSC)
Issue
We experienced persistent authentication-related issues in vCenter:
- VM creation failed with:
  A general system error occurred: PBM error occurred during PreCreateCheckCallback
  pbm.fault.InvalidLogin
- Logs showed:
  AcquireToken exception: InvalidCredentials
  vim.fault.InvalidLogin
- Storage Policy Service (SPS) errors:
  Login to PBM failed
- Additionally, after some time:
  https://<vcenter>/lookupservice/sdk became inaccessible
Behavior
- Restarting services (vmware-vpxd, vmware-sps) temporarily resolved the issue
- However, the problem reappeared after a few hours
Troubleshooting Steps
- Identified NTP synchronization issues initially
- Verified certificates (no expiration issues)
- Ran LSDoctor → no issues detected
- Restarted services → only temporary improvement
Root Cause
After fixing NTP, the issue persisted.
Using vCert, we identified:
com.vmware.vsan.health (Machine SSL) → MISMATCH
This indicated that the vsan-health extension was registered with an incorrect certificate thumbprint.
Even though vSAN was not actively used, this service is still part of the vCenter internal trust chain.
Resolution
We resolved the issue by:
- Fixing NTP synchronization (critical first step)
- Running vCert:
  Option 6 – Reset all certificates with VMCA-signed certificates
- Regenerating Machine SSL and Solution User certificates
- Updating extension thumbprints
- Restarting all VMware services
- Not replacing STS signing certificate (not required)
Result
After the fix:
- com.vmware.vsan.health → MATCHES
- PBM errors disappeared
- SPS login failures stopped
- Lookup service remained stable
- No recurrence after several hours
Key Takeaway
This issue was caused by a combination of NTP drift and certificate trust mismatch:
Recommendation
If you see:
Check BOTH:
- NTP synchronization
- Extension certificate thumbprints (especially vsan.health)
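The thumbprint comparison vCert reports as MATCHES/MISMATCH is simply: SHA-1 over the DER bytes of the current Machine SSL certificate, compared with the thumbprint each extension recorded when it registered. The following script is an added illustration of that check, not code from the post or from vCert. It assumes you have already copied the registered thumbprints out of vCenter (for example from the extension manager listing) into a dictionary; the certificate bytes, the extension keys other than com.vmware.vsan.health, and the stale value are constructed sample data, and `fetch_machine_ssl_der` is provided only for use against a live vCenter and is not exercised by the offline sample.

```python
import hashlib
import ssl
from typing import Dict, List

# Constructed stand-in for a DER-encoded Machine SSL certificate. It is NOT a
# real certificate: a thumbprint is just SHA-1 over the DER bytes, so any byte
# string exercises the same comparison logic.
MACHINE_SSL_DER = b"\x30\x82\x01\x00" + bytes(range(256))


def thumbprint(der: bytes) -> str:
    """SHA-1 thumbprint in the colon-separated upper-case form vCenter displays."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(tp: str) -> str:
    """Strip separators and case so thumbprints copied from different tools compare equal."""
    return tp.replace(":", "").replace(" ", "").upper()


def fetch_machine_ssl_der(host: str, port: int = 443) -> bytes:
    """Fetch the live Machine SSL certificate from a vCenter (network; unused offline)."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


def check_extensions(registered: Dict[str, str], live_der: bytes) -> Dict[str, str]:
    """Report MATCHES/MISMATCH for each extension's recorded thumbprint."""
    live = normalize(thumbprint(live_der))
    return {
        key: ("MATCHES" if normalize(tp) == live else "MISMATCH")
        for key, tp in registered.items()
    }


def mismatches(registered: Dict[str, str], live_der: bytes) -> List[str]:
    """Extension keys whose recorded thumbprint no longer matches the Machine SSL cert."""
    return sorted(k for k, v in check_extensions(registered, live_der).items() if v == "MISMATCH")


# Constructed sample of registered thumbprints. Two entries hold the current
# value (one in lower case, as some tools print it); the vsan-health entry
# deliberately carries a stale value, reproducing the symptom from the post.
_current = thumbprint(MACHINE_SSL_DER)
_stale = _current[:-2] + ("00" if _current[-2:] != "00" else "11")
REGISTERED = {
    "com.vmware.vim.sms": _current,           # sample key, assumed for illustration
    "com.vmware.vim.eam": _current.lower(),   # sample key, assumed for illustration
    "com.vmware.vsan.health": _stale,         # the extension named in the post
}

if __name__ == "__main__":
    for key, status in check_extensions(REGISTERED, MACHINE_SSL_DER).items():
        print(f"{key:28s} {status}")
```

Against a real vCenter you would replace `MACHINE_SSL_DER` with `fetch_machine_ssl_der("<vcenter>")` and fill `REGISTERED` from the extension manager; any key reported as MISMATCH is a candidate for the thumbprint update described in the Resolution section. The normalization step matters in practice because thumbprints are copied between tools that differ in case and colon usage, and a false MISMATCH from formatting alone would send you down the wrong path.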
-------------------------------------------