Configuring a vCenter Single Sign-On Identity Source using LDAP with SSL (LDAPS)

Article ID: 316596

Products

VMware vCenter Server

Issue/Introduction

This article provides steps to configure an Identity Source in vCenter Single Sign-On (SSO) to use a secured LDAP over SSL (LDAPS) connection. This is appropriate in secure environments to encrypt all LDAP traffic between vCenter Server and the authorizing Identity Source.

Environment

VMware vCenter 6.x
VMware vCenter 7.x
VMware vCenter 8.x

Resolution

Caution: This article provides a general how-to guide. Consult with the Directory Administrators in your organization for specific procedures.

For information on configuring the LDAP server to use SSL, see the Microsoft article LDAP over SSL (LDAPS) Certificate.
The steps in this article assume that the Domain Controller in question has a valid certificate available and that this certificate has been exported. See the Microsoft article linked above for more details.

Refer to the Active Directory over LDAP and OpenLDAP Server Identity Source Settings documentation for further information relating to implementing Active Directory over LDAPS.

To configure an Identity Source in vCenter Single Sign-On to use a secured LDAPS connection:

1. If this is an ELM (Enhanced Linked Mode) environment, perform the following steps on a single vCenter Server only, as the IdP configuration replicates to the other linked vCenter Servers.
2. Take an appropriate snapshot of the VCSA VM.
   Note: If ELM, make sure to take offline snapshots of all linked VCSA VMs before proceeding.
3. Log in to the vSphere Web Client as a Single Sign-On Administrator.
4. Under Menu, select Administration > Configuration > Identity Sources.
5. Remove the existing Identity Source.
6. Click Add and select Active Directory over LDAP to configure a new source.
7. Enter the required information in the Add Identity Source wizard (Active Directory over LDAP):
   1. Ensure that you add the specific LDAPS URL(s).
   2. Click Browse next to "Certificates (For LDAPS)" and select the certificates that were exported from the domain controllers specified in the LDAPS URL(s). Refer to LDAP over SSL (LDAPS) Certificate for more details.
   3. The hostname specified in the connection string must be listed in the Domain Controller certificate's Subject Alternative Name (SAN), even if root certificates are provided.
8. Click Add, and the new source will be listed in the client.

Additional Information

Important Information about configuring an LDAPS identity source

  • VMware Skyline Health Diagnostics for vSphere - FAQ
  • If an existing identity source exists with the same domain, that identity source will have to be removed before configuring an LDAPS identity source.
  • If you are updating or replacing the SSL certificate, the identity source will need to be removed and re-added.
  • If the "Username" used when adding the Identity Source gets locked, disabled, or its password expires, then AD user logins to vCenter will fail. You have to redo the task and update the AD username and password again.
  • Ensure the account being used to add the identity source is not in a restricted AD group, such as the Protected Users group.

vSphere includes an openssl binary located at C:\Program Files\VMware\Infrastructure\Inventory Service\bin\openssl.

Run the following command to gather the SSL certificate information from any Domain Controller desired:
openssl s_client -connect dc#.domain.com:636 -showcerts

When the openssl connect command completes, the full contents of the SSL certificate are displayed. The root certificate appears similar to:
Certificate chain
0 s:/CN=DC3.example.com
i:/DC=com/DC=example/CN=BRM-CA
-----BEGIN CERTIFICATE-----
MIIFyjCCBLKgAwIBAgIKYURFHAAAAAAABDANBgkqhkiG9w0BAQUFADBCMRMwEQYK
..........
...snip...
..........
TmqX6OuznopBJKNW5Z5LbHzuUCfY8ryBhYZhHKsf9CmZa12j/ODfznFtAgbPNw==
-----END CERTIFICATE-----
1 s:/DC=com/DC=example/CN=BRM-CA
i:/CN=BRM-ROOT-CA
-----BEGIN CERTIFICATE-----
MIIFkjCCBHqgAwIBAgIKYSn5HgAAAAAAAjANBgkqhkiG9w0BAQUFADAWMRQwEgYD
..........
...snip...
..........
N4C2CAlLaR3sXlHBRNlfsLO+rZo45hwW8Xw3rLD+ETtgKMmAVUI=
-----END CERTIFICATE-----
Insert the entire root certificate section of openssl output into a .cer file.

Note: When snipping text, include the BEGIN and END lines for the last certificate.
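An added example, not code from this KB article, that does the last step programmatically: it parses the text printed by openssl s_client -showcerts, keeps every certificate with its BEGIN and END lines, returns the last one for saving to a .cer file, and reports whether that last certificate is self-signed, since s_client shows only the chain the server sends, and a last entry whose issuer differs from its subject (as in the sample output above, where it is issued by BRM-ROOT-CA) means the root CA certificate itself must still be obtained from the CA. The function names and the placeholder certificate bodies are constructed for this example.

```python
import re

# Added example, not code from the VMware KB: parses the text printed by
#   openssl s_client -connect <dc>:636 -showcerts
# keeping each certificate with its BEGIN/END lines, as the KB requires.
# One chain entry is " N s:<subject>", then " i:<issuer>", then a PEM block.
_ENTRY_RE = re.compile(
    r"^\s*(?P<idx>\d+)\s+s:(?P<subject>[^\n]*)\n\s*i:(?P<issuer>[^\n]*)\n"
    r"(?P<pem>-----BEGIN CERTIFICATE-----\n.*?\n-----END CERTIFICATE-----)",
    re.MULTILINE | re.DOTALL,
)

# Constructed sample in the shape of the KB's output; the certificate bodies
# are placeholders, not real base64.
SAMPLE_OUTPUT = """\
Certificate chain
 0 s:/CN=DC3.example.com
   i:/DC=com/DC=example/CN=BRM-CA
-----BEGIN CERTIFICATE-----
PLACEHOLDER-BODY-DC3-LEAF-CERTIFICATE
-----END CERTIFICATE-----
 1 s:/DC=com/DC=example/CN=BRM-CA
   i:/CN=BRM-ROOT-CA
-----BEGIN CERTIFICATE-----
PLACEHOLDER-BODY-BRM-CA-ISSUER-CERTIFICATE
-----END CERTIFICATE-----
---
"""

def parse_showcerts(output):
    """Chain entries (index, subject, issuer, pem) in the order s_client printed them."""
    return [{"index": int(m["idx"]), "subject": m["subject"].strip(),
             "issuer": m["issuer"].strip(), "pem": m["pem"] + "\n"}
            for m in _ENTRY_RE.finditer(output)]

def last_certificate(chain):
    """The final entry of the chain, the one the KB says to put in the .cer file."""
    if not chain:
        raise ValueError("no certificates found in s_client output")
    return chain[-1]

def is_self_signed(entry):
    """subject == issuer; if the last entry is not self-signed, the real root CA
    is absent from the output because s_client shows only what the server sent."""
    return entry["subject"] == entry["issuer"]

def write_cer(entry, path):
    """Write the PEM block (BEGIN/END lines included) to a .cer file."""
    with open(path, "w", encoding="ascii") as fh:
        return fh.write(entry["pem"])
```

Feed it the saved output of the openssl command (for example, parse_showcerts(open("chain.txt").read())) and check is_self_signed on the last entry before trusting the written .cer as the root.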