"A vCenter Single Sign-On service error occurred", Unable to add or create an AD over LDAP Identity source with SSL protection enabled in vCenter Server 6.5/6.7



Article ID: 317707


Products

VMware vCenter Server

Issue/Introduction

Symptoms:

  • The vSphere Web Client displays this error:
A vCenter Single Sign-On service error occurred
  • After upgrading vCenter Server 6.0 to 6.5, editing an AD over LDAP or OpenLDAP Identity source fails if SSL protection is selected.
  • The AD over LDAP or OpenLDAP Identity source either has "Connect to any domain controller in the domain" selected, or two LDAPS server URLs (primary and secondary) are provided.
  • With a single LDAPS server the issue does not occur.

    Note: If a load balancer fronts multiple LDAPS servers, the issue may occur as well.
  • After a fresh installation of vCenter Server 6.5, adding an AD over LDAP or OpenLDAP Identity source fails if SSL protection is selected.
  • In the ssoAdminServer.log file, there are entries similar to:
[<YYYY-MM-DD>T<time>.849Z pool-9-thread-6 opId=########-####-####-####-########91c4 ERROR com.vmware.identity.admin.server.ims.impl.IdentitySourceManagementImpl] Exception occurred: 'com.vmware.identity.idm.InvalidArgumentException: 'IdentityStore certificates' value should not be empty'; stack='com.vmware.identity.idm.InvalidArgumentException: 'IdentityStore certificates' value should not be empty
at com.vmware.identity.idm.server.ServerUtils.getRemoteException(ServerUtils.java:121)
at com.vmware.identity.idm.server.IdentityManager.addProvider(IdentityManager.java:9479)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)

    The message shows that the identity source reached the SSO server with an empty certificate list even though LDAPS was requested, so the server rejects the provider rather than accepting an LDAPS source it cannot validate.
 



Resolution

This is a known issue affecting vCenter Server 6.5 and 6.7.
This issue is resolved in:



Workaround:

To work around this issue, either disable SSL for the identity source (steps 1 and 2) or keep LDAPS but point the identity source at a single server (step 3):
  1. Disable SSL support for LDAP. This works both with two LDAP server URLs and with the option "Connect to any domain controller in the domain".

    Note: Disabling SSL is a security risk: the bind credentials of the identity source account and every directory query then cross the network in plain text, where anyone on the path can read or alter them. Prefer step 3 (a single LDAPS server) wherever possible.
     
  2. Configure the Identity source to use non-encrypted LDAP using these settings:
     
    • To use any available domain controller in your domain:
      1. Select "Connect to any domain controller in the domain".
      2. Do not tick "Protect LDAP communication using SSL certificate (LDAPS)".
    • To use 2 dedicated domain controllers in your domain:
      1. Select "Connect to specific domain controllers".
      2. As Primary and Secondary server URL use (with the FQDN of the respective controller):
         • If the domain controller is a Global Catalog Server: LDAP://<domain_controller1_fqdn>:3268
         • If the domain controller is not a Global Catalog Server: LDAP://<domain_controller1_fqdn>:389
      3. Do not tick "Protect LDAP communication using SSL certificate (LDAPS)".
         
  3. Only provide a single LDAPS server. This requires that the LDAP server is specified manually (rather than using the option "Connect to any domain controller in the domain").
     
    1. Select "Connect to specific domain controllers".
    2. As Primary server URL use:
      1. If the domain controller is a Global Catalog Server: LDAPS://<domain_controller_fqdn>:3269
      2. If the domain controller is not a Global Catalog Server: LDAPS://<domain_controller_fqdn>:636
    3. Do NOT provide a Secondary server URL.
    4. Tick "Protect LDAP communication using SSL certificate (LDAPS)".
    5. In "3 Provide certificates" provide the SSL certificate of the domain controller used, that is, the controller whose FQDN is in the Primary server URL.
    6. Run this command to retrieve the SSL certificate from that domain controller (use port 3269 instead of 636 if the URL points at the Global Catalog; redirecting stdin from /dev/null makes openssl exit once the handshake is complete instead of waiting for input): # openssl s_client -connect <domain_controller_fqdn>:636 -showcerts </dev/null
    7. When the openssl command completes, the certificates the server presented are displayed. The certificate chain appears similar to:

      Certificate chain
      0 s:/CN=DC3.example.com
      i:/DC=com/DC=example/CN=cn
      -----BEGIN CERTIFICATE-----
      MIIFyjCCBLKgAwIBAgIKYURFHAAAAAAABDANBgkqhkiG9w0BAQUFADBCMRMwEQYK
      ..........
      ...snip...
      ..........
      TmqX6OuznopBJKNW5Z5LbHzuUCfY8ryBhYZhHKsf9CmZa12j/ODfznFtAgbPNw==
      -----END CERTIFICATE-----
      1 s:/DC=com/DC=example/CN=cn
      i:/CN=BRM-ROOT-CA
      -----BEGIN CERTIFICATE-----
      MIIFkjCCBHqgAwIBAgIKYSn5HgAAAAAAAjANBgkqhkiG9w0BAQUFADAWMRQwEgYD
      ..........
      ...snip...
      ..........
      N4C2CAlLaR3sXlHBRNlfsLO+rZo45hwW8Xw3rLD+ETtgKMmAVUI=
      -----END CERTIFICATE-----

       
    8. The first certificate in this chain (index 0, whose subject "s:" is the domain controller's FQDN) is the certificate of the domain controller; the entries that follow are its issuing CAs.
    9. Copy the complete block from -----BEGIN CERTIFICATE----- up to and including -----END CERTIFICATE----- into a text file.
    10. Remove any additional characters after -----END CERTIFICATE-----.
    11. Save that file with a .cer extension.
    12. Add this file to the identity source.
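The certificate extraction in steps 6 to 11, as an added shell example that is not part of the KB article: it pipes the `openssl s_client -showcerts` output through a small awk filter that keeps only the first PEM block (the domain controller's own certificate), checks the resulting .cer file for the exact shape steps 9 and 10 demand (one block, nothing after -----END CERTIFICATE-----), and prints the certificate's subject and expiry so it can be compared with the FQDN in the Primary server URL. The host name dc3.example.com and the output file name are placeholders, not values from the article.

```shell
#!/bin/sh
# Added example, not part of the KB article: extract the domain controller's
# own (leaf) certificate from `openssl s_client -showcerts` output and save
# it as a .cer file containing exactly that one PEM block.

# Keep only the first PEM block of whatever is piped in. openssl s_client
# lists the chain leaf-first, so the first block is the server's certificate.
extract_leaf_cert() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { inblock = 1 }
        inblock                        { print }
        /-----END CERTIFICATE-----/    { if (inblock) exit }
    '
}

# Verify a saved .cer file holds exactly one PEM block and that nothing
# follows -----END CERTIFICATE----- (the condition steps 9 and 10 require).
# Returns 0 when the file is acceptable, 1 otherwise.
check_cer_file() {
    file="$1"
    begins=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$file" || true)
    ends=$(grep -c '^-----END CERTIFICATE-----$' "$file" || true)
    last=$(tail -n 1 "$file")
    [ "$begins" -eq 1 ] && [ "$ends" -eq 1 ] && \
        [ "$last" = "-----END CERTIFICATE-----" ]
}

# Pull the certificate from a live domain controller and write the .cer file.
#   fetch_dc_cert <dc_fqdn> <out_file> [port]
# Use port 3269 when the Primary server URL points at the Global Catalog.
# The FQDN must be the one used in the LDAPS URL so the saved certificate is
# the one that server will actually present.
fetch_dc_cert() {
    dc_fqdn="$1"; out="$2"; port="${3:-636}"
    # stdin from /dev/null makes s_client exit after the handshake instead
    # of waiting for input.
    openssl s_client -connect "$dc_fqdn:$port" -servername "$dc_fqdn" \
        -showcerts </dev/null 2>/dev/null | extract_leaf_cert > "$out"
    if ! check_cer_file "$out"; then
        echo "no certificate extracted from $dc_fqdn:$port" >&2
        return 1
    fi
    # Show whom the certificate was issued to and when it expires; the subject
    # (or a SAN) must match the FQDN in the LDAPS URL.
    openssl x509 -in "$out" -noout -subject -enddate
}

# Example invocation for a hypothetical controller (uncomment to run it
# against a real one):
# fetch_dc_cert dc3.example.com dc3.example.com.cer 636
```

Because the identity source trusts this specific certificate, repeat the extraction and upload whenever the domain controller's certificate is renewed; the expiry printed by `openssl x509 -enddate` tells you when that is due.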



Additional Information