Failed to probe provider connectivity: " Caused by: Can't contact LDAP server " error while configuring Active Directory LDAP
Article ID: 394249

Products

VMware vCenter Server

Issue/Introduction

  • While configuring an identity source of type Active Directory over LDAP on the vCenter Server Appliance using the vSphere Client, the following error is thrown:

    "Cannot configure identity source due to Failed to probe provider connectivity [URI:ldaps://<LDAP Server FQDN/IP>:636 ]; tenantName [###.###], userName [cn=###,dc=###,dc=###] Caused by: Can't contact LDAP server"

  • In /var/log/vmware/sso/ssoAdminServer.log:

    YYYY-MM-DDTHH:MM:SS ERROR ssoAdminServer[103:pool-2-thread-2] [OpId=####-####-####-####] [com.vmware.identity.admin.server.ims.impl.IdentitySourceManagementImpl] Failed to probe provider connectivity [URI: ldap://<primary LDAP server FQDN/IP>:636 ldap://<secondary LDAP server FQDN/IP>:636 ]; tenantName [###.###], userName [cn=###,dc=###,dc=###]
    at com.vmware.identity.idm.server.IdentityManager.probeProviderConnectivity(IdentityManager.java:2979) ~[vmware-identity-idm-server-7.0.0.jar:?]
    at com.vmware.identity.idm.server.IdentityManager.setProvider(IdentityManager.java:2646) ~[vmware-identity-idm-server-7.0.0.jar:?]
    at com.vmware.identity.idm.server.IdentityManager.setProvider(IdentityManager.java:10005) ~[vmware-identity-idm-server-7.0.0.jar:?]
    at com.vmware.identity.idm.client.CasIdmClient.setProvider(CasIdmClient.java:944) ~[vmware-identity-idm-client-7.0.0.jar:?]
    at com.vmware.identity.admin.server.ims.impl.IdentitySourceManagementImpl.updateLdapAuthnType(IdentitySourceManagementImpl.java:601) [sso-adminserver-7.0.0.jar:?]
    at com.vmware.identity.admin.vlsi.IdentitySourceManagementServiceImpl$9.call(IdentitySourceManagementServiceImpl.java:334) [sso-adminserver-7.0.0.jar:?]

  • Running openssl s_client -connect <LDAP server FQDN/IP>:636 -showcerts confirms that the port is reachable, but the AD server's certificate is not returned:

    CONNECTED (00000003)

    write:errno=104
    no peer certificate available
    No client certificate CA names sent
    -
    SSL handshake has read 0 bytes and written 285 bytes
    Verification: OK
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    Early data was not sent
    Verify return code: 0 (ok)

Environment

vCenter Server - 7.0.x
vCenter Server - 8.0.x

Cause

This issue occurs when the certificate issued to the Active Directory (LDAP) server carries an incorrect Subject Alternative Name (SAN).
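The openssl output above and the SAN cause are two ends of the same diagnosis, so the following added example (not part of the KB article or of VMware's tooling) pulls them together in one script that can run on the appliance or any host with Python 3. It classifies saved openssl s_client output into "port closed", "TCP connected but the server reset the handshake before sending a certificate" (the write:errno=104 / no peer certificate case shown above) or "certificate returned"; it checks whether a certificate's SAN entries actually cover the hostname or IP that appears in the identity source URI, using the tuple format ssl.getpeercert() returns; and it offers a live probe that verifies the chain but performs the SAN check itself so the verdict names the SAN entries rather than a generic handshake failure. The host names, IP addresses, SAN values and the sample s_client transcript are constructed for illustration.

```python
"""Separate the failure modes behind vCenter's "Can't contact LDAP server"
probe error against an LDAPS (636) endpoint: closed port, handshake reset
before a certificate is sent, or a certificate whose SAN does not cover the
host named in the identity source URI. Stand-alone example; all host names,
addresses and the sample transcript below are constructed, not real.
"""
import ipaddress
import socket
import ssl
from typing import Optional, Tuple

# Same shape as ssl.SSLSocket.getpeercert()['subjectAltName']: ((type, value), ...)
SanTuple = Tuple[Tuple[str, str], ...]

# Constructed transcript mirroring the KB's openssl s_client output: the TCP
# connect succeeds, then the peer resets the connection (errno 104) before
# any certificate is sent.
SAMPLE_S_CLIENT_RESET = """CONNECTED(00000003)
write:errno=104
no peer certificate available
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 285 bytes
Verification: OK
New, (NONE), Cipher is (NONE)
Verify return code: 0 (ok)
"""


def classify_s_client_output(output: str) -> str:
    """Classify saved 'openssl s_client -connect host:636 -showcerts' output."""
    if "connect:errno=" in output or "Connection refused" in output:
        return "port-closed"          # TCP never connected
    if "no peer certificate available" in output:
        return "tls-reset-no-cert"    # TCP connected, handshake torn down
    if "BEGIN CERTIFICATE" in output:
        return "cert-returned"        # a chain came back; now check its SAN
    return "unknown"


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style matching: case-insensitive; a leading '*.' replaces
    exactly one left-most label and never the whole name."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    parts = hostname.split(".", 1)
    return len(parts) == 2 and parts[1] == pattern[2:]


def san_covers_host(san: SanTuple, host: str) -> bool:
    """True when a SAN entry covers `host` (DNS name or IP literal). A
    certificate with no SAN, or a SAN that names another host, never
    matches, which is the misconfiguration this article describes."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    for san_type, value in san:
        if ip is not None and san_type == "IP Address":
            try:
                if ipaddress.ip_address(value) == ip:
                    return True
            except ValueError:
                continue
        elif ip is None and san_type == "DNS" and _dns_name_matches(value, host):
            return True
    return False


def probe_ldaps(host: str, port: int = 636, cafile: Optional[str] = None,
                timeout: float = 5.0) -> str:
    """Live probe (needs network). The chain is verified against `cafile` or
    the system store, but the hostname check is done by san_covers_host()
    so a mismatch reports the actual SAN entries."""
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return f"port-closed: {exc}"
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False            # SAN check is done below instead
    ctx.verify_mode = ssl.CERT_REQUIRED   # still require a trusted chain
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            san = tls.getpeercert().get("subjectAltName", ())
    except (ConnectionResetError, ssl.SSLEOFError) as exc:
        return f"tls-reset-no-cert: peer closed the handshake ({exc})"
    except ssl.SSLCertVerificationError as exc:
        return f"untrusted-chain: {exc.verify_message}"
    except ssl.SSLError as exc:
        return f"tls-error: {exc}"
    if san_covers_host(san, host):
        return f"ok: SAN {san} covers {host}"
    return f"san-mismatch: SAN {san} does not cover {host}"


if __name__ == "__main__":
    # Offline demonstration on constructed data only (no network access).
    print(classify_s_client_output(SAMPLE_S_CLIENT_RESET))
    constructed_san = (("DNS", "dc01.corp.example"), ("IP Address", "10.0.0.5"))
    print(san_covers_host(constructed_san, "dc01.corp.example"))   # True
    print(san_covers_host(constructed_san, "ldap.corp.example"))   # False
```

To use the live probe, call probe_ldaps() with exactly the FQDN or IP that is typed into the identity source URI and, optionally, the path to the issuing CA certificate; a "san-mismatch" verdict means the URI must use a name the certificate actually lists, or the domain controller needs a certificate re-issued with the correct SAN.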

Resolution