vCenter 7 sLDAP

  • 1.  vCenter 7 sLDAP

    Posted Feb 07, 2023 02:07 PM

    Hi All,

    I have a new vCenter server I’m trying to configure an identity source for.

    However I get an error:

    Cannot configure identity source due to Failed to probe provider connectivity [URI: ldaps://sub.root.com:3269 ]; tenantName [vsphere.local], userName [username@ad.f1.com] Caused by: Can't contact LDAP server.

    I have the certificate.

    I can ping the server from the VCSA.

    I can curl -v telnet to the server:

    *   Trying 01.01.01.01:3269...

    * Connected to server.sub.root.com (01.10.01.1) port 3269 (#0)

    If I try to connect over standard LDAP, a message comes back that stronger authentication is needed:

    Cannot configure identity source due to Failed to probe provider connectivity [URI: ldap://sub.root.com ]; tenantName [vsphere.local], userName [username@ad.f1.com] Caused by: Strong(er) authentication required.

    Is there something I am missing?

    The DNS for this server is on a different domain, and I am wondering if that is causing any issues.



  • 2.  RE: vCenter 7 sLDAP

    Posted Feb 07, 2023 04:59 PM

    The username does indeed need to be provided in either the principal name format (username@domain.name) or as a UPN.

    Did you provide the certificate for the CA that signed your domain controller certificates?


  • 3.  RE: vCenter 7 sLDAP

    Posted Feb 08, 2023 01:56 PM

    Right so, I was doing everything correctly; a firewall rule that I was unaware of was blocking it.



  • 4.  RE: vCenter 7 sLDAP

    Posted Feb 08, 2023 02:41 PM

    Good to know that everything works.

    A firewall should be checked too. Network admins have their own approach to that topic.



  • 5.  RE: vCenter 7 sLDAP

    Posted Jul 27, 2023 05:20 AM

    I'm facing the same issue and would be curious to know what this firewall rule is, since telnet to 3269 is successful.



  • 6.  RE: vCenter 7 sLDAP

    Posted Aug 02, 2023 04:41 PM

    Having the same/similar problem. What was the firewall rule you found that fixed it?



  • 7.  RE: vCenter 7 sLDAP

    Posted Aug 02, 2023 04:47 PM

    vCenter server should be able to reach the LDAP server on ports 3269 (ldaps) and 389 (ldap).



  • 8.  RE: vCenter 7 sLDAP

    Posted Aug 04, 2023 06:37 AM

    Unfortunately this wasn't it. Telnet to both ports works from the appliance. Curious, as I now have three different customer vCenters that have started having this issue within a month or so.



  • 9.  RE: vCenter 7 sLDAP

    Posted Aug 04, 2023 06:52 AM

    What about port 636? Also needed for LDAPS.



  • 10.  RE: vCenter 7 sLDAP

    Posted Aug 04, 2023 07:00 AM

    Yup, that works fine as well.



  • 11.  RE: vCenter 7 sLDAP

    Posted Aug 04, 2023 07:33 AM

    Did you check if the LDAP server allows connections from the vCenter server?
    Is the LDAP server in the same domain, or in another domain?



  • 12.  RE: vCenter 7 sLDAP

    Posted Aug 04, 2023 07:38 AM

    Your domain controllers also need to be set up for LDAPS. It doesn't work out of the box. Make sure they have a certificate that matches the FQDN you're connecting on and that they are listening on tcp/636.
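As an added diagnostic example (not from any poster in this thread): a POSIX shell helper that repeats the probe vCenter makes when it configures the LDAPS identity source, a TLS handshake to 636 and 3269 against the CA file with a hostname check on the FQDN, and then tells apart the failure modes the thread circles around (port blocked, CA not trusted, certificate not matching the FQDN). The host, the CA file path and the wording of the classifications are assumptions; only `openssl s_client` is required.

```shell
#!/bin/sh
# Added diagnostic helper (not the thread's own commands). Assumes openssl
# and a PEM file holding the CA that signed the domain controller certificate.
set -u

# Classify raw `openssl s_client` output into the failure the thread discusses.
# Exit codes: 0 ok, 1 tcp, 2 hostname, 3 chain, 4 no TLS, 5 other verify error.
classify_tls_output() {
    out="$1"
    if printf '%s\n' "$out" | grep -q 'connect:errno='; then
        echo "tcp-unreachable: firewall rule or nothing listening on the port"
        return 1
    fi
    code=$(printf '%s\n' "$out" | sed -n 's/^Verify return code: \([0-9]*\).*/\1/p' | head -n1)
    case "${code:-none}" in
        0)  echo "ok: TLS handshake verified against CA and hostname"; return 0 ;;
        62) echo "hostname-mismatch: DC certificate SAN does not cover the FQDN used"; return 2 ;;
        19|20|21) echo "chain-untrusted: CA file does not sign the DC certificate (code $code)"; return 3 ;;
        none) echo "no-tls: port answered but no TLS handshake (plain LDAP on this port?)"; return 4 ;;
        *)  echo "tls-verify-failed: OpenSSL verify code $code"; return 5 ;;
    esac
}

# Probe one host:port the way vCenter does: TLS with the CA file and the
# hostname check against the FQDN entered in the identity source.
probe_ldaps() {
    host="$1"; port="$2"; cafile="$3"
    out=$(openssl s_client -connect "$host:$port" -servername "$host" \
          -CAfile "$cafile" -verify_hostname "$host" </dev/null 2>&1)
    classify_tls_output "$out"
}

# Check both LDAPS ports named in the thread: 636 (LDAPS) and 3269 (global catalog).
probe_all() {
    host="$1"; cafile="$2"; rc=0
    for port in 636 3269; do
        printf '%s:%s -> ' "$host" "$port"
        probe_ldaps "$host" "$port" "$cafile" || rc=1
    done
    return $rc
}

# Usage: ./ldaps_probe.sh dc01.sub.root.com /path/to/ca.pem  (hypothetical values)
if [ $# -ge 2 ]; then
    probe_all "$1" "$2"
fi
```

A firewall that silently drops packets makes `s_client` wait for the TCP timeout rather than print `connect:errno=`, so wrap `probe_all` in `timeout` when testing through such rules.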



  • 13.  RE: vCenter 7 sLDAP

    Posted Aug 08, 2023 07:28 AM

    Well, of course it doesn't work out of the box. But as I've said earlier, LDAPS auth on these vCenters was working before (since I made the initial configurations around a year ago).

    Regardless, it seems that editing the existing identity source doesn't work and will throw the error. Recreating the whole identity source with the same settings worked.



  • 14.  RE: vCenter 7 sLDAP

    Posted Dec 14, 2023 02:04 PM

    Same for me. This had me running about checking certs, credentials and all sorts of things.
    It turns out it was all correct. It's the edit function that is broken in vSphere.
    Removed the old Identity Source and added a new one; that works.