Renewing Identity source LDAPS Certificate fails with the error "Cannot configure identity source due to Failed probe provider connectivity [URI: ldaps://xxxx.xxxx.com] caused by can't contact LDAP server"
Article ID: 402946

Products

VMware vCenter Server

Issue/Introduction

When attempting to configure or update the identity source with the new LDAPS certificate, the vCenter UI displays the following error: "Cannot configure identity source due to Failed probe provider connectivity [URI: ldaps://xxxx.xxxx.com] caused by can't contact LDAP server".

In ssoAdminServer.log (path: /var/log/vmware/sso):

INFO ssoAdminServer[104:pool-2-thread-10] [OpId=mcdmduu3-92230-auto-1z60-h5:70011596] [com.vmware.identity.vlsi.RoleBasedAuthorizer] User {Name: XXXX, Domain: XXXX.com} with role 'Administrator' is authorized for method call 'IdentitySourceManagementService.updateLdapAuthnType'
INFO ssoAdminServer[97:pool-2-thread-3] [OpId=mcdmduu3-92230-auto-1z60-h5:70011596] [auditlogger] {\"user\":\"[email protected]\",\"client\":\"\",\"timestamp\",\"description\":\"Updating the authentication type of ldap identity source with name 'XXXX.com' to 'password'\",\"eventSeverity\":\"INFO\",\"type\":\"com.vmware.sso.IdentitySourceManagement\"}
INFO ssoAdminServer[97:pool-2-thread-3] [OpId=mcdmduu3-92230-auto-1z60-h5:70011596] [com.vmware.identity.admin.vlsi.IdentitySourceManagementServiceImpl] [User {Name: XXXX, Domain: XXXX.com} with role 'Administrator'] Updating the authentication type of ldap identity source with name 'XXXX.com' to 'password'
ERROR ssoAdminServer[97:pool-2-thread-3] [OpId=mcdmduu3-92230-auto-1z60-h5:70011596] [com.vmware.identity.interop.ldap.SslX509EqualityMatchVerificationCallback] Server SSL certificate verification failed for [Subject: CN=XXXX.XXXX.com,OU=XX,O=XX,L=XX,ST=XX,C=US] [SHA1 Fingerprint: xx:xx:xx:xx].: No match found in the trusted certificates store.
ERROR ssoAdminServer[97:pool-2-thread-3] [OpId=mcdmduu3-92230-auto-1z60-h5:70011596] [com.vmware.identity.interop.ldap.OpenLdapClientLibrary] Server SSL certificate not trusted;

......
WARN ssoAdminServer[97:pool-2-thread-3] [OpId=mcdmduu3-92230-auto-1z60-h5:70011596] [com.vmware.identity.interop.ldap.LdapErrorChecker] Error received by LDAP client: com.vmware.identity.interop.ldap.OpenLdapClientLibrary, error code: -1
WARN ssoAdminServer[97:pool-2-thread-3] [OpId=mcdmduu3-92230-auto-1z60-h5:70011596] [com.vmware.identity.idm.server.ServerUtils] cannot bind connection: [ldaps://XXXX.XXXX.com, [email protected]]
ERROR ssoAdminServer[97:pool-2-thread-3] [OpId=mcdmduu3-92230-auto-1z60-h5:70011596] [com.vmware.identity.idm.server.ServerUtils] cannot establish ldap connection with URI: [ldaps://xxxx.xxxx.com] because [com.vmware.identity.interop.ldap.ServerDownLdapException] with reason [Can't contact LDAP server] therefore will try to attempt to use secondary URIs, if applicable

Environment

vCenter Server 7.x
vCenter Server 8.x

Cause

vCenter's Secure LDAP requires pre-designated trusted root certificates for secure connection.

If certificate validation fails (for example, after a certificate renewal), delete and re-add the identity source.

Resolution

By design, vCenter's Secure LDAP requires strict certificate validation against the trusted roots registered for the identity source. When external changes (e.g., certificate renewals, CA alterations) break this trust, the established connection is invalidated.
The recommended resolution is to remove and then re-add the existing Secure LDAP Identity Source. This process re-establishes a valid trust relationship with the renewed certificate.

For step-by-step guidance, refer to KB: https://knowledge.broadcom.com/external/article/316596/.
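The log line from SslX509EqualityMatchVerificationCallback shows that vCenter does an equality match: the certificate the LDAPS server presents must be byte-identical to one stored with the identity source, so a renewed certificate (new key, new serial, new fingerprint) fails even when it chains to the same CA. The following added example, which is not part of this KB or of vCenter, reproduces that check so you can confirm a mismatch before removing and re-adding the identity source: it computes the same colon-separated SHA1 fingerprint that ssoAdminServer.log prints and compares the presented certificate against a list of trusted PEM certificates. The fetch helper uses the Python standard library to pull the live certificate from port 636; the sample certificates at the bottom are constructed placeholder bytes, not real certificates, used only to exercise the comparison offline.

```python
import hashlib
import ssl

# Begin/end markers used to split a PEM bundle into individual certificates.
_BEGIN = "-----BEGIN CERTIFICATE-----"
_END = "-----END CERTIFICATE-----"


def sha1_fingerprint(der: bytes) -> str:
    """Colon-separated, upper-case SHA1 fingerprint of DER bytes.

    This is the same format ssoAdminServer.log prints after
    "[SHA1 Fingerprint: ...]", so the value can be compared directly
    with the log line.
    """
    hexdigest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def pem_fingerprint(pem: str) -> str:
    """Fingerprint of a single PEM-encoded certificate."""
    return sha1_fingerprint(ssl.PEM_cert_to_DER_cert(pem))


def split_pem_bundle(bundle: str) -> list:
    """Split a file holding several PEM certificates into one string each."""
    certs = []
    for chunk in bundle.split(_BEGIN)[1:]:
        body = chunk.split(_END)[0]
        certs.append(f"{_BEGIN}{body}{_END}\n")
    return certs


def fetch_server_cert_pem(host: str, port: int = 636) -> str:
    """Fetch the certificate an LDAPS server currently presents (live network call).

    Not exercised offline; `host` is whatever the identity source URI points at.
    """
    return ssl.get_server_certificate((host, port))


def equality_match(presented_pem: str, trusted_pems: list) -> dict:
    """Equality-match check: the presented certificate must be identical to a trusted one.

    Returns the presented fingerprint, the trusted fingerprints and whether
    any of them matches. Chain validation is deliberately NOT performed,
    because that is not what the vCenter callback in the log does.
    """
    presented = pem_fingerprint(presented_pem)
    trusted = [pem_fingerprint(p) for p in trusted_pems]
    return {
        "presented": presented,
        "trusted": trusted,
        "trusted_match": presented in trusted,
    }


# Constructed placeholder DER bytes standing in for the old (stored) and the
# renewed (presented) certificate. Real DER would be an ASN.1 structure; the
# comparison only hashes the bytes, so any distinct byte strings demonstrate it.
OLD_CERT_PEM = ssl.DER_cert_to_PEM_cert(b"constructed-der-bytes-of-the-old-ldaps-cert")
NEW_CERT_PEM = ssl.DER_cert_to_PEM_cert(b"constructed-der-bytes-of-the-renewed-ldaps-cert")
STORE_BUNDLE = OLD_CERT_PEM  # what the identity source still trusts after renewal


def diagnose_renewal(presented_pem: str = NEW_CERT_PEM, store_bundle: str = STORE_BUNDLE) -> dict:
    """Run the check the way a practitioner would after an LDAPS certificate renewal."""
    return equality_match(presented_pem, split_pem_bundle(store_bundle))


if __name__ == "__main__":
    result = diagnose_renewal()
    print("presented:", result["presented"])
    print("trusted:  ", result["trusted"])
    if not result["trusted_match"]:
        print("No match found in the trusted certificates store: "
              "remove and re-add the identity source with the renewed certificate.")
```

To use it against a live server, replace the constructed `NEW_CERT_PEM` with `fetch_server_cert_pem("ldaps-host.example.com")` and the bundle with the certificate file you exported when the identity source was created; a `trusted_match` of `False` reproduces the "No match found in the trusted certificates store" condition from the log, and the printed fingerprint should equal the one in the ERROR line.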

Additional Information

  • If an existing identity source exists with the same domain, that identity source will have to be removed before configuring an LDAPS identity source.
  • If updating or replacing the SSL certificate, the identity source must be removed and re-added. 
  • If the "Username" used during the addition of the Identity Source becomes locked, disabled, or has an expired password, AD user logins to vCenter will fail. The task must be redone, and the AD username and password should be updated.
  • Ensure the account being used to add the identity source is not in a restricted AD group, such as the Protected Users group.