VMware Cloud Community
LucFullenwarth
Enthusiast

vCenter LDAP binding and signing

According to Microsoft, LDAP binding and signing will automatically be enforced in January 2020.

https://support.microsoft.com/en-ca/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirem...

I have enabled LDAP logging on domain controllers.

Set-ItemProperty hklm:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics -Name '16 LDAP Interface Events' -Value 2

It appears that the vCenter is coming out in the "Directory Service" log with a lot of 2889 events:

The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification),
or performed a simple bind over a clear text (non-SSL/TLS-encrypted) LDAP connection.

Does anyone know how to make the vCenter (vSphere 6.7U3) use LDAP binding (No anonymous or Simple but SASL authentication) and signing?
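
To see which clients and accounts are behind the 2889 events, and whether each one is a simple bind or an unsigned SASL bind, the events can be grouped as below. This is an added example, not part of the original post; the function names, addresses and accounts are constructed for illustration.

```powershell
# Event 2889 data fields: [0] client "IP:port", [1] identity used for the bind,
# [2] bind type (0 = SASL bind without signing, 1 = simple bind over clear text).
function Get-InsecureLdapBindSummary {
    param([Parameter(ValueFromPipeline)] $Record)
    begin { $rows = @() }
    process {
        $client = [string]$Record.Properties[0].Value
        $idx    = $client.LastIndexOf(':')             # last colon separates the source port
        $ip     = if ($idx -ge 0) { $client.Substring(0, $idx) } else { $client }
        $type   = switch ([int]$Record.Properties[2].Value) {
            0       { 'Unsigned SASL bind' }
            1       { 'Simple bind (clear text)' }
            default { "Unknown ($_)" }
        }
        $rows += [pscustomobject]@{
            ClientIP = $ip
            Identity = [string]$Record.Properties[1].Value
            BindType = $type
        }
    }
    end {
        # One line per client/identity/bind type, busiest first.
        $rows | Group-Object ClientIP, Identity, BindType |
            Sort-Object Count -Descending |
            ForEach-Object {
                $first = $_.Group[0]
                [pscustomobject]@{
                    Count    = $_.Count
                    ClientIP = $first.ClientIP
                    Identity = $first.Identity
                    BindType = $first.BindType
                }
            }
    }
}

# Constructed sample records shaped like Get-WinEvent output (hypothetical helper and values).
function New-SampleRecord($Client, $Identity, $Type) {
    [pscustomobject]@{ Properties = @($Client, $Identity, $Type | ForEach-Object { [pscustomobject]@{ Value = $_ } }) }
}
$sample = @(
    New-SampleRecord '192.0.2.10:50412' 'EXAMPLE\svc-vcenter' 0
    New-SampleRecord '192.0.2.10:50413' 'EXAMPLE\svc-vcenter' 0
    New-SampleRecord '192.0.2.25:49811' 'cn=app,dc=example,dc=com' 1
)
$sample | Get-InsecureLdapBindSummary | Format-Table -AutoSize

# On a domain controller, feed the real log instead:
# Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2889 } | Get-InsecureLdapBindSummary
```

Clients reported as simple binds are sending credentials over an unencrypted connection and need moving to LDAPS; clients reported as unsigned SASL binds are the ones affected by the signing requirement.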

22 Replies
rschmitz
Contributor

The news from Microsoft and the statement from VMware is delaying the inevitable. The big question is how do we make this work with LDAPS on vCenter? No one wants to have to deal with this again in the 2nd half of 2020. Come on VMware...quit being so damn obscure.

I, too, can't seem to properly get the exported LDAPS cert from my DC (verified working LDAPS) to import into vCenter to even attempt an LDAPS bind. Getting the dreaded "Check the network settings and make sure you have network access to the identity source."

Is there a trick to the cert needing to be imported? I'm just exporting the LDAPS one from my DC. Do we need a private key (pfx), or not (cer)? Maybe that's incorrect...

vXav
Expert

The only thing VMware is being a little bit obscure about is the fact that Windows Integrated still generates 2889 events.

However it still works with channel binding and LDAP signing enabled.

This blog details very well how to retrieve the certificate.

You don't need the private key of course, just retrieve the certs on all DCs and add them to the identity source.
