Adding a vCenter Single Sign On Active Directory Identity Source fails with the LDAP error: The server requires binds to turn on integrity checking

Article ID: 305833

Products

VMware vCenter Server

Issue/Introduction

Symptoms:
  • Cannot add a vCenter Single Sign On (SSO) Active Directory Identity Source
  • Adding an Active Directory Single Sign On Identity Source with a Primary Server URL starting with ldap:// or ldaps:// fails
  • Test Connection fails with one of these errors:

    • [LDAP: error code 8 - 00002028: LdapErr: DSID-0C0901FC, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v1db1]

    • simple bind failed


Environment

VMware vCenter Server

Cause

The error is returned by the domain controller, not by vCenter. When the Group Policy setting Domain controller: LDAP server signing requirements is set to Require signing, the domain controller refuses a simple (user name and password) bind on any connection that is not already protected by TLS or by SASL signing, and answers with LDAP result code 8 (strongerAuthRequired) carrying the Active Directory error 00002028. A vCenter Single Sign-On identity source whose Primary Server URL starts with ldap:// performs exactly such a simple bind over a cleartext connection (port 389, or 3268 for the global catalog), so the bind is rejected and Test Connection reports "simple bind failed".

With ldaps:// the connection is TLS-protected and the signing requirement is satisfied, but the test still fails if vCenter cannot validate the domain controller's LDAPS certificate. A certificate that establishes trust for the LDAPS endpoint (the root CA certificate that issued the domain controller's LDAPS certificate) is therefore required whenever ldaps:// is used in the primary or secondary LDAP URL.

Resolution

To resolve this issue:

  1. Log in to the vSphere Client with the vCenter Single Sign-On administrator account (administrator@vsphere.local by default).
  2. Browse to Administration > Single Sign On > Configuration.
  3. Under Identity Provider > Identity Sources, select the identity source and click Edit.
  4. Under Primary server URL (and Secondary server URL, if one is set), change ldap:// to ldaps://. If the URL carries an explicit port, change 389 to 636, or 3268 to 3269 for a global catalog server. Use the domain controller's FQDN as it appears in its LDAPS certificate rather than an IP address.
  5. For Certificates (for LDAPS), click Browse.
  6. Select the .cer file containing the root CA certificate that issued the LDAPS certificate of your AD or OpenLDAP server.
  7. Click Save, then use Test Connection to confirm that the bind now succeeds.
For more information on using an LDAPS Identity Source with vCenter Single Sign-On, see Add or Edit a vCenter Single Sign-On Identity Source.
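The following Python script is an added example and is not part of this article or of any VMware or Microsoft tool. It shows, at the protocol level, the two messages behind the symptoms above: the simple BindRequest that an ldap:// identity source sends (version, bind DN and the password as a cleartext octet string) and the BindResponse a domain controller returns when signing is required (resultCode 8, diagnosticMessage with Active Directory error 00002028). It also rewrites an identity-source URL from ldap:// to ldaps:// with the matching port change from the resolution steps. The BER encoder/decoder, the function names, the bind DN, the password and the server names are hypothetical; the diagnostic string is constructed from the error quoted in the Symptoms section; the 389 to 636 and 3268 to 3269 port mapping is standard LDAP/LDAPS and global catalog port usage.

```python
"""Encode/decode the LDAP bind exchange behind "error code 8 ... 00002028".

Hypothetical BER helpers (not a VMware or Microsoft library); only what the
BindRequest and BindResponse messages need (RFC 4511, X.690).
"""
from urllib.parse import urlsplit, urlunsplit

SEQUENCE = 0x30
INTEGER = 0x02
ENUMERATED = 0x0A
OCTET_STRING = 0x04
BIND_REQUEST = 0x60    # [APPLICATION 0], constructed
BIND_RESPONSE = 0x61   # [APPLICATION 1], constructed
SIMPLE_AUTH = 0x80     # AuthenticationChoice simple [0], primitive (cleartext password)

# RFC 4511 result codes commonly seen when binding to a domain controller.
RESULT_NAMES = {0: "success", 7: "authMethodNotSupported",
                8: "strongerAuthRequired", 49: "invalidCredentials",
                53: "unwillingToPerform"}

# Constructed sample: the diagnosticMessage quoted in the Symptoms section.
AD_SIGNING_DIAG = ("00002028: LdapErr: DSID-0C0901FC, comment: The server requires "
                   "binds to turn on integrity checking if SSL\\TLS are not already "
                   "active on the connection, data 0, v1db1")


def _ber_len(n):
    """Definite-form length: short form below 128 octets, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, value):
    return bytes([tag]) + _ber_len(len(value)) + value


def encode_int(tag, n):
    """Two's-complement INTEGER/ENUMERATED in the minimum number of octets."""
    return tlv(tag, n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True))


def simple_bind_request(msg_id, bind_dn, password):
    """BindRequest with simple authentication: version 3, name, cleartext password."""
    op = (encode_int(INTEGER, 3) + tlv(OCTET_STRING, bind_dn.encode())
          + tlv(SIMPLE_AUTH, password.encode()))
    return tlv(SEQUENCE, encode_int(INTEGER, msg_id) + tlv(BIND_REQUEST, op))


def bind_response(msg_id, result_code, diagnostic, matched_dn=""):
    """BindResponse carrying an LDAPResult: resultCode, matchedDN, diagnosticMessage."""
    op = (encode_int(ENUMERATED, result_code) + tlv(OCTET_STRING, matched_dn.encode())
          + tlv(OCTET_STRING, diagnostic.encode()))
    return tlv(SEQUENCE, encode_int(INTEGER, msg_id) + tlv(BIND_RESPONSE, op))


def parse_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV that starts at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next N octets hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_bind_response(packet):
    tag, msg, _ = parse_tlv(packet)
    if tag != SEQUENCE:
        raise ValueError("not an LDAPMessage")
    _, msg_id, pos = parse_tlv(msg)
    tag, op, _ = parse_tlv(msg, pos)
    if tag != BIND_RESPONSE:
        raise ValueError("protocolOp is not a BindResponse: 0x%02x" % tag)
    _, code, pos = parse_tlv(op)
    _, matched, pos = parse_tlv(op, pos)
    _, diag, _ = parse_tlv(op, pos)
    return {"message_id": int.from_bytes(msg_id, "big", signed=True),
            "result_code": int.from_bytes(code, "big", signed=True),
            "matched_dn": matched.decode(), "diagnostic": diag.decode()}


def explain(result):
    """Map a decoded LDAPResult to the condition and fix described in this article."""
    code = result["result_code"]
    name = RESULT_NAMES.get(code, "unknown")
    if code == 8 and "00002028" in result["diagnostic"]:
        return ("%d %s: the DC requires LDAP signing and this connection is neither "
                "TLS-protected nor SASL-signed; change the identity source URL to "
                "ldaps:// (port 636, or 3269 for the global catalog)" % (code, name))
    return "%d %s: %s" % (code, name, result["diagnostic"] or "no diagnostic")


def ldap_to_ldaps(url):
    """Rewrite an identity-source URL from ldap:// to ldaps://, fixing an explicit port."""
    parts = urlsplit(url)
    if parts.scheme == "ldaps":
        return url
    if parts.scheme != "ldap":
        raise ValueError("not an LDAP URL: " + url)
    netloc = parts.hostname
    if parts.port is not None:
        if parts.port not in (389, 3268):
            raise ValueError("unexpected cleartext LDAP port %d" % parts.port)
        netloc += ":%d" % {389: 636, 3268: 3269}[parts.port]
    return urlunsplit(("ldaps", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    req = simple_bind_request(1, "CN=svc-vcenter,OU=Service,DC=corp,DC=example,DC=com", "hunter2")
    print("BindRequest:", req.hex())        # note the password travels as plain octets
    print(explain(decode_bind_response(bind_response(1, 8, AD_SIGNING_DIAG))))
    print(ldap_to_ldaps("ldap://dc01.corp.example.com:389"))
```

Dumping the BindRequest makes the security point behind the policy visible: a simple bind on ldap:// carries the service account's password as plain octets on the wire, which is exactly why a domain controller set to Require signing refuses it unless TLS (ldaps://) or SASL signing protects the connection. ldap_to_ldaps deliberately rejects unfamiliar cleartext ports rather than guessing a secure counterpart.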



Additional Information

To configure an Active Directory domain for LDAP over SSL (LDAPS), see the Microsoft TechNet article LDAP over SSL (LDAPS) Certificate.

To obtain the trust certificate for use with SSO, see the Exporting the LDAPS Certificate and Importing for use with AD DS section of LDAP over SSL (LDAPS) Certificate.