LDAPS authentication for AD users on the vCenter Server is not working

Article ID: 316339

Products

VMware vCenter Server

Issue/Introduction

When attempting to add or configure an Identity Source in vSphere, you encounter an error stating "Check the network settings and make sure you have network access to the identity source".

  • Error: "Cannot configure identity source due to Failed to probe provider connectivity"

[URI: ldaps://AD1-server:636]; tenantName [vsphere.local], userName [[email protected]]

Caused by: Can't contact LDAP server.

  • /var/log/vmware/sso/ssoAdminServer.log

800Z ERROR ssoAdminServer[146:pool-2-thread-45] [OpId=mdsrlbks-######-auto-gfc-h5:########] [com.vmware.identity.interop.ldap.SslX509EqualityMatchVerificationCallback] Server SSL certificate verification failed for [Subject: ] [SHA1 Fingerprint: ####-#####]##-######-####-####-##-########}].: No match found in the trusted certificates store.

WARN ssoAdminServer[146:pool-2-thread-45] [OpId=mdsrlbks-#####-auto-gfc-h5:#######] [com.vmware.identity.interop.ldap.LdapErrorChecker] Error received by LDAP client: com.vmware.identity.interop.ldap.OpenLdapClientLibrary, error code: -1

  • /var/log/vmware/sso/websso.log shows an inability to connect to the Domain Controller via LDAPS (port 636) as highlighted in the sections below:

Cannot establish connection with url: ldaps://<AD1-server:636>

msZ tomcat-http--29 vsphere.local        da18bc82-65c3-46c2-b5b0-6ee554d9d030 ERROR com.vmware.identity.idm.server.provider.ldap.LdapWithAdMappingsProvider] Failed to retrieve upnSuffixes in AD over LDAP provider '<example.com>'
msZ tomcat-http--50 vsphere.local        5f44813d-fb70-4f4e-9b0c-d7d3ce7ae66f ERROR com.vmware.identity.interop.ldap.SslX509EqualityMatchVerificationCallback] Server SSL certificate verification failed for [Subject: ] [SHA1 Fingerprint: ##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##].: No match found in the trusted certificates store.
msZ tomcat-http--50 vsphere.local        5f44813d-fb70-4f4e-9b0c-d7d3ce7ae66f ERROR com.vmware.identity.interop.ldap.OpenLdapClientLibrary] Server SSL certificate not trusted; bytes:
msZ INFO websso[46:tomcat-http--8] [CorId=20d483c5-b45c-4ca1-8b10-72dc5eef####] [com.vmware.identity.diagnostics.VmEventAppender] EventLog: source=[VMware Identity Server], tenant=[vsphere.local], eventid=[USER_NAME_PWD_AUTH_FAILED], level=[ERROR], category=[VMEVENT_CATEGORY_STS], text=[Failed to authenticate principal [domain\\AD_user]. Access denied], detailText=[Access denied], corelationId=[20d483c5-b45c-4ca1-8b10-72dc5eef####], timestamp=[####493980814]
msZ ERROR websso[46:tomcat-http--8] [CorId=20d483c5-b45c-4ca1-8b10-72dc5eef####] [com.vmware.identity.idm.server.IdentityManager] Failed to authenticate principal [domain\\AD_user]. Access denied
com.vmware.identity.idm.IDMLoginException: Access denied

msZ INFO websso[46:tomcat-http--8] [CorId=20d483c5-b45c-4ca1-8b10-72dc5eef####] [com.vmware.identity.samlservice.impl.SAMLAuthnResponseSender] Responded with ERROR 401 message Invalid credentials
...77193\n\n\n[5]: ObjectId: 1.3.6.1.5.#.#.#.# Criticality=false\nAuthorityInfoAccess [\n  [\n   accessMethod: caIssuers\n   accessLocation: URIName: http://pki.domain.name/CertEnroll/IssuingCA.crt\n, \n   accessMethod: caIssuers\n   accessLocation: URIName: ldap:///CN=IssuingCA,CN=XYZ,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=domain,DC=name?cACertificate?base?objectClass=certificationAuthority\n]\n]\n\n[6]: ObjectId: 2.5.#.# Criticality=false\nAuthorityKeyIdentifier [\nKeyIdentifier [\n0000: 555 25 71 F1 ## ## ## ## ## ## ## ## F8 7C 18 F9  U%q..w..<.......\n0010: E3 0E ## ##                                        ..&l\n]\n]\n\n[7]: ObjectId: 2.5.#.# Criticality=false\nExtendedKeyUsages [\n  1.3.6.1.5.2.#.#\n  serverAuth\n  clientAuth\n]\n\n[8]: ObjectId: 2.5.29.15 Criticality=true\nKeyUsage [\n  DigitalSignature\n  Key_Encipherment\n]\n\n[9]: ObjectId: 2.5.#.# Criticality=false\nSubjectAlternativeName [\n  Other-Name: Unrecognized ObjectIdentifier: 1.3.6.1.4.1.311.#.#\n  DNSName: FQDN_DC\n]\n\n[10]: ObjectId: 2.5.#.# Criticality=false\nSubjectKeyIdentifier [\nKeyIdentifier [\n0000: 06 16 7F EE ## ## ## ## ## ## ## ## 97 D2 32 9E  ......N...df..2.\n0010: XX C4 1F XX                                        ....\n]\n]\n\nUnparseable certificate extensions: 1\n[1]: ObjectId: 2.5.#.# Criticality=false\nUnparseable CRLDistributionPoints extension due to\njava.io.IOException: invalid URI name:ldap:///CN=IssuingCA,CN=01#####1EFGWIN####,CN=EFG,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=domain,DC=name?certificateRevocationList?base?objectClass=cRLDistributionPoint \n\n0000
....security.SignatureException: Signature does not match.

msZ ERROR websso[44:tomcat-http--6] [CorId=367d6ff7-4a18-479d-a9cb-d5a9c797####] [com.vmware.identity.interop.ldap.OpenLdapClientLibrary] Server SSL certificate not trusted: Subject (CN=Shortname_DC,OU=Domain Controllers,DC=example,DC=com)
msZ WARN websso[44:tomcat-http--6] [CorId=367d6ff7-4a18-479d-a9cb-d5a9c797####] [com.vmware.identity.interop.ldap.LdapErrorChecker] Error received by LDAP client: com.vmware.identity.interop.ldap.OpenLdapClientLibrary, error code: -1
msZ WARN websso[44:tomcat-http--6] [CorId=367d6ff7-4a18-479d-a9cb-d5a9c797####] [com.vmware.identity.idm.server.ServerUtils] cannotbind connection: [ldaps://FQDN_DC:636, [email protected]]
msZ ERROR websso[44:tomcat-http--6] [CorId=367d6ff7-4a18-479d-a9cb-d5a9c797####] [com.vmware.identity.idm.server.ServerUtils] cannot establish ldap connection with URI: [ldaps://FQDN_DC:636] because [com.vmware.identity.interop.ldap.ServerDownLdapException] with reason [Can't contact LDAP server] therefore will try to attempt to use secondary URIs, if applicable
msZ ERROR websso[44:tomcat-http--6] [CorId=367d6ff7-4a18-479d-a9cb-d5a9c797####] [com.vmware.identity.idm.server.provider.BaseLdapProvider] com.vmware.identity.interop.ldap.ServerDownLdapException: Can't contact LDAP server\nLDAP error [code: -1]
msZ ERROR websso[44:tomcat-http--6] [CorId=367d6ff7-4a18-479d-a9cb-d5a9c797####] [com.vmware.identity.idm.server.IdentityManager] Failed to checkUserAccountFlags principal [domain\\AD_user] for tenant [vsphere.local]
msZ INFO websso[44:tomcat-http--6] [CorId=367d6ff7-4a18-479d-a9cb-d5a9c797####] [com.vmware.identity.diagnostics.VmEventAppender] EventLog: source=[VMware Identity Server], tenant=[vsphere.local], eventid=[USER_NAME_PWD_AUTH_FAILED], level=[ERROR], category=[VMEVENT_CATEGORY_STS], text=[Failed to authenticate principal [domain\\AD_user]. Login failed], detailText=[Login failed], corelationId=[367d6ff7-4a18-479d-a9cb-d5a9c797####], timestamp=[####491805838]
msZ ERROR websso[44:tomcat-http--6] [CorId=367d6ff7-4a18-479d-a9cb-d5a9c797####] [com.vmware.identity.idm.server.IdentityManager] Failed to authenticate principal [domain\\AD_user]. Login failed
javax.security.auth.login.LoginException: Login failed

  • /var/log/vmware/sso/ssoAdminServer.log

String[170]\n\n\njava.security.SignatureException: Certificate does not verify with supplied key
[timestamp] ERROR ssoAdminServer[134]####-#-######-## [####-#####]##-######-####-####-##-######## [com.vmware.identity.interop.ldap.OpenLdapClientLibrary] Server SSL certificate not trusted: Subject (CN=##-######-####-####-##-########)
[timestamp] WARN ssoAdminServer[134]####-#-######-## [####-#####]##-######-####-####-##-######## [com.vmware.identity.interop.ldap.LdapErrorChecker] Error received by LDAP client: com.vmware.identity.interop.ldap.OpenLdapClientLibrary, error code: -1
[timestamp] WARN ssoAdminServer[134]####-#-######-## [####-#####]##-######-####-####-##-######## [com.vmware.identity.ldap.server.ServerUtils] cannot bind connections: [ldaps://#####-####-####-##-########, CN=###-####-#####,OU=Service Accounts,OU=###,DC=###,DC=###,DC=###,DC=###]
[timestamp] ERROR ssoAdminServer[134]####-#-######-## [####-#####]##-######-####-####-##-######## [com.vmware.identity.ldap.server.ServerUtils] cannot establish ldap connection with URI: [ldaps://#####-####-####-##-########] because [com.vmware.identity.interop.ldap.ServerDownLdapException]: with reason [Can't contact LDAP server] therefore will try to attempt to use secondary URIs, if applicable
[timestamp] WARN ssoAdminServer[134]####-#-######-## [####-#####]##-######-####-####-##-######## [com.vmware.identity.Idm.server.IdentityManager] Failed to probe provider connectivity [URI: ldaps://#####-####-####-##-######## /] tenantName [vsphere.local], userName [CN=###-####-#####,OU=Service

When comparing the /var/log/vmware/sso/websso.log file entries with the output of the /opt/vmware/bin/sso-config.sh -get_identity_sources command, AD over LDAPS issuer certificates were found to have differing validity periods.

  • /var/log/vmware/vpxd/vpxd.log confirms authentication failures for users from the associated AD domain

msZ error vpxd[04839] [Originator@6876 sub=User opID=########] Failed to authenticate user <[email protected]>

Environment

  • vCenter 8.0.x

Cause

An expired Active Directory certificate is currently preventing vCenter Server from establishing a connection with the AD server.

Resolution

To resolve the issue, follow the steps below.

  1. Delete the current Identity Source.
    • Log in to the vSphere Client and navigate to: Menu > Administration > Single Sign On > Configuration > Identity Provider > Identity Sources > Remove the current Identity Source
  2. Connect to the vCenter Server via an SSH session.
  3. Run the command below to retrieve and validate the AD certificate:

openssl s_client -connect <domain controller>:636 -showcerts

    • Sample output

-----BEGIN CERTIFICATE-----
MIIFyjCCBLKgAwIBAgIKYURFHAAAAAAA
BDANBgkqhkiG9w0BADSHDFSJnjdwEQYK
..........snip..........
TmqX6mnsaxcjushyuVGYHGVBJKNW5Z5L
hYZhHKsf9CmZa12j/ODfznFtAgbPNw==
-----END CERTIFICATE-----

  4. Copy the certificate to a file with the .cer extension.
  5. Once copied, log in to the vSphere Client and navigate to: Menu > Administration > Single Sign On > Configuration > Identity Provider > Identity Sources > Add
  6. See the example configuration below:

  7. Click Edit and update the existing configuration with the new certificate. If this does not work, you may need to delete the existing Active Directory over LDAP Identity Source and recreate it using the new certificate.

Note: If you have an existing Identity Source with the same name, you will not be able to add both at the same time.
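The following POSIX shell script is an added example and is not part of this article or of VMware's tooling. It automates the openssl s_client step above and the comparison described in the Issue section: it fetches the certificate the domain controller presents on port 636, saves it as the .cer file to upload, reports whether it has expired, compares its SHA-1 fingerprint with the .cer currently configured for the identity source, and extracts the fingerprints the SSO server rejected from websso.log or ssoAdminServer.log entries. The host names, file names and the sample log text are assumptions constructed for the example; openssl and awk are assumed available, as they are on the vCenter appliance.

```shell
#!/bin/sh
# Added example, not code from the KB article. Assumptions: openssl and awk are
# installed; dc.cer and the domain controller name are placeholders.

# Keep only the first PEM block from "openssl s_client -showcerts" output,
# i.e. the domain controller's own (leaf) certificate, not the issuing CA.
extract_first_pem() {
    awk '/-----BEGIN CERTIFICATE-----/ { p = 1 }
         p { print }
         /-----END CERTIFICATE-----/ { if (p) exit }'
}

# Connect to host:port over TLS and save the presented leaf certificate as PEM
# (this is the .cer file the article says to upload when re-adding the source).
fetch_ldaps_cert() {
    host="$1"; port="$2"; out="$3"
    openssl s_client -connect "$host:$port" -showcerts </dev/null 2>/dev/null \
        | extract_first_pem > "$out"
    [ -s "$out" ]   # fail if nothing was received
}

# Echo 1 if the certificate expires within $2 seconds (0 = already expired),
# else 0. "openssl x509 -checkend" exits non-zero when the deadline is missed.
cert_expires_within() {
    if openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1; then
        echo 0
    else
        echo 1
    fi
}

# Colon-separated SHA-1 fingerprint, the form the SSO logs print inside
# "[SHA1 Fingerprint: ...]".
cert_sha1_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 | sed 's/^.*=//'
}

# Succeed when two PEM files hold the same certificate. Compare the freshly
# fetched DC certificate with the .cer configured for the identity source;
# a mismatch means the identity source must be updated.
same_certificate() {
    [ "$(cert_sha1_fingerprint "$1")" = "$(cert_sha1_fingerprint "$2")" ]
}

# Pull the fingerprints of certificates the SSO server rejected out of
# websso.log / ssoAdminServer.log text read from stdin, so they can be
# compared with the fingerprint the DC presents today.
rejected_fingerprints() {
    sed -n 's/.*Server SSL certificate verification failed.*\[SHA1 Fingerprint: \([0-9A-Fa-f:]*\)\].*/\1/p' | sort -u
}

main() {
    dc="$1"; out="${2:-dc.cer}"; current="${3:-}"
    fetch_ldaps_cert "$dc" 636 "$out" || { echo "no certificate received from $dc:636" >&2; exit 2; }
    openssl x509 -in "$out" -noout -subject -issuer -dates
    echo "SHA1 fingerprint: $(cert_sha1_fingerprint "$out")"
    if [ "$(cert_expires_within "$out" 0)" = 1 ]; then
        echo "certificate from $dc has expired: renew it on the DC before re-adding the identity source" >&2
        exit 1
    fi
    if [ -n "$current" ] && ! same_certificate "$out" "$current"; then
        echo "DC certificate differs from $current: re-add the identity source with $out"
    fi
}

# Run only when a domain controller is given, e.g.:
#   sh check_ldaps_cert.sh dc01.example.com dc01.cer current-identity-source.cer
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Run it from the vCenter appliance SSH session so the connection is made from the same host that the SSO service uses; `grep "verification failed" /var/log/vmware/sso/websso.log | rejected_fingerprints` then gives the fingerprints to compare with the "SHA1 fingerprint" line the script prints.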

Additional Information

  • Active Directory users cannot be authenticated against the domain while the connection is failing, and they receive the error "Failed to authenticate user."