AD over LDAPS authentication fails in vCenter Server 8.0 U2 when SSL renegotiation is disabled on load balancers
Article ID: 344896

Products

VMware vCenter Server

Issue/Introduction

Symptoms:
  • After upgrading to vCenter Server 8.0 U2, authentication fails with an error code -1.
  • Messages in websso.log and ssoAdminServer.log report the error "cannot bind connection":
    2023-10-10T13:13:13.726Z WARN websso[85:tomcat-http--48] [CorId=9f0942aa-8888-4277-6661-70597105802] [com.vmware.identity.idm.server.ServerUtils] cannot bind connection: [ldaps://domain.example.local:636, CN=adminuser,OU=Accounts,DC=example,DC=local]

  • When running the following command from an SSH session on the vCenter, it reports "unsafe legacy renegotiation disabled" in the second line:
    openssl s_client -connect <Active Directory DC FQDN>:636

    CONNECTED(00000003)
    C03195EB547F0000:error:0A000152:SSL routines:final_renegotiate:unsafe legacy renegotiation disabled:ssl/statem/extensions.c:893:

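The check above can be scripted so that the "renegotiation blocked by the load balancer" case is told apart from a healthy LDAPS endpoint. The following POSIX shell script is an added example, not part of the KB; it assumes only the s_client output strings it matches on, and the host name in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example, not part of the KB: classify the output of the KB's check
#   openssl s_client -connect <Active Directory DC FQDN>:636
# so the "renegotiation blocked by the load balancer" case can be told apart
# from a healthy LDAPS endpoint. Only the string matching below is assumed.

# Reads s_client output (stdout and stderr merged) on stdin, prints one word:
#   blocked - OpenSSL 3 aborted the handshake because the peer did not
#             advertise RFC 5746 secure renegotiation (the symptom in this KB)
#   tls13   - TLSv1.3 was negotiated; renegotiation does not exist in 1.3
#   secure  - peer advertises RFC 5746 secure renegotiation
#   unknown - anything else (connection refused, unrelated error, ...)
classify_sclient_output() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'unsafe legacy renegotiation disabled'; then
        echo blocked
    elif printf '%s\n' "$out" | grep -Eq 'New, TLSv1\.3|Protocol *: TLSv1\.3'; then
        echo tls13
    elif printf '%s\n' "$out" | grep -q 'Secure Renegotiation IS supported'; then
        echo secure
    else
        echo unknown
    fi
}

# Runs the KB's command against one host and classifies the result.
# </dev/null keeps s_client from waiting for interactive input.
check_ldaps_reneg() {
    openssl s_client -connect "$1:636" </dev/null 2>&1 | classify_sclient_output
}

# Constructed sample outputs (abridged s_client transcripts, not real captures).
SAMPLE_BLOCKED='CONNECTED(00000003)
C03195EB547F0000:error:0A000152:SSL routines:final_renegotiate:unsafe legacy renegotiation disabled:ssl/statem/extensions.c:893:
no peer certificate available'
SAMPLE_SECURE='CONNECTED(00000003)
Secure Renegotiation IS supported
    Protocol  : TLSv1.2'
SAMPLE_TLS13='CONNECTED(00000003)
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Secure Renegotiation IS NOT supported'

# Usage: sh check.sh dc01.example.local   (placeholder host name)
if [ $# -gt 0 ]; then
    for h in "$@"; do printf '%s: %s\n' "$h" "$(check_ldaps_reneg "$h")"; done
fi
```

Run it once against the load balancer VIP and once against a domain controller directly; "blocked" on the first and "secure" on the second confirms the cause described below.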
Environment

VMware vCenter Server 8.0.2

Cause

In vCenter 8.0 U2, OpenSSL was updated from 1.1 to 3.1. OpenSSL 3.1 uses secure defaults that disable the older, insecure TLS renegotiation, so vCenter 8.0 U2 permits only secure renegotiation as defined in RFC 5746. In addition, vCenter's OpenSSL 3.1 uses renegotiation on all outbound LDAPS connections.

Some load balancers deny all renegotiation by default. As a result, they will block vCenter's SSL renegotiation attempts, which terminates the SSL connection and causes authentication to fail.

Resolution

VMware is aware of this issue and working towards a fix in a future release.

Workaround:
There are several ways to work around this issue:

Option 1
Permit Secure TLS Renegotiation at the Load Balancer (Recommended)

Load balancers such as Citrix NetScaler use SSL Profiles to configure SSL protocol handling on a per-server, per-service, or per-port basis, and support separate internal and external configurations. To work around this issue, locate the SSL Profile used by vCenter, then change the denySSLReneg setting to NONSECURE. This permits secure renegotiation, resolving the issue.

For more information, see the following Citrix documents:

For other load balancer solutions, consult the vendor's documentation on configuring SSL renegotiation.

Option 2
Set up the LDAPS connection URL to bypass the load balancer.

You may also work around this issue by setting the connection URL in the identity source to a specific domain controller rather than the load balancer. Note that this only works if the network traffic from the vCenter to the domain controller is not also routed through the load balancer.
  1. In the vSphere Client, navigate to Administration.
  2. Select Configuration under Single Sign On.
  3. Within the Identity Sources section, select the AD over LDAP identity source and click Edit.
  4. Update the Primary server URL to connect directly to a domain controller instead of the load balancer.
  5. Click Save.
Note: If bypassing the load balancer requires a different certificate to be used, the identity source will need to be recreated using the correct one from the domain controller specified in the connection URL.

Additional Information

This issue does not affect connections that use TLSv1.3, because renegotiation does not exist in that protocol version.