Adding a vCenter Single Sign On Active Directory Identity Source fails with the LDAP error: The server requires binds to turn on integrity checking
Article ID: 305833
Updated On:
Products
VMware vCenter Server
Issue/Introduction
Symptoms:
- Cannot add a vCenter Single Sign On (SSO) Active Directory Identity Source
- Adding an Active Directory Single Sign On Identity Source with a Primary Server URL starting with
ldap://orldaps://fails - Test Connection fails with one of these errors:
[LDAP: error code 8 - 00002028: LdapErr: DSID-0C0901FC, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v1db1]
simple bind failed
Environment
VMware vCenter Server 5.1.x
Cause
This issue occurs if the Active Directory Domain is configured with a Group Policy that requires all LDAP connections to be secured with SSL (ldaps required) and the Domain controller: LDAP server signing requirements policy is set to
A certificate that establishes trust for the LDAPS endpoint of the Active Directory server is required when you use
Require signing.A certificate that establishes trust for the LDAPS endpoint of the Active Directory server is required when you use
ldaps:// in the primary or secondary LDAP URL.Resolution
To resolve this issue:
- Log in to the vSphere Web Client using the
Admin@System-Domaincredentials. - Browse to Administration > Sign-On and Discovery > Configuration in the vSphere Web Client.
- Open the Edit Identity Source by right-clicking on the dialog of the Identity Source you want to edit.
- Change the URL from
ldap://...toldaps://.... - Click Choose Certificate.
- Select the correct
.cerRoot CA certificate of your AD/OpenLdap Identity Source. - Click Test Connection.
- Click OK.
For more information on using a LDAPS Identity Source with vCenter Single Sign-On, see Configuring a vCenter Single Sign-On 5.1 Identity Source using LDAP with SSL (LDAPS) (2041378).
Additional Information
To Configure an Active Directory Domain for LDAP over SSL (LDAPS), see the Microsoft TechNet article LDAP over SSL (LDAPS) Certificate.
To obtain the trust certificate for use with SSO, see the Exporting the LDAPS Certificate and Importing for use with AD DS section of LDAP over SSL (LDAPS) Certificate.
Note: The preceding links were correct as of November 21, 2012. If you find a link is broken, provide feedback and a VMware employee will update the link.
Configuring a vCenter Single Sign-On 5.1 Identity Source using LDAP with SSL (LDAPS)
vCenter Single Sign On Active Directory ID ソースの追加が LDAP エラー [The server requires binds to turn on integrity checking] で失敗する
添加 vCenter Single Sign On Active Directory 标识源失败,并出现“服务器需使用绑定才能打开完整性检查”LDAP 错误
To obtain the trust certificate for use with SSO, see the Exporting the LDAPS Certificate and Importing for use with AD DS section of LDAP over SSL (LDAPS) Certificate.
Note: The preceding links were correct as of November 21, 2012. If you find a link is broken, provide feedback and a VMware employee will update the link.
Configuring a vCenter Single Sign-On 5.1 Identity Source using LDAP with SSL (LDAPS)
vCenter Single Sign On Active Directory ID ソースの追加が LDAP エラー [The server requires binds to turn on integrity checking] で失敗する
添加 vCenter Single Sign On Active Directory 标识源失败,并出现“服务器需使用绑定才能打开完整性检查”LDAP 错误
Feedback
Yes
No
Powered by
