"A vCenter Single Sign-On service error occurred", Unable to add or create an AD over LDAP Identity source with SSL protection enabled in vCenter Server 6.5/6.7

Article ID: 317707

Products

VMware vCenter Server

Issue/Introduction

Symptoms:
  • The vSphere Web Client displays this error:
A vCenter Single Sign-On service error occurred
  • After upgrading vCenter Server 6.0 to 6.5, editing an AD over LDAP or OpenLDAP Identity source fails if SSL protection is selected.
  • The AD over LDAP or OpenLDAP Identity source has "Connect to any domain controller in the domain" selected, or two LDAPS servers are provided.
  • With a single LDAPS server the issue does not occur.

    Note: If a load balancer is used in front of multiple LDAPS servers, the issue may occur as well.
  • After a fresh installation of vCenter Server 6.5, adding an AD over LDAP or OpenLDAP Identity source fails if SSL protection is selected.
  • In the ssoAdminServer.log file, there are entries similar to:
[<YYYY-MM-DD>T<time>.849Z pool-9-thread-6 opId=2854ae5d-4df1-46c5-a177-5fc430f991c4 ERROR com.vmware.identity.admin.server.ims.impl.IdentitySourceManagementImpl] Exception occurred: 'com.vmware.identity.idm.
InvalidArgumentException: 'IdentityStore certificates' value should not be empty'; stack='com.vmware.identity.idm.InvalidArgumentException: 'IdentityStore certificates' value should not be empty
at com.vmware.identity.idm.server.ServerUtils.getRemoteException(ServerUtils.java:121)
at com.vmware.identity.idm.server.IdentityManager.addProvider(IdentityManager.java:9479)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)


Resolution

This is a known issue affecting vCenter Server 6.5 & 6.7.
This issue is resolved in:


Workaround:
To work around this issue, use one of the following options:
  1. Disable SSL support for LDAP. This works with two LDAP servers and with the option "Connect to any domain controller in the domain".

    Note: Disabling SSL poses a security risk, as all information (including bind credentials) is transmitted in plain text.
     
  2. Configure the Identity source to use unencrypted LDAP with these settings:

    • To use any available domain controller in your domain:
      1. Select "Connect to any domain controller in the domain".
      2. Do not tick "Protect LDAP communication using SSL certificate (LDAPS)".
    • To use two dedicated domain controllers in your domain:
      1. Select "Connect to specific domain controllers".
      2. As Primary and Secondary server URL use:
         • If the domain controller is a Global Catalog Server: LDAP://<domain_controller1_fqdn>:3268
         • If the domain controller is not a Global Catalog Server: LDAP://<domain_controller1_fqdn>:389
      3. Do not tick "Protect LDAP communication using SSL certificate (LDAPS)".
         
  3. Only provide a single LDAPS server. This requires that the LDAP server is specified manually (rather than using the option "Connect to any domain controller in the domain").

    1. Select "Connect to specific domain controllers".
    2. As Primary server URL use:
      1. If the domain controller is a Global Catalog Server: LDAPS://<domain_controller_fqdn>:3269
      2. If the domain controller is not a Global Catalog Server: LDAPS://<domain_controller_fqdn>:636
    3. Do NOT provide a Secondary server URL.
    4. Tick "Protect LDAP communication using SSL certificate (LDAPS)".
    5. In "3 Provide certificates", provide the SSL certificate of the domain controller used.
    6. To gather the SSL certificate from the domain controller you want to use, run: # openssl s_client -connect <domain_controller_fqdn>:636 -showcerts
    7. When the openssl connect command completes, the full contents of the SSL certificate are displayed. The certificate chain appears similar to:

      Certificate chain
      0 s:/CN=DC3.domain.com
      i:/DC=com/DC=domain/CN=BRM-CA
      -----BEGIN CERTIFICATE-----
      MIIFyjCCBLKgAwIBAgIKYURFHAAAAAAABDANBgkqhkiG9w0BAQUFADBCMRMwEQYK
      ..........
      ...snip...
      ..........
      TmqX6OuznopBJKNW5Z5LbHzuUCfY8ryBhYZhHKsf9CmZa12j/ODfznFtAgbPNw==
      -----END CERTIFICATE-----
      1 s:/DC=com/DC=domain/CN=BRM-CA
      i:/CN=BRM-ROOT-CA
      -----BEGIN CERTIFICATE-----
      MIIFkjCCBHqgAwIBAgIKYSn5HgAAAAAAAjANBgkqhkiG9w0BAQUFADAWMRQwEgYD
      ..........
      ...snip...
      ..........
      N4C2CAlLaR3sXlHBRNlfsLO+rZo45hwW8Xw3rLD+ETtgKMmAVUI=
      -----END CERTIFICATE-----

       
    8. The top most certificate in this chain is the certificate of the domain controller.
    9. Copy the complete string including -----BEGIN CERTIFICATE----- until (including) -----END CERTIFICATE----- into a text file.
    10. Remove any additional characters after -----END CERTIFICATE-----.
    11. Save that file as .cer.
    12. Add this file to the identity source.
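Steps 6 to 11 above are easy to get wrong by hand (an extra line after the END marker, or the issuer certificate copied instead of the domain controller's own). The following shell script is an added example, not part of the VMware article: it automates the extraction with the same openssl command the article gives, keeping only the first PEM block from the s_client output. The function names, the domain names and the sample chain output (whose base64 body is placeholder text, not a real certificate) are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the VMware KB article): save the domain controller's
# own certificate from `openssl s_client -showcerts` output as a .cer file.

# extract_leaf_cert: read s_client output on stdin and print only the first
# PEM block, i.e. chain entry 0 (the domain controller certificate), with
# nothing before the BEGIN marker and nothing after the END marker.
extract_leaf_cert() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { inblock = 1 }
        inblock { print }
        /-----END CERTIFICATE-----/ && inblock { exit }
    '
}

# save_leaf_cert <domain_controller_fqdn> <out.cer>: fetch the chain from a
# live domain controller on 636 and save the leaf certificate. stdin is closed
# so s_client returns immediately instead of waiting for input.
save_leaf_cert() {
    openssl s_client -connect "$1:636" -showcerts </dev/null 2>/dev/null \
        | extract_leaf_cert > "$2"
}

# count_cert_blocks <file>: number of BEGIN markers in the file. A .cer file
# intended for the identity source wizard should contain exactly one.
count_cert_blocks() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Constructed sample resembling the chain output shown in the article
# (placeholder body lines, not real certificate data).
SAMPLE_CHAIN='CONNECTED(00000003)
Certificate chain
 0 s:/CN=dc1.example.com
   i:/DC=com/DC=example/CN=EXAMPLE-CA
-----BEGIN CERTIFICATE-----
MIIFyjCCBLKgAwIBAgIKYURFHAAAAAAABDANBgkqhkiG9w0BAQUFADBCMRMwEQYK
PLACEHOLDERLEAFCERTBODY
-----END CERTIFICATE-----
 1 s:/DC=com/DC=example/CN=EXAMPLE-CA
   i:/CN=EXAMPLE-ROOT-CA
-----BEGIN CERTIFICATE-----
MIIFkjCCBHqgAwIBAgIKYSn5HgAAAAAAAjANBgkqhkiG9w0BAQUFADAWMRQwEgYD
PLACEHOLDERISSUERCERTBODY
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=dc1.example.com'

# demo: run the extraction on the constructed sample and report how many
# certificate blocks ended up in the output file (expected: 1).
demo() {
    out=$(mktemp)
    printf '%s\n' "$SAMPLE_CHAIN" | extract_leaf_cert > "$out"
    count_cert_blocks "$out"
    rm -f "$out"
}
```

For a real domain controller, call `save_leaf_cert dc1.example.com dc1.cer` and then, if openssl is available, confirm the subject with `openssl x509 -in dc1.cer -noout -subject` before adding the file in the "Provide certificates" step; the subject should be the domain controller's CN, not the CA's.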


Additional Information

The vCenter Single Sign-On server failed to connect to or failed to authenticate to the service at the specified URL
"There is already a native AD IDS or LDAP AD IDS registered", Unable to disjoin/leave vCenter Server Appliance from Active Directory Domain
'Failed to check the status of VMware Directory Service' error while upgrading vCenter Server 6.7
"Cannot load the users for the selected domain / Error while extracting local SSO users", Unable to add Active Directory users or groups to vCenter Server Appliance or vRealize Automation permissions
"Setup failed to generate the SSL keys necessary to run VMware Server" when installing VMware Workstation