AD authentication failure in vCenter due to LDAPS certificate mismatch

Article ID: 383112

Products

VMware vCenter Server

Issue/Introduction

  • Login attempts to the vSphere Client with AD accounts fail with the message "invalid credentials".
  • websso.log (log path: /var/log/vmware/sso/websso.log) reports that it cannot bind a connection to the domain controller:

YYYY-MM-DDTHH:MM WARN websso[87:tomcat-http--##] [CorId=3fe9####-####-####-####-############] [com.vmware.identity.idm.server.ServerUtils] cannot bind connection: [ldaps://<DomainController_FQDN>:3269, <Domain_name>\\<AD_username>]
YYYY-MM-DDTHH:MM ERROR websso[87:tomcat-http--##] [CorId=3fe9####-####-####-####-############] [com.vmware.identity.idm.server.ServerUtils] cannot establish ldap connection with URI: [ldaps://<DomainController_FQDN>:3269] because [com.vmware.identity.interop.ldap.ServerDownLdapException] with reason [Can't contact LDAP server] therefore will try to attempt to use secondary URIs, if applicable
YYYY-MM-DDTHH:MM ERROR websso[87:tomcat-http--##] [CorId=3fe9####-####-####-####-############] [com.vmware.identity.idm.server.provider.BaseLdapProvider] com.vmware.identity.interop.ldap.ServerDownLdapException: Can't contact LDAP server\nLDAP error [code: -1]

  • Subsequent entries in websso.log indicate that the leaf certificate presented by the Domain Controller (DC) during the LDAPS negotiation failed verification against the trusted root/intermediate certificates residing in the VMware Endpoint Certificate Store (VECS):

YYYY-MM-DDTHH:MM ERROR websso[56:tomcat-http--10] [CorId=3fe9####-####-####-####-############] [com.vmware.identity.interop.ldap.SslX509EqualityMatchVerificationCallback] Server SSL certificate verification failed for [Subject: ] [SHA1 Fingerprint:F1:96:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:45].: \nServer SSL certificate not a trusted certificate nor signed by a trusted certificate\n\nServer SSL certificate.
\n\n]\njava.security.SignatureException: Signature does not match.\n\nTrusted certificate 1:

  • The LDAPS certificate on the domain controller had been renewed, but the certificate had not been updated in the vCenter identity source.

Environment

  • vCenter 7.x
  • vCenter 8.x

Cause

A certificate trust mismatch occurs when the LDAPS certificate presented by the Domain Controller (DC) does not match the certificates stored in the vCenter identity source.

Resolution

1. Run the following commands over SSH on the vCenter Server to list the certificates currently stored for the LDAPS AD identity source:

# SSO domain name as an LDAP DN (example.com -> dc=example,dc=com) and as a plain name
d1=$(sed -E 's/\./,/g ; s/([,^]+)/&dc=/g ; s/^/dc=/' /etc/vmware/install-defaults/vmdir.domain-name)
d2=$(cat /etc/vmware/install-defaults/vmdir.domain-name)
# Host name taken from the Lookup Service URL
psc=$(/usr/lib/vmware-vmafd/bin/vmafd-cli get-ls-location --server-name localhost | cut -d / -f 3 | cut -d : -f 1)
# Prompts for the SSO administrator password and prints the stored userCertificate values
/opt/likewise/bin/ldapsearch -LLL -h "$psc" -p 389 \
  -b "cn=IdentityProviders,cn=$d2,cn=Tenants,cn=IdentityManager,cn=Services,$d1" \
  -D "cn=administrator,cn=users,$d1" -W '(objectclass=vmwSTSIdentityStore)' userCertificate

2. Run the following command to see the certificate chain currently presented by each LDAPS server:

echo -n | openssl s_client -connect <LDAPS_FQDN>:<LDAPS_Port> -showcerts

Example:
echo -n | openssl s_client -connect ADserver.example.com:636 -showcerts

3. Compare the output of the two commands for each LDAPS server to confirm the certificate mismatch.

4. Once the mismatch is confirmed, remove the existing AD over LDAP identity source and re-configure it in vCenter for the affected domain with the correct LDAPS certificate chain.

Refer to the KB article Configuring a vCenter Single Sign-On Identity Source using LDAP with SSL (LDAPS) to configure the AD over LDAP identity source.
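As an added example (not part of this KB article), the comparison in step 3 can be automated: the script below parses the base64 userCertificate values from the ldapsearch output of step 1 and the PEM chain from the openssl output of step 2, computes SHA-1 fingerprints (the form websso.log prints), and reports any certificate the DC presents that the identity source does not hold. The certificate bytes and the folded LDIF entry are constructed stand-ins so it runs offline, and all function and variable names are this example's own.

```python
import base64
import hashlib
import re

# Constructed stand-ins for DER certificates so the example runs offline; the real
# DER bytes come from the ldapsearch (step 1) and openssl s_client (step 2) output.
OLD_DC_DER = b"constructed: DC certificate stored in the vCenter identity source"
NEW_DC_DER = b"constructed: renewed DC certificate now presented over LDAPS"

def ldif_certificates(ldif_text):
    """DER blobs from 'userCertificate::' attributes in ldapsearch -LLL output.
    LDIF folds long values; a continuation line starts with one space."""
    unfolded = re.sub(r"\n ", "", ldif_text)
    values = re.findall(r"^userCertificate:: *(\S+)", unfolded, re.M)
    return [base64.b64decode(v) for v in values]

def pem_certificates(pem_text):
    """DER blobs from every PEM CERTIFICATE block in openssl s_client -showcerts output."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    return [base64.b64decode("".join(b.split())) for b in blocks]

def sha1_fingerprint(der):
    """Colon-separated SHA-1 fingerprint, the form websso.log and openssl x509 print."""
    return ":".join(f"{b:02X}" for b in hashlib.sha1(der).digest())

def compare_chains(stored_ldif, live_pem):
    """Fingerprints stored in vCenter, presented live, and live ones vCenter lacks."""
    stored = {sha1_fingerprint(d) for d in ldif_certificates(stored_ldif)}
    live = {sha1_fingerprint(d) for d in pem_certificates(live_pem)}
    return {"stored": stored, "live": live, "missing_from_vcenter": live - stored}

def ldif_entry(der):
    """Constructed ldapsearch output with the base64 value folded after 20 characters."""
    b64 = base64.b64encode(der).decode()
    return f"dn: cn=<identity source>\nuserCertificate:: {b64[:20]}\n {b64[20:]}\n\n"

def pem_chain(*ders):
    """Constructed s_client -showcerts style output, leaf certificate first."""
    return "CONNECTED(00000003)\n" + "".join(
        "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(d).decode()
        + "\n-----END CERTIFICATE-----\n" for d in ders)

STORED_LDIF = ldif_entry(OLD_DC_DER)   # what the identity source still holds
LIVE_PEM = pem_chain(NEW_DC_DER)        # what the DC presents after renewal

for fp in sorted(compare_chains(STORED_LDIF, LIVE_PEM)["missing_from_vcenter"]):
    print("presented by DC but missing from vCenter identity source:", fp)
```

On a real system, save the output of step 1 and step 2 to files and pass their contents to compare_chains; an empty missing_from_vcenter set means the stored and live chains agree.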