I need the lightbulb emoticon! So after almost 20 years in IT I should know that when things break after changing a password I should be suspicious of where those creds might be hidden.
So if I logon to the web client as the SSO admin admin@System-Domain and go to Administration > SSO > Configuration and click edit the AD Identity source, my elevated domain account which I changed my password this morning is in that dialog. I was told by vmware tech support on a ticket last month that those credentials were only used on the first connection to ldap.. how wrong he was. It looks like I need to use an account who's password does not change every 90 days! Putting my new password into that field makes vcenter work just fine with domain accounts!! I don't think rejoining the domain would make any difference.
SSO does indeed play a part in client connectivity.
Ron