This knowledge base article explains how AD FS works with vCenter.
VMware vCenter Server 8.x
Choosing LDAP instead of LDAPS just to avoid updating the DC certificate once every 1 or 2 years is not a good idea and is not recommended.
As per Configure vCenter Server Identity Provider Federation for AD FS, LDAPS is required by design to configure AD FS.
The AD FS configuration sets up LDAPS URLs so that vCenter can query the users and groups in AD.
vCenter logins now consist of 2 parts: authentication and authorization.
Authentication can be done via a redirect to AD FS, which then confirms that the user credentials are accurate.
Authorization, however, requires vCenter to look up whether the user has the proper permissions to access vCenter and whether the user is a member of any AD group that has permissions in vCenter. This lookup is done via LDAPS queries.
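Because the authorization lookup runs over LDAPS, the DC certificate's remaining lifetime is worth monitoring. The following check is an added example, not VMware code; the 30-day threshold, the host name and the CA file path are assumptions.

```python
import socket
import ssl
import sys
import time

WARN_DAYS = 30  # assumed alert threshold; not a value from this article


def days_remaining(not_after, now=None):
    """Whole days until notAfter (string format returned by getpeercert())."""
    now = time.time() if now is None else now
    return int((ssl.cert_time_to_seconds(not_after) - now) // 86400)


def classify(not_after, now=None, warn_days=WARN_DAYS):
    """Map the remaining lifetime to OK / RENEW_SOON / EXPIRED."""
    days = days_remaining(not_after, now)
    if days < 0:
        return "EXPIRED"
    return "RENEW_SOON" if days <= warn_days else "OK"


def check_ldaps(host, port=636, cafile=None, timeout=5):
    """Handshake with the DC's LDAPS port, validating chain and host name.

    cafile is the PEM of the CA that issued the DC certificate (assumed to
    be an internal CA). Returns (status, detail).
    """
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                not_after = tls.getpeercert()["notAfter"]
    except ssl.SSLCertVerificationError as exc:
        # An expired or untrusted certificate fails here, before any LDAP query.
        return "VERIFY_FAILED", exc.verify_message
    except OSError as exc:
        return "UNREACHABLE", str(exc)
    return classify(not_after), not_after


if __name__ == "__main__":
    # Usage: python check_ldaps_cert.py dc01.example.internal /path/to/ca.pem
    # (host name and CA path are placeholders)
    if len(sys.argv) < 2:
        sys.exit("usage: check_ldaps_cert.py HOST [CA_PEM]")
    ca = sys.argv[2] if len(sys.argv) > 2 else None
    status, detail = check_ldaps(sys.argv[1], cafile=ca)
    print(f"{sys.argv[1]}:636 {status} ({detail})")
    sys.exit(0 if status == "OK" else 1)
```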
Tech Document: Configure vCenter Server Identity Provider Federation for AD FS.
To configure AD FS on vCenter, use the KB: Configure ADFS 2.0 for SSO Integration.