YYYY-MM-DDTHH:MM:SS.824+0300 ERROR [common,d35bff1c456a4b5d,f0e8] [c.v.e.s.e.h.LocalizableRuntimeExceptionHandler,http-nio-127.0.0.1-7100-exec-68] [RR02NT] IDENTITY_PROVIDER_BAD_REQUEST Identity Bad requestcom.vmware.evo.sddc.identity.rest.api.error.IdentityProviderBadRequestException: Identity Bad request at com.vmware.evo.sddc.identity.rest.api.controller.v1.IdentityProviderController.addEmbeddedIdentitySource(IdentityProviderController.java:159) at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77) at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43).. at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:63) at java.base/java.lang.Thread.run(Thread.java:840)Caused by: com.vmware.vim.sso.admin.exception.DirectoryServiceConnectionException: Failed to probe provider connectivity [URI: ldap://IPofLDAPServer:389 ]; tenantName [vsphere.local], userName [ssuc\svcadmin]Caused by: Strong(er) authentication required at com.vmware.vim.sso.admin.client.vmomi.impl.VmomiClientCommand.execute(VmomiClientCommand.java:147) at com.vmware.vim.sso.admin.client.vmomi.impl.VmomiClientCommand.executeEnsuringDomainErrorIs(VmomiClientCommand.java:248) at com.vmware.vim.sso.admin.client.vmomi.impl.IdentitySourceManagementImpl.registerLdap(IdentitySourceManagementImpl.java:98) at com.vmware.evo.sddc.identity.services.IdentityProviderServiceImpl.addEmbeddedIdentitySource(IdentityProviderServiceImpl.java:986)

VMware Cloud Foundation 5.2
The "Strong(er) authentication required" message is a direct error from the Active Directory server: it explicitly signifies that the domain controller demands a stronger authentication method than the client offered. Because SDDC Manager is being configured for "Active Directory over LDAP" (which typically means an unencrypted, non-SSL/TLS LDAP connection, as the ldap://...:389 URI in the log shows), the error indicates a mismatch between SDDC Manager's client-side authentication method and the LDAP channel binding and LDAP signing policies enforced on the Active Directory server. See https://support.microsoft.com/en-us/topic/2020-2023-and-2024-ldap-channel-binding-and-ldap-signing-requirements-for-windows-kb4520412-ef185fb8-00f7-167d-744c-f299a66fc00a
Change the domain controller settings as follows so that the LDAP connection is accepted:
Computer Configuration > Policies > Security Settings > Local Policies > Security Options.
Domain controller: LDAP server channel binding token requirements – “When Supported”
Domain controller: LDAP server signing requirements – “None”
Domain controller: LDAP server signing requirements Enforcement – “Disabled”
Network security: LDAP client encryption requirements – “Negotiate Sealing”
Network security: LDAP client signing requirements – “Negotiate Signing”
Once configured, reboot the AD server and then add the Identity provider in SDDC manager.
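The settings above relax what the linked Microsoft article recommends, so it is worth confirming what the domain controller is actually enforcing after the policy refresh and which clients are still binding without signing. The following PowerShell is an added example, not part of the original article or of any VMware tooling; it is meant to be run elevated on the domain controller. It reads the registry values behind the policies listed above (LDAPServerIntegrity, LdapEnforceChannelBinding and LDAPClientIntegrity are the documented value names; LDAPClientConfidentiality for "LDAP client encryption requirements" is my assumption) and then lists clients recorded by Directory Service event 2889, which the DC writes once the "16 LDAP Interface Events" diagnostic level is set to 2. The SDDC Manager address should show up there as a simple bind over cleartext if it is the client hitting "Strong(er) authentication required".

```powershell
# Added example (not from the original article). Run elevated on the domain controller
# after the Group Policy has been applied (gpupdate /force) or after the reboot.

$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$ldap = 'HKLM:\SYSTEM\CurrentControlSet\Services\LDAP'

function Get-RegDword($Path, $Name) {
    # A missing value means the policy is "Not Defined" and the OS default applies
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# Numeric value -> policy text, as documented for these registry values
$serverIntegrity = @{ 1 = 'None'; 2 = 'Require signing' }
$channelBinding  = @{ 0 = 'Never'; 1 = 'When supported'; 2 = 'Always' }
$clientIntegrity = @{ 0 = 'None'; 1 = 'Negotiate signing'; 2 = 'Require signing' }
$clientSealing   = @{ 0 = 'None'; 1 = 'Negotiate sealing'; 2 = 'Require sealing' }

$settings = @(
    [pscustomobject]@{ Policy = 'Domain controller: LDAP server signing requirements'
                       Value  = (Get-RegDword $ntds 'LDAPServerIntegrity');       Map = $serverIntegrity },
    [pscustomobject]@{ Policy = 'Domain controller: LDAP server channel binding token requirements'
                       Value  = (Get-RegDword $ntds 'LdapEnforceChannelBinding');  Map = $channelBinding },
    [pscustomobject]@{ Policy = 'Network security: LDAP client signing requirements'
                       Value  = (Get-RegDword $ldap 'LDAPClientIntegrity');        Map = $clientIntegrity },
    # Assumed value name for the newer "LDAP client encryption requirements" policy
    [pscustomobject]@{ Policy = 'Network security: LDAP client encryption requirements'
                       Value  = (Get-RegDword $ldap 'LDAPClientConfidentiality');  Map = $clientSealing }
)

'Effective LDAP policy values on this DC:'
foreach ($s in $settings) {
    $text = if ($null -eq $s.Value) { 'Not Defined (OS default)' }
            elseif ($s.Map.ContainsKey([int]$s.Value)) { $s.Map[[int]$s.Value] }
            else { "unknown value $($s.Value)" }
    '{0,-70} {1}' -f $s.Policy, $text
}

# Event 2889 is logged per client that performed a SASL bind without signing or a
# simple bind over cleartext LDAP. Property 0 is the client IP:port, property 1 the
# identity it bound as, property 2 the binding type (0 = SASL without signing,
# 1 = simple bind over cleartext). Requires "16 LDAP Interface Events" = 2 under
# HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics.
$since    = (Get-Date).AddDays(-1)
$unsigned = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2889; StartTime = $since } `
                         -ErrorAction SilentlyContinue

if (-not $unsigned) {
    'No 2889 events in the last 24h (no unsigned binds, or LDAP Interface Events logging is not enabled).'
} else {
    'Clients that bound without signing in the last 24h:'
    $unsigned | ForEach-Object {
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Client      = $_.Properties[0].Value
            Identity    = $_.Properties[1].Value
            BindingType = if ($_.Properties[2].Value -eq 1) { 'simple bind, cleartext' } else { 'SASL, no signing' }
        }
    } | Sort-Object Client, Identity -Unique | Format-Table -AutoSize
}
```

The first block of output tells you whether the GPO actually landed (a value that still reads "Require signing" means the policy refresh or reboot has not taken effect yet); the second shows exactly which hosts depend on the relaxed setting, so the scope of the change is known and any unexpected client doing cleartext simple binds can be followed up.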