VMware vSphere

Hello everyone,

I'm currently working on a vCenter 8.0 setup and I'd like to integrate it with our existing Active Directory for user authentication. I noticed that Integrated Windows Authentication (IWA) is deprecated, so I assume LDAP or LDAPS is now the way to go.

Could someone explain the correct process for enabling Active Directory over LDAP/LDAPS in vCenter 8.0? Specifically, how do I obtain the required certificate and configure the identity source in the vSphere Client?

Any guidance would be much appreciated.
Thanks in advance!

------------------------------
- Nathanael Pacheco
System Admin, High Desert Tea House
Algodones, New Mexico
------------------------------

This is in the official documentation and also a separate KB below.  Instructions for exporting the certificate from a domain controller are there as well.

https://knowledge.broadcom.com/external/article/316596

-------------------------------------------

Original Message:
Sent: Sep 02, 2025 09:49 AM
From: Nathanael Pacheco
Subject: How to enable Active Directory / LDAP authentication in vCenter 8.0?

Hello everyone,

I'm currently working on a vCenter 8.0 setup and I'd like to integrate it with our existing Active Directory for user authentication. I noticed that Integrated Windows Authentication (IWA) is deprecated, so I assume LDAP or LDAPS is now the way to go.

Could someone explain the correct process for enabling Active Directory over LDAP/LDAPS in vCenter 8.0? Specifically, how do I obtain the required certificate and configure the identity source in the vSphere Client?

Any guidance would be much appreciated.
Thanks in advance!

------------------------------
- Nathanael Pacheco
System Admin, High Desert Tea House
Algodones, New Mexico
------------------------------

Go LDAPS so password don't get sent in plaintext.

From a shell you run this per system and capture what is between the -BEGIN and -END to file

openssl s_client -showcerts -connect dc.domain.com:636 /dev/null|openssl x509 -outform PEM

This KB best explains it. You need to get certs from the DCs you will use. We have multisite so picked a DC from each as a preventative measure.

https://knowledge.broadcom.com/external/article/316596

Chris Leblanc
Technical Analyst - VMware
VCP, MCSA, MCSE, PVTC, VCP-NV 2024

Chris.LeBlanc@dxcas.com<mailto:chris.leblanc@dxcas.com>
Desk: 250-405-4686

Advanced Solutions, a DXC Technology Company
1101 - 4464 Markham Street
Victoria, BC V8Z 7X8
http://www.dxcas.com<http: www.dxcas.com>


Original Message:
Sent: 9/2/2025 9:49:00 AM
From: Nathanael Pacheco
Subject: How to enable Active Directory / LDAP authentication in vCenter 8.0?

Hello everyone,

I'm currently working on a vCenter 8.0 setup and I'd like to integrate it with our existing Active Directory for user authentication. I noticed that Integrated Windows Authentication (IWA) is deprecated, so I assume LDAP or LDAPS is now the way to go.

Could someone explain the correct process for enabling Active Directory over LDAP/LDAPS in vCenter 8.0? Specifically, how do I obtain the required certificate and configure the identity source in the vSphere Client?

Any guidance would be much appreciated.
Thanks in advance!

------------------------------
- Nathanael Pacheco
System Admin, High Desert Tea House
Algodones, New Mexico
------------------------------
</http:></mailto:chris.leblanc@dxcas.com>

Hi,

You're correct, IWA is no longer supported in vCenter 8.0, and VMware recommends using AD over LDAP/LDAPS or Identity Federation. Here's how you can set it up with LDAPS:

1. Get the LDAPS certificate

   • SSH into your vCenter Server Appliance (or any system with OpenSSL installed).

   • Run: openssl s_client -showcerts -connect [LDAPS-Server]:636

   • Copy everything from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- into a text file, then save it as .crt.

   • Using the CA certificate is recommended, so you won't need to reconfigure if the LDAPS certificate changes.

2. Add the Identity Source in vCenter

   • Log in to the vSphere Client as an SSO administrator.

   • Go to Administration > Single Sign On > Configuration > Identity Provider > Identity Sources.

   • Click ADD and select Active Directory over LDAP.

   • Fill out the fields:

     • Identity source name: your domain name (e.g., mydomain.local).

     • Base DN for users/groups: e.g., DC=mydomain,DC=local.

     • Domain name: e.g., mydomain.local.

     • Domain alias: NetBIOS name (e.g., MYDOMAIN).

     • Username/Password: a domain account with at least read/browse permissions.

     • Connect to: choose "any domain controller" or specify static controllers on port 636 (LDAPS) or 3269 (global catalog).

   • Under Certificate, browse and upload the .crt file you exported.

   • Click ADD to finish.

3. Set permissions

   • Back under Identity Sources, select your AD domain and set it as the default.

   • Then go to Administration > Access Control > Global Permissions.

   • Add the AD users or groups you want (for example, as Global Administrator).

Once this is done, you should be able to log in with AD accounts. If anything fails, check the vCenter logs under /var/log/vmware/sso for troubleshooting.

Best regards.

-------------------------------------------

Pascal Carone

vExpert 2025
------------------------------