vCenter LDAP binding and signing

Jump to solution

According to Microsoft, LDAP binding and signing will automatically be enforced on January 2020.


I have enabled LDAP logging on domain controllers.

Set-ItemProperty hklm:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics -Name '16 LDAP Interface Events' -Value 2

It appears that the vCenter is comming out in the "Directory Service" log with a lot of 2889 events:

The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification),
or performed a simple bind over a clear text (non-SSL/TLS-encrypted) LDAP connection.

Does anyone know how to make the vCenter (vSphere 6.7U3) use LDAP binding (No anonymous or Simple but SASL authentication) and signing?

22 Replies

The news from Microsoft and the statement from VMware is delaying the inevitable.  The big question is how do we make this work with LDAPS on vcenter?  No one wants to have to deal with this again in the 2nd half of 2020.  Come on VMware...quit being so damn obscure.

I, too, can't seem to properly get the exported LDAPS cert from my DC (verified working LDAPS) to import into vCenter to even attempt an LDAPS bind.  Getting the dreaded  Check the network settings and make sure you have network access to the identity source.

Is there a trick to the cert needing to be imported?  I'm just exporting the LDAPS one from my DC.  Do we need a private key (pfx), or not (cer)?  Maybe that's incorrect...

0 Kudos

The only thing VMware is being a little bit obscure about is the fact that Windows Integrated still generates 2889 events.

However it still works with channel binding and LDAP signing enabled.

This blog details very well how to retrieve the certificate.

You don't need the private key of course, just retrieve the certs on all DCs and add them to the identity source.

0 Kudos