Configuring a vCenter Single Sign-On Identity Source using LDAP with SSL (LDAPS)

Article ID: 316596

Products

VMware vCenter Server

Issue/Introduction

This article provides steps to configure an Identity Source in vCenter Single Sign-On (SSO) to use an LDAP over SSL (LDAPS) connection, so that all LDAP traffic between vCenter Server and the identity source that authenticates users (binds, searches and the credentials they carry) is encrypted and the domain controller's identity is verified by its certificate.

Environment

VMware vCenter 7.x
VMware vCenter 8.x

 

Resolution

Caution: This article provides a general how-to guide. Consultation with the Directory Administrators in the organization is recommended for specific procedures.

For information on configuring the LDAP server to use SSL, see the Microsoft article LDAP over SSL (LDAPS) Certificate.
The steps in this article assume that the Domain Controller in question already has a valid certificate installed and that this certificate (or the CA certificate that issued it) has been exported. See the Microsoft article linked above for details.

Refer to the Active Directory over LDAP and OpenLDAP Server Identity Source Settings documentation for further information on implementing Active Directory over LDAPS.

 
To configure an Identity Source in vCenter Single Sign-On to use LDAPS:
 
  1. If this is an ELM (Enhanced Linked Mode) environment, perform the following steps on a single vCenter Server only; the identity source configuration replicates to the other linked vCenter Server instances.
  2. Take a snapshot of the vCenter Server Appliance (VCSA) VM.
    Note: In an ELM environment, take offline (powered-off) snapshots of all linked VCSA VMs before proceeding, so that the replicated SSO configuration can be rolled back consistently.
  3. Log in to the vSphere Client with a Single Sign-On administrator account.
  4. Under Menu, select Administration > Configuration > Identity Sources.
  5. Remove the existing identity source for the domain, if one is present. An identity source cannot be added for a domain that already has one.
  6. Click Add and select Active Directory over LDAP to configure a new source.
  7. Enter the required information in the Add Identity Source wizard (Active Directory over LDAP):
    1. Primary server URL (and, optionally, Secondary server URL): use the ldaps:// scheme and port 636, for example ldaps://dc3.example.com:636. Use the domain controller's fully qualified hostname, not an IP address, because this name is checked against the certificate.
    2. Click Browse next to "Certificates (for LDAPS)" and select the certificates exported from the domain controllers named in the LDAPS URL(s). Refer to LDAP over SSL (LDAPS) Certificate for more details.
    3. The hostname in each LDAPS URL must appear in the Subject Alternative Name (SAN) of the certificate that domain controller presents. Supplying the root CA certificate does not relax this check; a short name or IP address that is not listed in the SAN fails validation.

  8. Click Add. The new identity source is listed in the client. Verify it by logging in to vCenter Server with a domain user from that source.


Additional Information

Important Information about configuring an LDAPS identity source

  • If an identity source already exists for the same domain, it must be removed before the LDAPS identity source can be configured.
  • If the domain controller's SSL certificate is updated or replaced, the identity source must be removed and re-added with the new certificate; vCenter does not pick up the change on its own.
  • If the "Username" entered when the identity source was added becomes locked, disabled, or has an expired password, all AD user logins to vCenter fail. Remove and re-add the identity source with a valid AD username and password.
  • Ensure the account used to add the identity source is not in a restricted AD group, such as the Protected Users group.
 
The command below needs only a copy of openssl that can reach the domain controller on TCP port 636; the vCenter Server Appliance shell has one, as does almost any Linux or macOS host. (The legacy Windows-based vCenter Server shipped one at C:\Program Files\VMware\Infrastructure\Inventory Service\bin\openssl.)
 
Run the command against each domain controller named in the LDAPS URL(s), using the same hostname as in the URL:
openssl s_client -connect dc#.domain.com:636 -showcerts

When the command completes, every certificate the domain controller sends is displayed in PEM form, numbered by its position in the chain: 0 is the domain controller's own certificate, followed by the CA certificate(s) that issued it. The chain appears similar to:
Certificate chain
0 s:/CN=DC3.example.com
i:/DC=com/DC=example/CN=BRM-CA
-----BEGIN CERTIFICATE-----
MIIFyjCCBLKgAwIBAgIKYURFHAAAAAAABDANBgkqhkiG9w0BAQUFADBCMRMwEQYK
..........
...snip...
..........
TmqX6OuznopBJKNW5Z5LbHzuUCfY8ryBhYZhHKsf9CmZa12j/ODfznFtAgbPNw==
-----END CERTIFICATE-----
1 s:/DC=com/DC=example/CN=BRM-CA
i:/CN=BRM-ROOT-CA
-----BEGIN CERTIFICATE-----
MIIFkjCCBHqgAwIBAgIKYSn5HgAAAAAAAjANBgkqhkiG9w0BAQUFADAWMRQwEgYD
..........
...snip...
..........
N4C2CAlLaR3sXlHBRNlfsLO+rZo45hwW8Xw3rLD+ETtgKMmAVUI=
-----END CERTIFICATE-----
Copy one complete certificate block, from its -----BEGIN CERTIFICATE----- line through its -----END CERTIFICATE----- line inclusive, into its own .cer file for each certificate you intend to upload (the domain controller certificate at position 0, or the issuing CA certificate at position 1). In the output above, the root CA (BRM-ROOT-CA) appears only as the issuer of entry 1 and is not itself sent by the domain controller; if the root certificate is needed, export it from the CA directly.

Note: When snipping text, keep the BEGIN and END lines of every certificate you save. A file that contains only the Base64 body is not a valid certificate.
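The chain extraction above, together with the SAN check required in step 7.3, as an added shell example that is not part of this article or of any VMware tooling: it runs the same openssl s_client command with -verify_hostname so openssl reports whether the name in the ldaps:// URL matches the SAN, splits the -showcerts output into one .cer file per chain position (BEGIN and END lines included), and prints each file's subject, issuer and SAN so the domain controller certificate can be told apart from the CA certificate. It assumes openssl 1.1.1 or newer (for -verify_hostname and -ext) and awk in PATH, network reachability to the domain controller on 636, and uses dc3.example.com only as a placeholder name.

```shell
#!/bin/sh
# Added example, not part of the KB article: fetch the certificate chain a domain
# controller presents on LDAPS, check the hostname against the SAN the way vCenter
# will, and split the chain into one Base64 .cer file per certificate for the wizard.
# Assumptions: openssl (1.1.1 or newer) and awk in PATH; TCP/636 reachable from this host.

# fetch_chain HOST [PORT] [CAFILE]
# One s_client run with -showcerts; the raw output goes to stdout.
# -verify_hostname makes openssl check HOST against the SAN, the same check vCenter
# applies to the name in the ldaps:// URL. The "Verify return code" line reads 0 (ok)
# only when the chain validates (against CAFILE, if given, else the system trust store)
# AND the hostname matches; a mismatch is reported as "hostname mismatch".
fetch_chain() {
    host=$1
    port=${2:-636}
    cafile=$3
    set -- -connect "$host:$port" -servername "$host" -verify_hostname "$host" -showcerts
    [ -n "$cafile" ] && set -- "$@" -CAfile "$cafile"
    openssl s_client "$@" </dev/null 2>/dev/null
}

# split_chain OUTDIR  (reads s_client output on stdin)
# Writes each BEGIN/END CERTIFICATE block, both marker lines included, to
# OUTDIR/cert-N.cer, where N is the chain position printed by s_client:
# 0 is the domain controller's own certificate, 1 the CA that issued it, and so on.
split_chain() {
    outdir=$1
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        BEGIN { n = 0 }
        /-----BEGIN CERTIFICATE-----/ { f = dir "/cert-" n ".cer"; n++; inside = 1 }
        inside { print > f }
        /-----END CERTIFICATE-----/ { inside = 0; close(f) }
    '
}

# count_certs OUTDIR: number of .cer files split_chain produced (0 if none).
count_certs() {
    set -- "$1"/cert-*.cer
    if [ -e "$1" ]; then echo "$#"; else echo 0; fi
}

# describe_cert FILE: subject, issuer, validity and SAN of one extracted certificate,
# so the DC certificate (position 0) can be told apart from the CA certificate(s)
# and the SAN can be compared with the hostname used in the LDAPS URL.
describe_cert() {
    openssl x509 -in "$1" -noout -subject -issuer -dates -ext subjectAltName
}

# Command-line use: ./ldaps-chain.sh dc3.example.com [636] [ca.cer]
if [ "$#" -gt 0 ]; then
    fetch_chain "$1" "${2:-636}" "$3" > chain.txt
    split_chain certs < chain.txt
    grep 'Verify return code' chain.txt
    for f in certs/cert-*.cer; do
        echo "== $f"
        describe_cert "$f"
    done
fi
```

Run it once per domain controller named in the LDAPS URL(s). If the Verify return code is anything other than 0 after passing the exported CA file as the third argument, vCenter will reject the same connection, so fix the certificate (wrong SAN, missing intermediate, expired) before adding the identity source.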