Daniel, This is the pertinent bit from the idp-process log with the LDAP logging set to trace. The pattern below — hostname verification succeeds, then the bind fails with LDAP error code 49 (data 52e) — is repeated through all of the DCs in the pool until it gives up… 11:29:53.067 - DEBUG [edu.vt.middleware.ldap.ssl.DefaultHostnameVerifier:202] - verifyDNS using subjectAltNames = [ad.ucop.edu, domain-controler-dc01, domain-controler-dc01.ucop.edu, domain-controler-dc02, domain-controler-dc02.ucop.edu, domain-controler-dc03, domain-controler-dc03.ucop.edu, domain-controler-dc04, domain-controler-dc04.ucop.edu, domain-controler-dc05, domain-controler-dc05.ucop.edu, domain-controler-dc06, domain-controler-dc06.ucop.edu, domain-controler-dc07, domain-controler-dc07.ucop.edu, domain-controler-dc08, domain-controler-dc08.ucop.edu, domain-controler-dc09] 11:29:53.068 - DEBUG [edu.vt.middleware.ldap.ssl.DefaultHostnameVerifier:210] - verifyDNS found hostname match: domain-controler-dc01 11:29:53.068 - DEBUG [edu.vt.middleware.ldap.ssl.AggregateTrustManager:90] - invoking getAcceptedIssuers invoked for sun.security.ssl.X509TrustManagerImpl@28700e5a 11:29:53.069 - DEBUG [edu.vt.middleware.ldap.ssl.AggregateTrustManager:90] - invoking getAcceptedIssuers invoked for edu.vt.middleware.ldap.ssl.HostnameVerifyingTrustManager@4abd124 11:29:53.208 - DEBUG [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:163] - Error connecting to LDAP URL: ldaps://domain-controler-dc01:3269 javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903CF, comment: AcceptSecurityContext error, data 52e, v2580^@] at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3135) ~[na:1.8.0_40] at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3081) ~[na:1.8.0_40] at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2883) ~[na:1.8.0_40] at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2797) ~[na:1.8.0_40] at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319) ~[na:1.8.0_40] at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192) 
~[na:1.8.0_40] at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210) ~[na:1.8.0_40] at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153) ~[na:1.8.0_40] at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83) ~[na:1.8.0_40] at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684) ~[na:1.8.0_40] at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313) ~[na:1.8.0_40] at javax.naming.InitialContext.init(InitialContext.java:244) ~[na:1.8.0_40] at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154) ~[na:1.8.0_40] at edu.vt.middleware.ldap.handler.DefaultConnectionHandler.connectInternal(DefaultConnectionHandler.java:134) ~[vt-ldap-3.3.9.jar:na] at edu.vt.middleware.ldap.handler.AbstractConnectionHandler.connect(AbstractConnectionHandler.java:156) ~[vt-ldap-3.3.9.jar:na] at edu.vt.middleware.ldap.auth.handler.BindAuthenticationHandler.authenticate(BindAuthenticationHandler.java:53) [vt-ldap-3.3.9.jar:na] at edu.vt.middleware.ldap.auth.AbstractAuthenticator.authenticateAndAuthorize(AbstractAuthenticator.java:174) [vt-ldap-3.3.9.jar:na] at edu.vt.middleware.ldap.jaas.JaasAuthenticator.authenticate(JaasAuthenticator.java:74) [vt-ldap-3.3.9.jar:na] at edu.vt.middleware.ldap.auth.Authenticator.authenticate(Authenticator.java:320) [vt-ldap-3.3.9.jar:na] at edu.vt.middleware.ldap.auth.Authenticator.authenticate(Authenticator.java:277) [vt-ldap-3.3.9.jar:na] at edu.vt.middleware.ldap.jaas.JaasAuthenticator.authenticate(JaasAuthenticator.java:60) [vt-ldap-3.3.9.jar:na] at edu.vt.middleware.ldap.jaas.LdapLoginModule.login(LdapLoginModule.java:103) [vt-ldap-3.3.9.jar:na] at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.8.0_40] at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[na:1.8.0_40] at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.8.0_40] at 
java.lang.reflect.Method.invoke(Method.java:497) ~[na:1.8.0_40] at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755) [na:1.8.0_40] at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195) [na:1.8.0_40] at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682) [na:1.8.0_40] at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680) [na:1.8.0_40] at java.security.AccessController.doPrivileged(Native Method) [na:1.8.0_40] at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680) [na:1.8.0_40] at javax.security.auth.login.LoginContext.login(LoginContext.java:587) [na:1.8.0_40] at edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginServlet.authenticateUser(UsernamePasswordLoginServlet.java:177) [shibboleth-identityprovider-2.4.4.jar:na] at edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginServlet.service(UsernamePasswordLoginServlet.java:123) [shibboleth-identityprovider-2.4.4.jar:na] at javax.servlet.http.HttpServlet.service(HttpServlet.java:729) [servlet-api.jar:na] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:291) [catalina.jar:8.0.21] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:8.0.21] at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52) [tomcat-websocket.jar:8.0.21] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239) [catalina.jar:8.0.21] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:8.0.21] at edu.internet2.middleware.shibboleth.idp.util.NoCacheFilter.doFilter(NoCacheFilter.java:50) [shibboleth-identityprovider-2.4.4.jar:na] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239) [catalina.jar:8.0.21] at 
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:8.0.21] at edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter.doFilter(IdPSessionFilter.java:87) [shibboleth-identityprovider-2.4.4.jar:na] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239) [catalina.jar:8.0.21] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:8.0.21] at ch.qos.logback.classic.helpers.MDCInsertingServletFilter.doFilter(MDCInsertingServletFilter.java:51) [logback-classic-1.0.11.jar:na] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239) [catalina.jar:8.0.21] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239) [catalina.jar:8.0.21] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:8.0.21] at ch.qos.logback.classic.helpers.MDCInsertingServletFilter.doFilter(MDCInsertingServletFilter.java:51) [logback-classic-1.0.11.jar:na] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239) [catalina.jar:8.0.21] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:8.0.21] at edu.internet2.middleware.shibboleth.common.log.SLF4JMDCCleanupFilter.doFilter(SLF4JMDCCleanupFilter.java:52) [shibboleth-common-1.4.4.jar:na] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239) [catalina.jar:8.0.21] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:8.0.21] at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:203) [catalina.jar:8.0.21] at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106) [catalina.jar:8.0.21] at 
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502) [catalina.jar:8.0.21] at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:142) [catalina.jar:8.0.21] at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79) [catalina.jar:8.0.21] at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:610) [catalina.jar:8.0.21] at org.apache.catalina.valves.RemoteIpValve.invoke(RemoteIpValve.java:673) [catalina.jar:8.0.21] at org.apache.catalina.valves.RemoteIpValve.invoke(RemoteIpValve.java:673) [catalina.jar:8.0.21] at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88) [catalina.jar:8.0.21] at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:518) [catalina.jar:8.0.21] at org.apache.coyote.ajp.AbstractAjpProcessor.process(AbstractAjpProcessor.java:844) [tomcat-coyote.jar:8.0.21] at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:668) [tomcat-coyote.jar:8.0.21] at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1517) [tomcat-coyote.jar:8.0.21] at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1474) [tomcat-coyote.jar:8.0.21] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [na:1.8.0_40] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [na:1.8.0_40] at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-util.jar:8.0.21] at java.lang.Thread.run(Thread.java:745) [na:1.8.0_40] 11:29:53.209 - TRACE [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:152] - {1} Attempting connection to ldaps://domain-controler-dc02:3269 for strategy ACTIVE_PASSIVE 11:29:53.210 - DEBUG [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:74] - Bind with the following parameters: 11:29:53.210 - DEBUG 
[edu.vt.middleware.ldap.handler.DefaultConnectionHandler:75] - authtype = simple 11:29:53.211 - DEBUG [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:76] - dn = CN=User Name,OU=Users,dc=ucop,dc=edu 11:29:53.211 - DEBUG [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:83] - credential = 11:29:53.211 - TRACE [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:87] - env = {java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.provider.url=ldaps://domain-controler-dc02:3269, com.sun.jndi.ldap.connect.timeout=1000, java.naming.security.protocol=ssl} 11:29:53.214 - DEBUG [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:128] - Set hostname verifier for ldaps 11:29:53.245 - DEBUG [edu.vt.middleware.ldap.ssl.AggregateTrustManager:75] - invoking checkServerTrusted for sun.security.ssl.X509TrustManagerImpl@7d529869 11:29:53.248 - DEBUG [edu.vt.middleware.ldap.ssl.AggregateTrustManager:75] - invoking checkServerTrusted for edu.vt.middleware.ldap.ssl.HostnameVerifyingTrustManager@477600d6 11:29:53.248 - DEBUG [edu.vt.middleware.ldap.ssl.DefaultHostnameVerifier:127] - Verify with the following parameters: 11:29:53.248 - DEBUG [edu.vt.middleware.ldap.ssl.DefaultHostnameVerifier:128] - hostname = domain-controler-dc02 11:29:53.249 - DEBUG [edu.vt.middleware.ldap.ssl.DefaultHostnameVerifier:129] - cert = CN=ucop.edu, OU=ITS, O=University of California Office of the President, STREET=1111 Franklin Street, L=Oakland, ST=CA, OID.2.5.4.17=94607, C=US 11:29:53.250 - DEBUG [edu.vt.middleware.ldap.ssl.DefaultHostnameVerifier:202] - verifyDNS using subjectAltNames = [ad.ucop.edu, domain-controler-dc01, domain-controler-dc01.ucop.edu, domain-controler-dc02, domain-controler-dc02.ucop.edu, domain-controler-dc03, domain-controler-dc03.ucop.edu, domain-controler-dc04, domain-controler-dc04.ucop.edu, domain-controler-dc05, domain-controler-dc05.ucop.edu, domain-controler-dc06, domain-controler-dc06.ucop.edu, domain-controler-dc07, 
domain-controler-dc07.ucop.edu, domain-controler-dc08, domain-controler-dc08.ucop.edu, domain-controler-dc09] 11:29:53.250 - DEBUG [edu.vt.middleware.ldap.ssl.DefaultHostnameVerifier:210] - verifyDNS found hostname match: domain-controler-dc02 11:29:53.251 - DEBUG [edu.vt.middleware.ldap.ssl.AggregateTrustManager:90] - invoking getAcceptedIssuers invoked for sun.security.ssl.X509TrustManagerImpl@7d529869 11:29:53.252 - DEBUG [edu.vt.middleware.ldap.ssl.AggregateTrustManager:90] - invoking getAcceptedIssuers invoked for edu.vt.middleware.ldap.ssl.HostnameVerifyingTrustManager@477600d6 11:29:53.321 - DEBUG [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:163] - Error connecting to LDAP URL: ldaps://domain-controler-dc02:3269 javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903CF, comment: AcceptSecurityContext error, data 52e, v2580^@} … 11:29:53.823 - TRACE [edu.vt.middleware.ldap.jaas.LdapLoginModule:264] - Begin abort 11:30:08.131 - TRACE [edu.vt.middleware.ldap.pool.BlockingLdapPool:103] - waiting on pool lock for check out 0 11:30:08.132 - TRACE [edu.vt.middleware.ldap.pool.BlockingLdapPool:114] - retrieve available ldap object 11:30:08.132 - TRACE [edu.vt.middleware.ldap.pool.BlockingLdapPool:209] - waiting on pool lock for retrieve available 0 11:30:08.132 - TRACE [edu.vt.middleware.ldap.pool.BlockingLdapPool:219] - retrieved available ldap object: edu.vt.middleware.ldap.Ldap@1292755449::config=edu.vt.middleware.ldap.LdapConfig@1625486953::env={java.naming.provider.url=ldaps://domain-controller-dc01.ucop.edu:3269 ldaps://domain-controller-dc02.ucop.edu:3269 ldaps://domain-controller-dc03.ucop.edu:3269 ldaps://domain-controller-dc04.ucop.edu:3269 ldaps://domain-controller-dc05.ucop.edu:3269, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.referral=follow} 11:30:08.132 - TRACE [edu.vt.middleware.ldap.pool.DefaultLdapFactory:127] - no activator configured 11:30:08.133 - TRACE 
[edu.vt.middleware.ldap.pool.DefaultLdapFactory:146] - no passivator configured 11:30:08.133 - TRACE [edu.vt.middleware.ldap.pool.BlockingLdapPool:297] - waiting on pool lock for check in 0 11:30:08.133 - TRACE [edu.vt.middleware.ldap.pool.BlockingLdapPool:306] - returned active ldap object: edu.vt.middleware.ldap.Ldap@1292755449::config=edu.vt.middleware.ldap.LdapConfig@1625486953::env={java.naming.provider.url=ldaps://p-irc-dc01.ucop.edu:3269 ldaps://domain-controller-dc02.ucop.edu:3269 ldaps://domain-controller-dc03.ucop.edu:3269 ldaps://domain-controller-dc04.ucop.edu:3269 ldaps://domain-controller-dc05.ucop.edu:3269, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.referral=follow}