AD over LDAPS authentication fails in vCenter Server 8.0 U2 when SSL renegotiation is disabled on load balancers
Article ID: 344896
Updated On:
Products
VMware vCenter Server
Issue/Introduction
- After upgrading to vCenter Server 8.0 U2, authentication fails with an error code -1.
- Messages in websso.log and ssoAdminServer.log report the error "cannot bind connection"
2023-10-10T13:13:13.726Z WARN websso[85:tomcat-http--48] [CorId=9f0942aa-8888-4277-6661-70597105802] [com.vmware.identity.idm.server.ServerUtils] cannot bind connection: [ldaps://domain.example.local:636, CN=adminuser,OU=Accounts,DC=example,DC=local]
- When running the following command from an SSH session on the vCenter, it reports "unsafe legacy renegotiation disabled" in the second line.
openssl s_client -connect <Active Directory DC FQDN>:636
CONNECTED(00000003)
C03195EB547F0000:error:0A000152:SSL routines:final_renegotiate:unsafe legacy renegotiation disabled:ssl/statem/extensions.c:893:
C03195EB547F0000:error:0A000152:SSL routines:final_renegotiate:unsafe legacy renegotiation disabled:ssl/statem/extensions.c:893:
Environment
VMware vCenter Server 8.0.2
Cause
In vCenter 8.0U2, OpenSSL was updated from 1.1 to 3.1. This new version of OpenSSL 3.1 uses secure defaults that disable the older insecure TLS renegotiation. vCenter 8.0U2 permits only secure renegotiation per RFC 5746. In addition, vCenter's OpenSSL 3.1 uses renegotiation on all outbound LDAPS connections.
Some load balancers deny all renegotiation by default. As a result, they will block vCenter's SSL renegotiation attempts, which terminates the SSL connection and causes authentication to fail.
Some load balancers deny all renegotiation by default. As a result, they will block vCenter's SSL renegotiation attempts, which terminates the SSL connection and causes authentication to fail.
Resolution
Workaround:
There are several ways to workaround this issue:
Option 1
Permit Secure TLS Renegotiation at the Load Balancer (Recommended)
Load balancers such as Citrix NetScalers use SSL Profiles to configure SSL protocol handling on a per-server, per-service, or per-port basis and support separate internal and external configuration. To workaround this issue, locate the SSL Profile used by vCenter, then change the denySSLReneg setting to NONSECURE. This will permit secure negotiation, resolving the issue. For more information, see the following Citrix documents: For other Load Balancer solutions, please consult the documentation provided by the given vendor about configuring SSL renegotiation.
Option 2
Set up the LDAPS connection URL to bypass the load balancer.
You may also work around this issue by setting the connection URL in the identity source to specify a domain controller rather than using the load balancer. Please note that this will only work if the network traffic from the vCenter to the Domain Controller is not still being routed through the load balancer.
There are several ways to workaround this issue:
Option 1
Permit Secure TLS Renegotiation at the Load Balancer (Recommended)
Load balancers such as Citrix NetScalers use SSL Profiles to configure SSL protocol handling on a per-server, per-service, or per-port basis and support separate internal and external configuration. To workaround this issue, locate the SSL Profile used by vCenter, then change the denySSLReneg setting to NONSECURE. This will permit secure negotiation, resolving the issue. For more information, see the following Citrix documents: For other Load Balancer solutions, please consult the documentation provided by the given vendor about configuring SSL renegotiation.
Option 2
Set up the LDAPS connection URL to bypass the load balancer.
You may also work around this issue by setting the connection URL in the identity source to specify a domain controller rather than using the load balancer. Please note that this will only work if the network traffic from the vCenter to the Domain Controller is not still being routed through the load balancer.
-
-
- In the vSphere Client, navigate to Administration.
- Select Configuration under Single Sign On.
- Within the Identity Sources section, select the AD over LDAP identity source and click Edit.
- Update the Primary server URL to connect directly to a domain controller instead of the load balancer.
- Click Save.
-
Note: If bypassing the load balancer requires a different certificate to be used, the identity source will need to be recreated using the correct one from the domain controller specified in the connection URL.
Additional Information
This will not affect connections which use TLSv1.3, as renegotiation is not used in those cases.
Feedback
Yes
No
Powered by
