When configuring AD over LDAP, the configuration wizard errors out with "Stronger authentication required".
LDAP ports 389 and 3268 are open from the vCenter server to the domain controller.
Issue does not occur when LDAPS is used instead of LDAP.
This issue is observed when LDAP is disabled on the domain controller or if the domain controller is configured to reject LDAP connections.
This is an expected behavior due to LDAP being disabled on the domain controller.
If the option "any domain controller in the domain" is selected during configuration, the connection from vCenter to the domain controller defaults to LDAP.
To force the connection over LDAPS, provide the signing certificate of the domain controller during AD over LDAP configuration.
Note:
If the "any domain controller in the domain" option is selected and the DC's signing certificate is supplied, the domain controller's certificate must include the DNS name of the domain as well as the DNS name of the DC in its Subject Alternative Name (SAN) field. Otherwise, the IDP configuration errors out with "Can't contact LDAP server".
Ex: SAN entries dns=dc.test.local and dns=test.local
The same requirement applies if the "specific domain controller" option is selected with LDAPS and only the domain name, rather than a specific DC, is entered.
Ex: ldaps://test.local instead of ldaps://dc.test.local
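The SAN rule above is easy to get wrong, so a pre-flight check that compares the DC certificate's DNS SAN entries with the names the wizard will validate is useful before running the configuration. The script below is an added example and is not VMware's code or part of the KB article. The mode constants, function names and the sample certificate dicts are assumptions; the dicts are constructed to match the shape of Python's ssl.SSLSocket.getpeercert() output, and the only real network call (fetch_peercert) is optional and needs a reachable DC plus its CA certificate.

```python
"""Pre-flight check for the SAN names a DC's LDAPS certificate must carry.

Added example, not part of the original KB article. The rule it encodes is the
one the article states: with "any domain controller in the domain", or with a
"specific domain controller" entered by domain name only, the certificate must
list the domain DNS name as well as the DC's own DNS name. Mode names, function
names and the sample certificates below are assumptions.
"""
import socket
import ssl
from urllib.parse import urlsplit

# The two wizard options named in the article (string values are assumed).
ANY_DC = "any domain controller in the domain"
SPECIFIC_DC = "specific domain controller"


def _norm(name):
    """Lower-case a DNS name and drop a trailing dot for comparison."""
    return name.lower().rstrip(".")


def required_san_names(mode, domain, dc_fqdn, ldaps_url=None):
    """Return the set of DNS names the DC certificate must present.

    mode      -- ANY_DC or SPECIFIC_DC
    domain    -- the AD DNS domain, e.g. "test.local"
    dc_fqdn   -- the DC that answers the bind, e.g. "dc.test.local"
    ldaps_url -- URL entered for SPECIFIC_DC, e.g. "ldaps://test.local"
    """
    names = {_norm(dc_fqdn)}
    if mode == ANY_DC:
        # The wizard may reach the DC through the domain name, so it must be in the SAN too.
        names.add(_norm(domain))
    elif mode == SPECIFIC_DC:
        if not ldaps_url:
            raise ValueError("SPECIFIC_DC mode needs the ldaps:// URL from the wizard")
        # Whatever host is in the URL is what TLS hostname validation checks.
        names.add(_norm(urlsplit(ldaps_url).hostname or ""))
    else:
        raise ValueError("unknown mode: %r" % (mode,))
    return names


def san_dns_names(peercert):
    """DNS entries from a dict shaped like ssl.SSLSocket.getpeercert() output."""
    return {_norm(v) for k, v in peercert.get("subjectAltName", ()) if k == "DNS"}


def _san_matches(san, name):
    """Exact match, or a single-label wildcard such as *.test.local matching dc.test.local."""
    if san == name:
        return True
    if san.startswith("*."):
        _head, sep, tail = name.partition(".")
        return bool(sep) and tail == san[2:]
    return False


def missing_san_names(peercert, required):
    """Sorted list of required names that no SAN entry satisfies (empty means OK)."""
    sans = san_dns_names(peercert)
    return sorted(n for n in required if not any(_san_matches(s, n) for s in sans))


def fetch_peercert(host, port=636, cafile=None, timeout=5.0):
    """Fetch the DC's certificate over TLS (needs network and a trusted CA file).

    check_hostname is disabled on purpose so a SAN mismatch is reported by
    missing_san_names() instead of aborting the handshake; chain validation stays on.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed samples in getpeercert() shape; not real domain controller certificates.
CERT_DC_ONLY = {
    "subject": ((("commonName", "dc.test.local"),),),
    "subjectAltName": (("DNS", "dc.test.local"),),
}
CERT_DC_AND_DOMAIN = {
    "subject": ((("commonName", "dc.test.local"),),),
    "subjectAltName": (("DNS", "dc.test.local"), ("DNS", "test.local")),
}

if __name__ == "__main__":
    need = required_san_names(ANY_DC, "test.local", "dc.test.local")
    for label, cert in (("DC name only", CERT_DC_ONLY), ("DC + domain", CERT_DC_AND_DOMAIN)):
        gap = missing_san_names(cert, need)
        print("%-12s missing=%s -> %s" % (label, gap, "OK" if not gap else "will fail"))
```

For a live check, replace the sample dicts with `fetch_peercert("dc.test.local", cafile="/path/to/dc-ca.pem")` and pass the result to `missing_san_names()`; a non-empty list is the condition that produces "Can't contact LDAP server" in the wizard.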