Configuring a vCenter Single Sign-On Identity Source using LDAP with SSL (LDAPS)
Article ID: 316596

Products

VMware vCenter Server

Issue/Introduction

This article provides steps to configure an Identity Source in vCenter Single Sign-On (SSO) to use a secured LDAP over SSL (LDAPS) connection. This is appropriate in secure environments, as it encrypts all LDAP traffic between vCenter Server and the authorizing Identity Source.

Environment

VMware vCenter Server 6.5.x
VMware vCenter Server 7.0.x
VMware vCenter Server 5.1.x
VMware vCenter Server Appliance 6.7.x

Resolution

Caution: This article provides a general how-to guide. Consult with the Directory Administrators in your organization for specific procedures.

For information on configuring the LDAP server to use SSL, see the Microsoft article LDAP over SSL (LDAPS) Certificate.
The steps in this article assume that the Domain Controller in question has a valid certificate available and that this certificate has been exported. See the Microsoft article linked above for more details.

Refer to the VMware documentation for further information on implementing Active Directory over LDAPS.

To configure an Identity Source in vCenter Single Sign-On to use secured LDAPS:

1) Log in to the vSphere Web Client as a Single Sign-On Administrator.

2) Under Menu, select Administration > Configuration > Identity Sources.

3) Click Add and select Active Directory over LDAP to configure a new source.

4) Enter the required information in the Add Identity Source wizard (Active Directory over LDAP):
  1. Ensure that you add specific LDAPS URL(s).
  2. Click Browse next to "Certificates (For LDAPS)" and select the certificates that were exported from the domain controllers specified in the LDAPS URL(s). Refer to the Microsoft article LDAP over SSL (LDAPS) Certificate for more details.
Note: The correct certificate to select for LDAPS is the direct CA signer of the AD server's certificate.
Note: There should be NO SPACE in the "Domain Alias" field; the identity source name is a unique identifier and should be kept as unique as possible.


5) Click Add; the new source will be listed in the client.

Additional Information

Important Information about configuring an LDAPS identity source
  • If an identity source already exists for the same domain, it must be removed before the LDAPS identity source is configured.
  • If you update or replace the SSL certificate, the identity source must be removed and re-added.
  • If the "Username" account used when adding the identity source is locked, disabled, or its password expires, AD user logins to vCenter will fail. Repeat the procedure and enter the updated AD username and password.
  • Ensure the account used to add the identity source is not in a restricted AD group, such as the Protected Users group.

vSphere includes an openssl binary located at C:\Program Files\VMware\Infrastructure\Inventory Service\bin\openssl.

Run the following command to gather the SSL certificate information from any desired Domain Controller (replace dc#.domain.com with the DC's FQDN):
# openssl s_client -connect dc#.domain.com:636 -showcerts

When the openssl connect command completes, the full contents of the SSL certificate chain are displayed. The output appears similar to:
Certificate chain
0 s:/CN=DC3.domain.com
i:/DC=com/DC=domain/CN=BRM-CA
-----BEGIN CERTIFICATE-----
MIIFyjCCBLKgAwIBAgIKYURFHAAAAAAABDANBgkqhkiG9w0BAQUFADBCMRMwEQYK
..........
...snip...
..........
TmqX6OuznopBJKNW5Z5LbHzuUCfY8ryBhYZhHKsf9CmZa12j/ODfznFtAgbPNw==
-----END CERTIFICATE-----
1 s:/DC=com/DC=domain/CN=BRM-CA
i:/CN=BRM-ROOT-CA
-----BEGIN CERTIFICATE-----
MIIFkjCCBHqgAwIBAgIKYSn5HgAAAAAAAjANBgkqhkiG9w0BAQUFADAWMRQwEgYD
..........
...snip...
..........
N4C2CAlLaR3sXlHBRNlfsLO+rZo45hwW8Xw3rLD+ETtgKMmAVUI=
-----END CERTIFICATE-----

Insert the entire root certificate section of openssl output into a .cer file.

Note: When snipping text, include the BEGIN and END lines for the last certificate.
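As an added example (not part of this KB article), the following POSIX shell script runs the same openssl s_client command, isolates the second certificate in the chain (the direct CA signer referred to in the note above) into a .cer file, and checks that it actually verifies the DC's own certificate. The hostname dc1.domain.com and the output file name are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the KB article): capture a Domain Controller's LDAPS
# certificate chain with openssl s_client and save the issuing CA certificate,
# the direct signer of the DC's certificate, as a .cer file for the wizard.

# Print PEM block number N (0-based, same order as openssl s_client lists them)
# from s_client -showcerts output read on stdin.
extract_chain_cert() {
    awk -v want="$1" '
        /-----BEGIN CERTIFICATE-----/ { inside = 1 }
        inside && n == want          { print }
        /-----END CERTIFICATE-----/   { if (inside) n++; inside = 0 }
    '
}

# Count the PEM blocks in s_client output read on stdin.
count_chain_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----'
}

# Fetch the chain from the DC (hostname is an assumed placeholder) and write the
# issuer certificate (chain index 1) to the given .cer file. The redirect from
# /dev/null closes stdin so s_client returns as soon as the handshake is done.
save_issuer_cert() {
    dc="$1"; out="$2"
    chain=$(openssl s_client -connect "$dc:636" -showcerts </dev/null 2>/dev/null) || return 1
    n=$(printf '%s\n' "$chain" | count_chain_certs)
    if [ "$n" -lt 2 ]; then
        # Some DCs send only their own certificate; the CA certificate must then
        # be exported from the CA itself, as the article describes.
        echo "$dc sent $n certificate(s); issuer not in chain, export it from the CA" >&2
        return 1
    fi
    printf '%s\n' "$chain" | extract_chain_cert 1 > "$out"
    # Confirm the saved file really signs the DC's own certificate (index 0).
    printf '%s\n' "$chain" | extract_chain_cert 0 |
        openssl verify -partial_chain -CAfile "$out" >/dev/null
}

# Usage: save_issuer_cert dc1.domain.com brm-ca.cer
```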