Removal of Integrated Windows Authentication

Products

VMware vSphere ESXi VMware vCenter Server

Issue/Introduction

This article provides information on the removal of the Integrated Windows Authentication (IWA) in the next major release after vSphere 8.0

Environment

VMware vSphere 7.0.x

VMware vSphere 8.0.x

Resolution

Integrated Windows Authentication (IWA) will be removed in the next major release after vSphere 8.0 Update 3 as announced in the release notes.

What does removal of IWA mean?
Customers are encouraged to migrate to a federated Identify Provider such as Okta, Entra ID, PingFederate, or Active Directory Federation Services (AD FS). See vSphere documentation for more details.

Active Directory over LDAPS (AD over LDAPS) is also available. KB 344919 describes important considerations when moving from IWA to AD over LDAPS.

When will support be removed?
Support for IWA will be removed from the next major release of vCenter after 8.0. ESXi will continue to support Active Directory authentication, but IWA functionalities like Windows Session Authentication (SSPI) will be removed in a future ESXi release.

What will happen when I upgrade my vCenter?
Upgrading to vSphere version 8.0 Update 3 or earlier will retain IWA settings with no change in authentication functionality. You will need to remove the IWA configuration before upgrading vCenter to the next major release after 8.0 Update 3.

What will happen when I upgrade my ESXi?
While IWA deprecation has been announced, Active Directory will still be supported for ESXi in the next major release after 8.0 Update 3. Therefore, upgrading ESXi will retain Active Directory settings with no change in authentication functionality. IWA functionalities like Windows Session Authentication (SSPI) will be removed in a future ESXi release.

Additional Information

VMware vSphere & Microsoft LDAP Channel Binding & Signing (ADV190023)
https://blogs.vmware.com/vsphere/2020/01/microsoft-ldap-vsphere-channel-binding-signing-adv190023.html

IWA uses unsigned LDAP behind the scenes to allow searching users and groups, and this will stop working. This may impact the ability to add users & groups to authentication configurations.

Who Is Affected?

If you have configured vCenter Server to access Active Directory over LDAP with TLS (LDAPS) or Identity Federation you will not be affected by this. You can check this by viewing your Identity Sources in the vSphere Client
Considerations when migrating a vCenter Identity Source from Integrated Windows Authentication to AD over LDAP / OpenLDAP https://knowledge.broadcom.com/external/article?legacyId=90124
Configuring a vCenter Single Sign-On Identity Source using LDAP with SSL (LDAPS) https://knowledge.broadcom.com/external/article?legacyId=2041378