Active Directory LDAPS Configuration Fails with "Failed to probe provider connectivity" due to LDAPs certificate not being received by vCenter



Article ID: 414872


Products

VMware vCenter Server

Issue/Introduction

  • When adding an Identity Source of type Active Directory over LDAP with an ldaps:// URL, the operation fails with the error:

    "Cannot configure identity source due to Failed to probe provider connectivity [URI:ldaps://<LDAP_Server_or_DC_FQDN/IP>:636 ]; tenantName [###.###], userName [cn=###,dc=###,dc=###] Caused by: Can't contact LDAP server"

  • Entries in /var/log/vmware/sso/ssoAdminServer.log on the vCenter Server show that the bind to the LDAP server fails before any LDAP operation takes place:

YYYY-MM-DDThh:mm:ss INFO ssoAdminServer[##:pool-#-thread-#] [OpId=###-###-###] [auditlogger] {\"user\":\"<vsphere_user>@<local_sso>\",\"client\":\"\",\"timestamp\":\"#####\",\"description\":\"Updating ldap identity source '<domain>:' details to
...
YYYY-MM-DDThh:mm:ss WARN ssoAdminServer[##:pool-#-thread-#] [OpId=###-###-###] [com.vmware.identity.idm.server.ServerUtils] cannot bind connection: [ldaps://<LDAP_Server_or_DC_FQDN/IP>:636,<domainUser>@<domain>]
YYYY-MM-DDThh:mm:ss ERROR ssoAdminServer[##:pool-#-thread-#] [OpId=###-###-###] [com.vmware.identity.idm.server.ServerUtils] cannot establish ldap connection with URI: [ldaps://<LDAP_Server_or_DC_FQDN/IP>:636] because [com.vmware.identity.interop.ldap.ServerDownLdapException] with reason [Can't contact LDAP server] therefore will try to attempt to use secondary URIs, if applicable
YYYY-MM-DDThh:mm:ss WARN ssoAdminServer[##:pool-#-thread-#] [OpId=###-###-###] [com.vmware.identity.idm.server.IdentityManager] Failed to probe provider connectivity [URI: ldaps://<LDAP_Server_or_DC_FQDN/IP>:636 ]; tenantName [<local_sso>], userName [<domainUser>@<domain>]
YYYY-MM-DDThh:mm:ss ERROR ssoAdminServer[##:pool-#-thread-#] [OpId=###-###-###] [com.vmware.identity.idm.server.ServerUtils] Exception 'com.vmware.identity.idm.IDMLoginException: Failed to probe provider connectivity [URI: ldaps://<LDAP_Server_or_DC_FQDN/IP>:636 ]; tenantName [<local_sso>], userName <domainUser>@<domain>]'
YYYY-MM-DDThh:mm:ss ERROR ssoAdminServer[##:pool-#-thread-#] [OpId=###-###-###] [com.vmware.identity.admin.server.ims.impl.IdentitySourceManagementImpl] Failed to probe provider connectivity [URI: ldaps://<LDAP_Server_or_DC_FQDN/IP>:636 ]; tenantName [<local_sso>], userName [<domainUser>@<domain>]
YYYY-MM-DDThh:mm:ss INFO ssoAdminServer[##:pool-#-thread-#] [OpId=###-###-###] [com.vmware.identity.admin.vlsi.IdentitySourceManagementServiceImpl] Failed to probe provider connectivity [URI: ldaps://<LDAP_Server_or_DC_FQDN/IP>:636 ]; tenantName [<local_sso>], userName [<domainUser>@<domain>]

  • The DNS servers configured on the vCenter Server resolve both the forward and the reverse lookup of the domain name and of the LDAP server correctly, so name resolution is not the cause:

root@<vcenter> [ ~ ]# nslookup <AD_server_fqdn/domain>
Server:         <DNS_server_fqdn>
Address:        <DNS_server_IP>
Name:   <AD_server_fqdn/domain>
Address: <AD_server/domaincontroller_IP>

root@<vcenter> [ ~ ]# nslookup <AD_server/domaincontroller_IP>
Server:         <DNS_server_fqdn>
Address:        <DNS_server_IP>
<AD_server/domaincontroller_IP>.in-addr.arpa      name = <AD_server_fqdn/domain>

  • Querying the AD server with openssl from the vCenter Server shows that the TCP connection to port 636 is accepted but no certificate comes back. Read the output carefully: CONNECTED means the TCP handshake completed; write:errno=104 is ECONNRESET, meaning the peer, or something on the path, reset the connection after the Client Hello was written; "no peer certificate available" confirms that no Server Hello or Certificate message was received. The trailing "Verification: OK" is not evidence of a valid certificate, since nothing was verified:

    root@<vcenter> [ ~ ]# openssl s_client -connect <AD_server/domaincontroller_fqdn_or_IP>:636 -showcerts
    CONNECTED(00000003)
    write:errno=104
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 0 bytes and written 314 bytes
    Verification: OK

  • The LDAP server itself is confirmed to present a valid certificate by running the same openssl query from another node (for example a second vCenter Server, or a client in a different network segment). There the certificate chain is received, which confirms that the LDAPS service is working and narrows the problem to the network path between this vCenter Server and the Domain Controller:

    root@alternate-node [ ~ ]# openssl s_client -connect <AD_server/domaincontroller_fqdn_or_IP>:636 -showcerts
    CONNECTED(00000003)
    depth=1 DC = ####### CN = #####
    verify return:1
    ---
    Certificate chain
    0 s:CN = #######
      i:DC = #######, CN = #######
    ---

Cause

This issue occurs when the vCenter Server does not receive the LDAPS server's certificate, so the TLS handshake, and therefore the LDAP bind, can never complete. Confirm this with a packet capture on the vCenter Server for port 636 (substitute the correct interface for eth0) while reproducing the identity source configuration:

tcpdump -i eth0 -w /tmp/ldap_trace.pcap port 636

Open the capture and filter on the LDAP server IP address (in Wireshark, for example: ip.addr == <AD_server/domaincontroller_IP> && tcp.port == 636). It shows that the vCenter Server completes the TCP three-way handshake and sends the TLS Client Hello, but never receives a Server Hello or the Certificate message that follows it. This matches the openssl output above: the port is open, but the handshake reply is lost or rejected on the way back.
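The openssl and tcpdump checks above both hinge on one distinction: TCP port 636 is reachable, yet the TLS handshake never gets a reply. The following Python 3 script is an added example, not part of this article or of vCenter, that makes that distinction explicit by reporting how far a connection to an LDAPS endpoint gets (TCP refused, TCP timeout, reset after Client Hello, no reply after Client Hello, TLS-level failure, or success). It assumes a host with network access to the Domain Controller; the loopback listeners it includes are constructed test doubles that reproduce the "reset after Client Hello" and "silent drop" symptoms so the classification can be exercised without a real AD server.

```python
"""Stage-aware LDAPS probe: tells "port 636 is open" apart from "a TLS
handshake completes and a certificate arrives". Added example; not vCenter code."""
import errno
import socket
import ssl
import struct
import sys
import threading
import time


def probe_ldaps(host: str, port: int = 636, timeout: float = 5.0) -> dict:
    """Connect to host:port, attempt a TLS handshake, report how far it got.

    'stage' is one of:
      tcp_refused  RST on the SYN: nothing listening, or a firewall rejecting
      tcp_timeout  no SYN/ACK: packets silently dropped on the path
      tcp_error    other socket error before the handshake (route, DNS, ...)
      tls_reset    TCP connected, Client Hello sent, then ECONNRESET
                   (what openssl s_client prints as write:errno=104)
      tls_eof      TCP connected, peer closed cleanly without a Server Hello
      tls_timeout  TCP connected, Client Hello sent, no reply at all
      tls_error    a reply arrived but the handshake failed on TLS grounds
                   (protocol version, cipher suite, certificate problem)
      ok           handshake completed; 'detail' describes the certificate
    """
    ctx = ssl.create_default_context()
    # Verification is deliberately off: the question is whether a certificate
    # reaches us at all, not whether it chains to a CA we trust.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError as exc:
        return {"stage": "tcp_refused", "detail": str(exc)}
    except socket.timeout:
        return {"stage": "tcp_timeout", "detail": "no SYN/ACK within %.1fs" % timeout}
    except OSError as exc:
        return {"stage": "tcp_error", "detail": str(exc)}

    with raw:
        try:
            tls = ctx.wrap_socket(raw, server_hostname=host)  # sends Client Hello
        except ConnectionResetError as exc:
            return {"stage": "tls_reset", "detail": str(exc)}
        except ssl.SSLEOFError as exc:          # subclass of SSLError, so first
            return {"stage": "tls_eof", "detail": str(exc)}
        except socket.timeout:
            return {"stage": "tls_timeout",
                    "detail": "Client Hello sent, no Server Hello within %.1fs" % timeout}
        except ssl.SSLError as exc:
            return {"stage": "tls_error", "detail": str(exc)}
        except OSError as exc:
            if exc.errno == errno.ECONNRESET:
                return {"stage": "tls_reset", "detail": str(exc)}
            return {"stage": "tcp_error", "detail": str(exc)}
        with tls:
            leaf = tls.getpeercert(binary_form=True) or b""
            return {"stage": "ok",
                    "detail": "%s, %d-byte leaf certificate received" % (tls.version(), len(leaf))}


def start_broken_listener(behaviour: str) -> int:
    """Constructed loopback test double (not an LDAP server) that reproduces a
    broken path; returns the port it listens on.
      'reset'  read the Client Hello, then close with RST (like a middlebox that
               tears the session down instead of forwarding the server's reply)
      'silent' read the Client Hello and never answer (like a path that drops
               the Server Hello / Certificate segments)
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        srv.close()
        conn.settimeout(5)
        try:
            conn.recv(4096)  # swallow the Client Hello
            if behaviour == "reset":
                # SO_LINGER with a zero timeout makes close() emit RST, not FIN.
                conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
            else:
                time.sleep(3)  # hold the connection open and reply with nothing
        except OSError:
            pass
        conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def closed_port() -> int:
    """Pick a loopback port with no listener (to exercise the tcp_refused stage)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    # Usage: python3 ldaps_probe.py <dc_fqdn_or_ip> [port]
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    tport = int(sys.argv[2]) if len(sys.argv) > 2 else 636
    print(probe_ldaps(target, tport))
```

Run it from the affected vCenter Server against the Domain Controller and again from the alternate node: a result of tls_reset or tls_timeout on the vCenter Server with ok elsewhere is the same evidence the openssl and tcpdump steps give, in one line, and the stage name tells the network team whether to look for a rejection (reset) or a silent drop (timeout) on the return path.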

Resolution

This is not a Broadcom issue. The behaviour is environmental and lies outside the vSphere stack: the vCenter Server sends its Client Hello correctly and is simply never answered.

Engage your network administration team to examine every hop between the Domain Controller and the vCenter Server (firewalls, TLS-inspecting proxies, load balancers, VPN tunnels) and resolve whatever is blocking or resetting the return traffic or limiting packet size. The Server Hello and certificate chain from a Domain Controller are typically several kilobytes and span multiple TCP segments, so an MTU or fragmentation problem on the path can drop exactly these packets while the small Client Hello gets through. Once openssl s_client from the vCenter Server returns the certificate chain, retry adding the identity source.

Additional Information

Cannot configure Active directory over ldap identity source with error: "Failed Probe Provider Connectivity"

Configuring a vCenter Single Sign-On Identity Source using LDAP with SSL (LDAPS)

Active Directory over LDAP and OpenLDAP Server Identity Source Settings