Impact of 2020 LDAP Channel Binding and LDAP Signing requirement for Microsoft Windows in vCenter Server

Article ID: 309018

Updated On:

Products

VMware vCenter Server

Issue/Introduction

Microsoft released a security update through Windows Update to enable LDAP channel binding and LDAP signing hardening changes. The purpose of this security update is to harden security against man-in-the-middle attacks by requiring LDAP binds to be signed. To avoid compatibility issues in their environment, Microsoft strongly advises administrators to enable LDAP channel binding and LDAP signing between now and mid-January 2020 to find and fix any operating system, application or intermediate device compatibility issues. If a compatibility issue is found, administrators will need to contact the manufacturer of that particular OS, application or device for support.

To learn more, please refer to: https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirement-for-windows

vCenter Server configured with AD over LDAP fails to log in users, with the message "Strong(er) authentication required".

Configuring AD over LDAP fails with the error "Failed to probe provider connectivity [URI: ldap://vCenter/PSC FQDN:389 ]; tenantName [vsphere.local], userName [CN=Administrator,CN=Users,DC=SSODOMAIN,DC=com] Caused by: Strong(er) authentication required".
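For triage, the error text quoted above can be searched for in collected logs to list which identity-source URIs are being rejected. The following is an added example, not VMware code: the timestamp prefix, host names and the function name `find_signing_rejections` are assumptions, and the sample lines are constructed from the error format shown in this article.

```python
import re
from urllib.parse import urlsplit

# Constructed sample lines modelled on the error text quoted in this article;
# timestamps, host names and the second and third lines are invented.
SAMPLE_LOG = """\
2020-03-02T10:15:01Z ERROR Failed to probe provider connectivity [URI: ldap://dc01.example.test:389 ]; tenantName [vsphere.local], userName [CN=Administrator,CN=Users,DC=example,DC=test] Caused by: Strong(er) authentication required
2020-03-02T10:16:40Z ERROR Failed to probe provider connectivity [URI: ldaps://dc02.example.test:636 ]; tenantName [vsphere.local], userName [CN=svc,CN=Users,DC=example,DC=test] Caused by: Invalid credentials
2020-03-02T10:17:12Z INFO Login succeeded for user@example.test
"""

# Field layout follows the error message shown in the article.
PROBE = re.compile(
    r"Failed to probe provider connectivity \[URI:\s*(?P<uri>\S+)\s*\];"
    r"\s*tenantName \[(?P<tenant>[^\]]*)\],\s*userName \[(?P<user>[^\]]*)\]"
    r".*?Caused by:\s*(?P<cause>.+)$"
)
SIGNING_REJECT = "Strong(er) authentication required"


def find_signing_rejections(log_text):
    """Return one dict per probe failure whose cause is the signing rejection."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = PROBE.search(line)
        if not m or SIGNING_REJECT not in m["cause"]:
            continue  # unrelated line, or a different failure such as bad credentials
        url = urlsplit(m["uri"])
        hits.append({
            "line": lineno,
            "host": url.hostname,
            "port": url.port,
            "tenant": m["tenant"],
            "bind_dn": m["user"],
            # AD over LDAP (ldap://) is the source type this article reports failing.
            "cleartext": url.scheme == "ldap",
        })
    return hits


if __name__ == "__main__":
    for hit in find_signing_rejections(SAMPLE_LOG):
        print(hit)
```

Each hit names the domain controller, tenant and bind DN involved, which is the list of identity sources to review against the Resolution section.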



Environment

VMware vCenter Server Appliance 6.5.x
VMware vCenter Server Appliance 6.7.x
VMware vCenter Server 7.x
VMware vCenter Server 8.x

Resolution

The vCenter Server identity source can be configured as AD over LDAP or AD over LDAPS. vCenter Server also supports federated authentication.

Refer to the vSphere Authentication documentation.

Additional Information