Topic Name : Active Directory LDAP Server Identity Source Settings
Product/Version : VMware vSphere/6.7 Appliance
Question:
I want to add a new identity source with LDAPS to our Active Directory server, but everything I tried failed.
At the moment we use the Windows Integrated Active Directory setting for the same Windows domain.
A check with curl to the needed IPs and ports from the appliance as the SSH root user was OK.
I get this error: Check the network settings and make sure you have network access to the identity source.
Also, the ports are open and the firewall settings on Windows were OK. ldp.exe is running on Windows with port 636 and I can access and
bind with a user account.
Can someone help?
Greets Marko
For adding a new identity source, make sure you use administrator@vsphere.local
Yes, sure, I used the local vSphere administrator account.
Greets Marko
For Active Directory multi-domain controller deployments, the port is typically 3268 for LDAP and 3269 for LDAPS. Can you check whether you are using the correct port?
OK, I tried with 3269. But I get the same error message.
Greets Marko
Can you check with a single DC on port 369 or 636? If that works, you have problems with the global catalog.
Hello bewe,
I also tried port 389 and 636. But it fails with the mentioned error.
Greets Marko
SSH into the VCSA and try:
nc -vz <domainname> 3268
or
nc -vz <domaincontroller> 636
and see if the ports can connect from the VCSA.
OK, then you have problems connecting to the global catalog.
You can also check this with ldp.exe, with the domain or subdomain name and port 3268/9.
Picture is not loading.
I can connect to port 3268. No problem with global catalog.
Greets Marko
Then please try to add the source again and watch /var/log/vmware/sso/ssoAdminServer.log for errors.
OK, I tried, but there is no entry in the log file.
Greets Marko
Is your VCSA a domain member?
Is the name of the SSO domain different from the AD domain name?
Please check the NTP settings on AD and VCSA.
Please check DNS and reverse lookup for AD and VCSA.
Hello bewe,
The VCSA is a domain member.
SSO domain and AD domain are the same.
NTP settings:
Thu May 14 13:02:49 UTC 2020 vcsa
Donnerstag, 14. Mai 2020 15:02:44 windows dc
DNS settings seem to be correct; I can resolve IPs.
Greets Marko
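The checks bewe asks for above (port reachability from the VCSA, the LDAPS ports 636/3269, NTP skew) and the two timestamps Marko posted, written up as a small Python pre-flight script. This is an added example, not part of the original thread or of any VMware tool; it assumes the Windows DC printed local time in CEST (UTC+2), and any DC host name you pass in is your own.

```python
import socket
import ssl
from datetime import datetime, timedelta, timezone

# Ports from the thread: single domain controller (389/636) and Global Catalog
# (3268/3269), plain LDAP and LDAPS respectively.
AD_PORTS = {"ldap": 389, "ldaps": 636, "gc": 3268, "gc-ssl": 3269}
MAX_SKEW_SECONDS = 300  # Kerberos' default clock tolerance (5 minutes)

def tcp_reachable(host, port, timeout=3.0):
    """Same check as `nc -vz host port`: True if a TCP connect succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def port_report(host):
    """Run the nc-style check against every AD port of one host."""
    return {name: tcp_reachable(host, port) for name, port in AD_PORTS.items()}

def ldaps_server_cert(host, port=636, timeout=3.0):
    """Complete a TLS handshake on the LDAPS port and return the DER certificate
    the DC presents (None if the handshake fails).  Verification is disabled on
    purpose: the goal is to see which certificate and chain SSO will have to trust."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.getpeercert(binary_form=True)
    except (OSError, ssl.SSLError):
        return None

def parse_vcsa_date(text):
    """Parse `date` output on the VCSA, e.g. 'Thu May 14 13:02:49 UTC 2020'."""
    return datetime.strptime(text, "%a %b %d %H:%M:%S %Z %Y").replace(tzinfo=timezone.utc)

def clock_skew_seconds(vcsa_time, dc_time):
    """Absolute offset between two timezone-aware timestamps, in seconds."""
    return abs((vcsa_time - dc_time).total_seconds())

# The two timestamps posted in the thread.  The VCSA prints UTC; the Windows DC
# printed local time, assumed here to be CEST (UTC+2), i.e. Germany in May 2020.
VCSA_TIME = parse_vcsa_date("Thu May 14 13:02:49 UTC 2020")
DC_TIME = datetime(2020, 5, 14, 15, 2, 44, tzinfo=timezone(timedelta(hours=2)))
```

Run `port_report("<your-dc>")` and `ldaps_server_cert("<your-dc>")` from the appliance shell; the thread's two timestamps come out 5 seconds apart, well inside the 300-second tolerance, so time is not the cause there.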
SSO domain and AD domain should not be the same; that seems to be your problem.
Just to clarify: your VCSA is a domain member and has a name like vcsa.domain.local
In the VAMI of the appliance, in the Summary tab, you see the single sign-on domain on the right side; this should be different from your AD domain.
OK, that's correct; you haven't made a mistake there.
No. If you want to change from Integrated Windows Authentication to LDAP, you only have to remove the authentication source first; two entries for the same domain are not allowed.
The VCSA remains a domain member; just remove the authentication source and add it as LDAP type.
Be sure to use the administrator@vsphere.local account for this action.
@berndweyand thank you, buddy.
We've been working on this for a while now; after removing the Integrated Windows Authentication identity, the new LDAPS identity source was completed.
Best regards!