Adding a vCenter Server Single Sign-On Active Directory Identity Source using LDAPS fails when using an external LDAP load balancer
Article ID: 380859
Products
VMware vCenter Server
Issue/Introduction
Adding a vCenter Single Sign-On (SSO) Active Directory identity source over LDAPS fails when the LDAPS endpoint is an external load balancer placed in front of the domain controllers.
Environment
VMware vCenter Server
Cause
This issue arises when the Active Directory domain controllers are placed behind an external load balancer for LDAPS connections.
When vCenter connects to ldaps://ldap.example.com:636, the load balancer forwards the connection to one of the domain controllers in its pool, so the TLS certificate presented to vCenter is that of whichever domain controller was selected for that particular connection.
When ldaps:// is used in either the primary or secondary LDAP URL, vCenter requires a certificate that establishes trust for the LDAPS endpoint. Because any member of the pool may answer, trust must be established for every domain controller behind the load balancer, not only for the one that happened to respond when the identity source was added.
Resolution
Export the LDAPS server certificate of every domain controller behind the load balancer using the OpenSSL command line:
Identify the domain controllers that are members of the load balancer's LDAPS pool.
Connect to the vCenter Server Appliance with SSH and log in as root.
Run the following command to display the certificate chain presented by a domain controller: openssl s_client -connect dc1.domain.com:636 -showcerts
The full certificate chain is displayed. The first certificate in the chain (depth 0) is the domain controller's own certificate.
Copy the complete block from -----BEGIN CERTIFICATE----- through and including -----END CERTIFICATE----- into a text file.
Remove any additional characters after -----END CERTIFICATE-----.
Save the file with a .cer extension.
Repeat the command for each domain controller in the pool, saving a separate .cer file for each. Example: with six domain controllers behind the load balancer, also run openssl s_client -connect dc2.domain.com:636 -showcerts, openssl s_client -connect dc3.domain.com:636 -showcerts, and so on for the remaining domain controllers.
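The manual copy-and-paste above is error-prone when the pool has many members, so the following script automates the same procedure. It is an added example, not part of this article or of vCenter: it connects to each domain controller directly (bypassing the load balancer), keeps only the depth-0 certificate that openssl s_client prints first, strips everything after its END line, writes it to <host>.cer and prints the subject, issuer, expiry and SHA-256 fingerprint so each file can be sanity-checked. The hostnames dc1/dc2/dc3.domain.com and port 636 follow the article; the -servername (SNI) option and the summary output are this example's own additions.

```shell
#!/bin/sh
# Added example, not from the KB article: export the depth-0 (leaf) LDAPS
# certificate of every domain controller behind the load balancer, one .cer
# file per DC, and print a summary of each file so the result can be checked.
# Hostnames (dc1/dc2/dc3.domain.com) and port 636 follow the article;
# -servername (SNI) and the summary fields are this example's additions.

# Read `openssl s_client -showcerts` output on stdin and emit only the first
# PEM block. s_client prints the chain leaf-first, so the first block is the
# domain controller's own certificate; everything after its END line is dropped,
# which is the "remove any additional characters" step of the article.
first_cert() {
    awk '/-----BEGIN CERTIFICATE-----/ { p = 1 }
         p { print }
         /-----END CERTIFICATE-----/ { if (p) exit }'
}

# Connect to one domain controller directly (not through the load balancer),
# extract its leaf certificate and write it to <host>.cer.
export_dc_cert() {
    host="$1"
    port="${2:-636}"
    openssl s_client -connect "$host:$port" -servername "$host" -showcerts \
        </dev/null 2>/dev/null | first_cert > "$host.cer"
    # The file must parse as a certificate; otherwise the connection failed
    # or the server did not present a PEM chain.
    if ! openssl x509 -in "$host.cer" -noout >/dev/null 2>&1; then
        echo "ERROR: no certificate retrieved from $host:$port" >&2
        rm -f "$host.cer"
        return 1
    fi
    echo "== $host.cer"
    openssl x509 -in "$host.cer" -noout -subject -issuer -enddate -fingerprint -sha256
}

# Export every DC named on the command line and report how many succeeded.
# A non-zero exit means at least one pool member still has no .cer file,
# i.e. the identity source would still fail whenever that DC is selected.
export_all() {
    ok=0
    failed=0
    for dc in "$@"; do
        if export_dc_cert "$dc"; then
            ok=$((ok + 1))
        else
            failed=$((failed + 1))
        fi
    done
    echo "exported $ok certificate(s), $failed failure(s)"
    [ "$failed" -eq 0 ]
}

# Usage: ./export_dc_certs.sh dc1.domain.com dc2.domain.com dc3.domain.com
if [ $# -gt 0 ]; then
    export_all "$@"
fi
```

Run it on the vCenter Server Appliance as root with the full list of pool members as arguments; the resulting .cer files are the certificates that establish trust for the LDAPS endpoint. Compare the printed subjects and fingerprints against the domain controllers you expect in the pool before using the files, and rerun the script whenever a domain controller is added to the pool or its certificate is renewed.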