Haven’t you started using LDAPS for VMware vCenter Server? Hurry up!


In January 2020, VMware informed their customers that LDAP and Integrated Windows Authentication Identity Stores will cease functioning, as Microsoft is disabling LDAP on Active Directory. Have you not yet configured this in your environment? Read on!

Where are you now?

So first of all, it’s important to know where you are standing. Log in to vCenter Server and open the Administration menu. Navigate to Single Sign On and click Configuration.

The following screen should pop up with all your configured Identity Stores.

I am using vCenter Server 6.7 in this example, so if you’re running a different version it might look slightly different.

The screenshot above shows the desired configuration. If your server URL is already displayed as ldaps://SERVERFQDN:636, you are already prepared for what is coming and there is no need to follow any other steps!

If this is not the case for you, and it either displays an ldap:// address or Windows Integrated Authentication, you need to follow the next steps.

Configure LDAPS on your Domain Controller(s)

First of all, you will need to have LDAPS configured on your Domain Controller(s). This can be done with a third-party SSL certificate, or a self-signed (local CA) certificate. I’ve only worked with third-party certificates, so follow THIS link to find a Microsoft KB article that explains how to activate and verify LDAPS on a Domain Controller.

Fetch the root certificate chain from vCenter Server

Now, SSH into your vCenter Server and run the following command:

openssl s_client -connect <domain_controller_fqdn>:636 -showcerts

This will output something like this:

Certificate chain
0 s:/CN=DC3.domain.com
i:/DC=com/DC=domain/CN=BRM-CA
-----BEGIN CERTIFICATE-----
MIIFyjCCBLKgAwIBAgIKYURFHAAAAAAABDANBgkqhkiG9w0BAQUFADBCMRMwEQYK
..........
...snip...
..........
TmqX6OuznopBJKNW5Z5LbHzuUCfY8ryBhYZhHKsf9CmZa12j/ODfznFtAgbPNw==
-----END CERTIFICATE-----
1 s:/DC=com/DC=domain/CN=BRM-CA
i:/CN=BRM-ROOT-CA
-----BEGIN CERTIFICATE-----
MIIFkjCCBHqgAwIBAgIKYSn5HgAAAAAAAjANBgkqhkiG9w0BAQUFADAWMRQwEgYD
..........
...snip...
..........
N4C2CAlLaR3sXlHBRNlfsLO+rZo45hwW8Xw3rLD+ETtgKMmAVUI=
-----END CERTIFICATE-----

What you want to do is capture everything from the first -----BEGIN CERTIFICATE----- up to and including the last -----END CERTIFICATE-----.

Copy and paste this content into a Notepad file, and save it as a *.cer file.

Prepare your vCenter Server for the repoint

Create a snapshot of your vCenter Server. Just in case something goes sideways.

Then, delete your existing Identity Store entry that points to your domain if it is the Integrated Windows Authentication one. If it is already an LDAP type, I assume you can simply edit it.

Make sure you are on this screen:

So now, you fill in all the blanks.

  • Name: Just an identifier for your domain, can be anything
  • Base DN for users: dc=domain,dc=com (or use a DN that’s more specific if you only want to include certain users in an OU)
  • Base DN for groups: same idea as with the users
  • Domain name: DOMAIN.COM
  • Domain alias: DOMAIN
  • Username: domainuser@domain.com (used to connect with AD)
  • Password: P@ssw0rd =)
  • Connect to: Specific domain controllers
  • Primary Server URL: ldaps://fqdn-of-server:636
  • Secondary Server URL: optional
  • SSL Certificates: Browse to the *.cer file you created before

So what I did until now is configure only one primary server URL, pointing to a DNS record that has two entries, making it a round-robin configuration. You can of course choose a different approach.

Don’t forget to use the ldaps:// format and the port (636). If you only have one DC, the port should be 3269.

Click ADD to complete the wizard and set up the new Identity Store!

Verify and Troubleshooting

This should’ve all worked okay. Check if you can log into vCenter Server using an account in your Active Directory (make sure it has at least one set of permissions so you can click around in the inventory).

If you see an error message while adding the Identity Store, check the following things:

  • Did you delete the old Windows Integrated Authentication entry before adding this new one? The same domain cannot be added twice
  • Did you copy the right content into the *.cer file?
  • Did you use the full accountname@domain.com (UPN) format for the service account?
  • Don’t forget to use ldaps:// and the port (636 or 3269) when pointing to a server address
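As an added example (not code from the original post, nor anything shipped by VMware), the Python script below ties the certificate-fetching step and this troubleshooting checklist together. It parses the output of the openssl s_client command shown earlier into separate PEM blocks, writes the *.cer bundle, checks a Primary/Secondary Server URL against the ldaps:// and 636/3269 rules, and, when given a domain controller FQDN, connects to it trusting only that bundle with hostname checking switched on, which is the validation vCenter will effectively perform with the file you upload. The function and file names, the constructed sample output, and the default of leaving the DC's own certificate out of the bundle (pass include_leaf=True to copy everything, as the post does) are this example's own assumptions; it expects the openssl binary on PATH for the live fetch.

```python
"""LDAPS identity-source helpers (added example; not from the original post or VMware).
Assumes openssl is on PATH and that the *.cer bundle is plain PEM, as in the post."""
import re
import socket
import ssl
import subprocess
import sys
from urllib.parse import urlsplit

# One armoured PEM certificate block.
_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL)
# Chain headers printed by s_client: "<n> s:<subject>" followed by " i:<issuer>".
# Accepts both the old "s:/CN=..." and the newer "s:CN = ..." layouts.
_SUBJECT_RE = re.compile(r"^\s*(\d+)\s+s:(.*)$", re.MULTILINE)
_ISSUER_RE = re.compile(r"^\s*i:(.*)$", re.MULTILINE)
LDAPS_PORTS = {636: "LDAPS", 3269: "Global Catalog over SSL"}


def parse_chain(s_client_output):
    """Split `openssl s_client -showcerts` output into the chain the DC presented.

    Returns dicts with index, subject, issuer and pem in server order: entry 0 is
    the DC's own (leaf) certificate, the rest are the CA certificates it sent.
    Servers usually do not send the root CA, so it may be absent here.
    """
    start = s_client_output.find("Certificate chain")
    end = s_client_output.find("Server certificate")
    section = s_client_output[max(start, 0):end if end > start else None]
    pems = _PEM_RE.findall(section)
    subjects = [s.strip() for _, s in _SUBJECT_RE.findall(section)]
    issuers = [i.strip() for i in _ISSUER_RE.findall(section)]
    if not (len(pems) == len(subjects) == len(issuers)):
        raise ValueError("could not pair every PEM block with its s:/i: lines")
    return [{"index": n, "subject": s, "issuer": i, "pem": p}
            for n, (s, i, p) in enumerate(zip(subjects, issuers, pems))]


def build_trust_bundle(chain, include_leaf=False):
    """Return the text to save as the *.cer file.

    include_leaf=True copies every block from the first BEGIN to the last END, as the
    post does. The default drops entry 0 (assumption: a bundle of only CA certificates
    keeps working when the DC's own, more frequently renewed, certificate is replaced).
    """
    blocks = [e["pem"] for e in chain if include_leaf or e["index"] != 0]
    if not blocks:
        raise ValueError("nothing to write: the DC sent no CA certificates")
    return "\n".join(blocks) + "\n"


def check_identity_source_url(url):
    """Apply the checklist to a Primary/Secondary Server URL -> (ok, message)."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "ldaps":
        return False, "scheme must be ldaps://, got %r" % (parts.scheme or url)
    try:
        port = parts.port
    except ValueError:
        return False, "port is not a number"
    if port is None:
        return False, "port missing: use :636 or :3269"
    if port not in LDAPS_PORTS:
        return False, "port %d is not an LDAPS port (636 or 3269)" % port
    if not parts.hostname or "." not in parts.hostname:
        return False, "host should be the domain controller's FQDN"
    return True, "ldaps to %s on %d (%s)" % (parts.hostname, port, LDAPS_PORTS[port])


def fetch_chain(dc_fqdn, port=636):
    """Run the same openssl command as the post and parse its output (needs network)."""
    proc = subprocess.run(["openssl", "s_client", "-connect", "%s:%d" % (dc_fqdn, port),
                           "-showcerts"], input=b"", capture_output=True, timeout=20)
    return parse_chain(proc.stdout.decode("utf-8", "replace"))


def verify_ldaps(dc_fqdn, bundle_path, port=636, timeout=5.0):
    """Connect trusting only the bundle, hostname check on: the check vCenter will make.

    Raises ssl.SSLCertVerificationError when the bundle lacks the issuing CA or the
    certificate's name does not match the FQDN used in the URL; otherwise returns
    (tls_version, leaf_common_name).
    """
    ctx = ssl.create_default_context(cafile=bundle_path)  # trusts only the bundle
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((dc_fqdn, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=dc_fqdn) as tls:
            subject = dict(pair[0] for pair in tls.getpeercert()["subject"])
            return tls.version(), subject.get("commonName", "")


# Constructed sample shaped like the post's output; the base64 bodies are placeholders.
SAMPLE_S_CLIENT_OUTPUT = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=DC3.domain.com
   i:/DC=com/DC=domain/CN=BRM-CA
-----BEGIN CERTIFICATE-----
MIIFyjCCBLKgAwIBAgIKYURFHAAAAAAABDANBgkqhkiG9w0BAQUFADBCMRMwEQYK
PLACEHOLDERLEAFBODY
-----END CERTIFICATE-----
 1 s:/DC=com/DC=domain/CN=BRM-CA
   i:/CN=BRM-ROOT-CA
-----BEGIN CERTIFICATE-----
MIIFkjCCBHqgAwIBAgIKYSn5HgAAAAAAAjANBgkqhkiG9w0BAQUFADAWMRQwEgYD
PLACEHOLDERISSUINGCABODY
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=DC3.domain.com
issuer=/DC=com/DC=domain/CN=BRM-CA
"""

if __name__ == "__main__":
    # Usage: python ldaps_check.py dc3.domain.com -> writes dc3.domain.com.cer and verifies it
    if len(sys.argv) == 2:
        fqdn = sys.argv[1]
        print(check_identity_source_url("ldaps://%s:636" % fqdn))
        chain = fetch_chain(fqdn)
        for e in chain:
            print("%d subject=%s issuer=%s" % (e["index"], e["subject"], e["issuer"]))
        path = fqdn + ".cer"
        with open(path, "w") as fh:
            fh.write(build_trust_bundle(chain))
        print("wrote", path, "->", verify_ldaps(fqdn, path))
    else:
        print(build_trust_bundle(parse_chain(SAMPLE_S_CLIENT_OUTPUT)))
```

Run it on the vCenter appliance (or any host that can reach the DC on 636) with the DC's FQDN as the only argument. If verify_ldaps raises a certificate verification error, the wizard will fail for the same reason: either the bundle does not contain the CA that issued the DC's certificate, or the FQDN you put in the Server URL is not a name in that certificate.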

This should be everything! Don’t forget to clean up the snapshot you created before if everything is working okay. And please leave feedback and questions in the comments below!

Extra resources
