Specify admin@system-domain for the field 'vCenter Server administrator recognized by vCenter Single Sign-On' during vCenter Server Installation to get ride of the 'wrong input....' error.
By default this field will select the Local Administrators group. Don't select that change it to admin@system-domain and Uncheck the check box.
Login to the WebClient using the same SSO Admin Account ie.admin@system-domain --> Administration --> Sign-On Discovery --> Configuration --> Add Identity Source (if LDAP Source is not already). If LDAP connection is existing edit and verify the Base DN Details. You would need to specify it as CN=XYZUsers,DC=domain,DC=net. Also Test the Connection using an account which has admin access to the AD.
Hope this clarifies in detail.