Single Sign-On Identity Source configuration using LDAPS in vSphere Client
Article ID: 316596

Products

VMware vCenter Server

Issue/Introduction

Configure an Identity Source in vCenter Single Sign-On (SSO) that uses LDAP over SSL/TLS (LDAPS). With this configuration, the LDAP bind and directory lookups between vCenter Server and the Domain Controller are encrypted instead of being sent in clear text over plain LDAP on port 389.

For instructions on configuring AD/LDAP(S) as an identity provider in VCF 9.x, see Configure Active Directory as an Identity Provider Using AD/LDAP.

Environment

VMware vCenter 7.x
VMware vCenter 8.x
VMware vCenter 9.x

Resolution

Caution: This article provides a general how-to guide. Consultation with the Directory Administrators in the organization is recommended for specific procedures.

For information on configuring the Domain Controller to accept LDAP over SSL, see the Microsoft article LDAP over SSL (LDAPS) Certificate.
The steps in this article assume that the Domain Controller in question already has a valid server certificate installed (one whose Subject Alternative Name contains the Domain Controller's host name) and that this certificate, or its issuing CA certificate, can be exported. See the Microsoft article linked above for more details.

Refer to the Active Directory over LDAP and OpenLDAP Server Identity Source Settings documentation for further information on implementing Active Directory over LDAPS.


Step 1: Extract the certificate chain from the Active Directory Domain Controller

  1. The vCenter Server appliance includes an openssl binary, so the following command can be run from the appliance shell (SSH or the console).
  2. The following command retrieves the SSL certificate chain that the desired Domain Controller presents on the LDAPS port (636):

    openssl s_client -showcerts -connect dc.example.com:636 </dev/null 2>/dev/null

    Note: Do not pipe this output through openssl x509 -outform PEM. That filter keeps only the first certificate in the output (the Domain Controller's own certificate) and discards the CA certificate(s) that follow it.

  3. When the command completes, every certificate the Domain Controller sent is displayed, the Domain Controller's own certificate first and its issuer(s) after it. The output appears similar to:

    Certificate chain

    0 s:/CN=DC.example.com
    i:/DC=com/DC=example/CN=###-CA
    -----BEGIN CERTIFICATE-----
    ##############################################################
    ..........
    ...snip...
    ..........
    ##############################################################
    -----END CERTIFICATE-----
    1 s:/DC=com/DC=example/CN=###-CA
    i:/CN=###-ROOT-CA
    -----BEGIN CERTIFICATE-----
    ##############################################################
    ..........
    ...snip...
    ..........
    ##############################################################
    -----END CERTIFICATE-----
     
  4. Identify the CA certificate in the output. Entry 0 is the Domain Controller's own certificate; the entries after it (1, 2, ...) are the CA certificates that issued it, with s: showing the subject and i: the issuer of each. Copy the entire root CA certificate section and paste it into a new .cer file. If the last certificate shown is not self-signed (its s: and i: differ, as in the example above, where ###-CA was issued by ###-ROOT-CA), the Domain Controller did not send the root certificate; export the root CA certificate as described in the Microsoft article linked above and use that instead.

    Note:
    • The hostname specified in the connection string must be listed in the Domain Controller's certificate Subject Alternative Name (SAN), even if root certificates are provided.
    • When copying the text, be sure to include the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines for the certificate.
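
The following POSIX shell script is an added example and not part of this article or of the vCenter product; it automates Step 1 and adds the checks a practitioner would run before uploading a certificate in Step 2. It fetches the chain with the same openssl s_client command, splits it into one PEM file per certificate (cert-0.pem is the Domain Controller's certificate, the rest are its issuers), confirms that the host name is present as a DNS entry in the leaf's SAN, reports whether the last certificate is a self-signed root, and verifies that the leaf chains to the CA files that will be uploaded. The host name dc.example.com, port 636 and the output directory under $TMPDIR (or /tmp) are assumed placeholders; the script needs openssl, awk and grep -A, all available on the appliance shell.

```shell
#!/bin/sh
# Added example (not from the KB article): fetch a Domain Controller's LDAPS chain,
# split it into PEM files, and check it before importing the CA certificate into
# vCenter SSO. Host name, port and output directory below are placeholders.

# fetch_chain HOST [PORT]: raw `openssl s_client -showcerts` output. This is the
# article's command without the trailing `openssl x509` filter, which would keep
# only the first (leaf) certificate.
fetch_chain() {
    openssl s_client -showcerts -connect "$1:${2:-636}" </dev/null 2>/dev/null
}

# split_chain OUTDIR  (reads s_client output on stdin)
# Writes cert-0.pem (the DC's own certificate), cert-1.pem (its issuer), ... in
# chain order and prints the number of certificates written. Only the
# "Certificate chain" section is parsed, so a copy of the leaf that some OpenSSL
# versions print again under "Server certificate" is not counted twice.
split_chain() {
    mkdir -p "$1"
    awk -v dir="$1" '
        /^Certificate chain$/            { inchain = 1; next }
        inchain && /^---$/               { inchain = 0 }
        inchain && /^-----BEGIN CERTIFICATE-----$/ {
            f = sprintf("%s/cert-%d.pem", dir, n); n++; incert = 1
        }
        inchain && incert                { print > f }
        /^-----END CERTIFICATE-----$/    { if (incert) close(f); incert = 0 }
        END                              { print n + 0 }
    '
}

# leaf_matches_host PEM HOST: succeeds when HOST is a DNS entry in the SAN.
# vCenter checks the name in the ldaps:// URL against the SAN even when a CA
# certificate is supplied, so a mismatch here means the wizard will fail.
leaf_matches_host() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' \
        | tr ',' '\n' | sed 's/^[[:space:]]*//' \
        | grep -qixF "DNS:$2"
}

# is_self_signed PEM: succeeds when subject equals issuer, i.e. a root CA.
is_self_signed() {
    s=$(openssl x509 -in "$1" -noout -subject)
    i=$(openssl x509 -in "$1" -noout -issuer)
    [ "${s#subject=}" = "${i#issuer=}" ]
}

# verify_leaf OUTDIR: check that cert-0.pem chains to the CA certificate(s) that
# followed it. Fails when the DC sent only an intermediate and the root has to
# be obtained separately.
verify_leaf() {
    : > "$1/issuers.pem"
    for f in "$1"/cert-*.pem; do
        [ "$f" = "$1/cert-0.pem" ] || cat "$f" >> "$1/issuers.pem"
    done
    openssl verify -CAfile "$1/issuers.pem" "$1/cert-0.pem" >/dev/null 2>&1
}

# Driver:  sh ldaps-chain.sh dc.example.com [636]
if [ -n "${1:-}" ]; then
    host=$1
    dir=${TMPDIR:-/tmp}/ldaps-chain-$host
    n=$(fetch_chain "$host" "${2:-636}" | split_chain "$dir")
    [ "$n" -gt 0 ] || { echo "no certificates received from $host:${2:-636}" >&2; exit 1; }
    last=$((n - 1))
    for f in "$dir"/cert-*.pem; do
        printf '%s\n  %s\n  %s\n' "$f" \
            "$(openssl x509 -in "$f" -noout -subject)" \
            "$(openssl x509 -in "$f" -noout -issuer)"
    done
    leaf_matches_host "$dir/cert-0.pem" "$host" \
        || echo "WARNING: $host is not a DNS SAN entry of cert-0.pem" >&2
    is_self_signed "$dir/cert-$last.pem" \
        || echo "WARNING: cert-$last.pem is not self-signed; the root CA was not sent" >&2
    verify_leaf "$dir" \
        && echo "chain verifies; upload $dir/cert-$last.pem in the SSO wizard"
fi
```

The text in the chosen cert-N.pem file is exactly the block the article has you paste into a .cer file. The SAN check is deliberately strict (whole-entry, case-insensitive match on DNS:<host>): a wildcard or a different name in the certificate does not satisfy it, which mirrors the note above that the URL's host name must itself appear in the SAN.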

Step 2: Configure an Identity Source in vCenter Single Sign-On to use LDAPS

  1. If this is an Enhanced Linked Mode (ELM) environment, perform the following steps on a single vCenter Server only; the identity source configuration replicates to the other linked vCenter Servers.

  2. Take the appropriate snapshot(s) of vCenter Server.
    Note: If Enhanced Linked Mode, make sure to take offline snapshots of all linked vCenter virtual machines before proceeding.

  3. Log in to the vSphere Client using a Single Sign On Administrator.

  4. Under Menu, select Administration > Configuration > Identity Sources.

  5. Remove the existing identity source for the domain, if one is present. An LDAPS identity source cannot be added while another identity source for the same domain exists (see Additional Information).

  6. Click Add and select Active Directory over LDAP to configure a new source.

  7. Enter the required information in the Add Identity Source wizard (Active Directory over LDAP):
    • The LDAPS URL(s) of the Domain Controller(s) to use, in the form ldaps://dc.example.com:636, as the primary server URL and, optionally, the secondary server URL.
    • The Username and Password of the directory account that vCenter binds with (see Additional Information for the requirements on this account).
    • Click Browse next to "Certificates (for LDAPS)" and select the certificate file exported in Step 1 from the Domain Controller(s) specified in the LDAPS URL(s).
      Refer to LDAP over SSL (LDAPS) Certificate in the documentation for more details.
    • The hostname specified in each LDAPS URL must be listed in that Domain Controller's certificate Subject Alternative Name (SAN), even if a root certificate is provided; a name or IP address that is not in the SAN fails certificate validation.

  8. Click Add. The new identity source is then listed in the client.

Additional Information

Important Information about configuring an LDAPS identity source:

  1. If an identity source already exists for the same domain, that identity source must be removed before the LDAPS identity source can be configured.
  2. If the Domain Controller's SSL certificate is renewed or replaced, the identity source must be removed and re-added with the new certificate.
  3. If the account whose Username was entered when adding the identity source becomes locked out, disabled, or has an expired password, all AD user logins to vCenter fail. The identity source must then be updated with a valid AD username and password. Use a dedicated service account with read-only access to the directory and a password that does not expire, so that a routine password change does not silently break vCenter logins.
  4. Ensure the account being used to add the identity source is not in a restricted AD group, such as the Protected Users group.