vCenter server is unable to authenticate AD users with LDAPs configured
Article ID: 316339

Products

  • VMware vCenter Server
  • VMware vCenter Server 7.0
  • VMware vCenter Server 8.0

Issue/Introduction

  • When attempting to configure an Identity Source, you see the following error in the vSphere Web Client:
    Check the network settings and make sure you have network access to the identity source
  • /var/log/vmware/sso/websso.log shows the below error:
    cannot establish connection with uri: ldaps://<FQDN_DC:636>
    YYYY-MM-DDThh:mm:ss.msZ tomcat-http--29 vsphere.local        da18bc82-65c3-46c2-b5b0-6ee554d9d030 ERROR com.vmware.identity.idm.server.provider.ldap.LdapWithAdMappingsProvider] Failed to retrieve upnSuffixes in AD over LDAP provider '<domain.name>'
    YYYY-MM-DDThh:mm:ss.msZ tomcat-http--50 vsphere.local        5f44813d-fb70-4f4e-9b0c-d7d3ce7ae66f ERROR com.vmware.identity.interop.ldap.SslX509EqualityMatchVerificationCallback] Server SSL certificate verification failed for [Subject: ] [SHA1 Fingerprint: XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX].: No match found in the trusted certificates store.
    YYYY-MM-DDThh:mm:ss.msZ tomcat-http--50 vsphere.local        5f44813d-fb70-4f4e-9b0c-d7d3ce7ae66f ERROR com.vmware.identity.interop.ldap.OpenLdapClientLibrary] Server SSL certificate not trusted; bytes:
  • /var/log/vmware/vpxd/vpxd.log shows the below error:
    YYYY-MM-DDThh:mm:ss.msZ error vpxd[04839] [Originator@6876 sub=User opID=58a82c56] Failed to authenticate user <[email protected]>

Environment

VMware vCenter Server 7.0.x

VMware vCenter Server 8.0.x

Cause

The certificate presented by the Active Directory domain controller has expired, so vCenter Server cannot establish the LDAPS connection to the AD server.

Resolution

  1. Delete the current Identity Source.
    • Log in to the vSphere Web Client and navigate to: Menu --> Administration --> Single Sign On --> Configuration --> Identity Provider --> Identity Sources --> Remove the current Identity Source.
  2. Connect to the vCenter Server via SSH session.
  3. Run the below command to validate the AD certificate:
    openssl s_client -connect <domain controller>:636 -showcerts

    Sample output

    -----BEGIN CERTIFICATE-----
    MIIFyjCCBLKgAwIBAgIKYURFHAAAAAAA
    BDANBgkqhkiG9w0BADSHDFSJnjdwEQYK
    ..........snip..........
    TmqX6mnsaxcjushyuVGYHGVBJKNW5Z5L
    hYZhHKsf9CmZa12j/ODfznFtAgbPNw==
    -----END CERTIFICATE-----
  4. Copy the certificate (including the BEGIN and END lines) to a file with the .cer extension.
  5. Once copied, log in to the vSphere Web Client and navigate to: Menu --> Administration --> Single Sign On --> Configuration --> Identity Provider --> Identity Sources --> Add.
    Please see the below example configuration:

  6. Click Edit and update the existing configuration with the new certificate. If this does not work, you may need to delete the existing Active Directory over LDAP Identity Source and recreate it using the new certificate.

    Note: If you have an existing Identity Source with the same name, you will not be able to add both at the same time.

Additional Information

AD users cannot authenticate against Active Directory through vCenter Server, and they receive the error "Failed to authenticate user".