Knowledge Base

The VMware Knowledge Base provides support solutions, error messages and troubleshooting guides
 
Search the VMware Knowledge Base (KB)   View by Article ID
 

Adding a vCenter Single Sign On Active Directory Identity Source fails with the LDAP error: The server requires binds to turn on integrity checking (2035934)

Symptoms

  • Cannot add a vCenter Single Sign On (SSO) Active Directory Identity Source
  • Adding an Active Directory Single Sign On Identity Source with a Primary Server URL starting with ldap:// or ldaps:// fails
  • Test Connection fails with one of these errors:

    • [LDAP: error code 8 - 00002028: LdapErr: DSID-0C0901FC, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v1db1]

    • simple bind failed

Cause

This issue occurs if the Active Directory Domain is configured with a Group Policy that requires all LDAP connections to be secured with SSL (ldaps required) and the Domain controller: LDAP server signing requirements policy is set to Require signing.

A certificate that establishes trust for the LDAPS endpoint of the Active Directory server is required when you use ldaps:// in the primary or secondary LDAP URL.

Resolution

To resolve this issue:

  1. Log in to the vSphere Web Client using the Admin@System-Domain credentials.
  2. Browse to Administration > Sign-On and Discovery > Configuration in the vSphere Web Client.
  3. Open the Edit Identity Source by right-clicking on the dialog of the Identity Source you want to edit.
  4. Change the URL from ldap://... to ldaps://...

    A Choose Certificate button appears below the settings.

  5. Click Choose Certificate.
  6. Select the correct .cer Root CA certificate of your AD/OpenLdap Identity Source.
  7. Click Test Connection.
  8. Click OK.

Additional Information

To Configure an Active Directory Domain for LDAP over SSL (LDAPS), see the Microsoft TechNet article LDAP over SSL (LDAPS) Certificate.

To obtain the trust certificate for use with SSO, see the Exporting the LDAPS Certificate and Importing for use with AD DS section of LDAP over SSL (LDAPS) Certificate.

Note: The preceding links were correct as of November 21, 2012. If you find a link is broken, provide feedback and a VMware employee will update the link.

Request a Product Feature

To request a new product feature or to provide feedback on a VMware product, please visit the Request a Product Feature page.

Feedback

  • 21 Ratings

Did this article help you?
This article resolved my issue.
This article did not resolve my issue.
This article helped but additional information was required to resolve my issue.
What can we do to improve this information? (4000 or fewer characters)
  • 21 Ratings
Actions
KB: