JLDouglas
Contributor

vCenter "Authorize Exception" error when trying to connect

I'm having a problem with our vCenter server since changing out our 2 new Domain Controllers in the past couple of days. When it was installed, it bound itself during the install to the LDAP setting of the old DC's name, and since they now have different names, it will not correlate for the SSO authentication to work properly to perform the "Use Windows Credentials" login from the vSphere Client locally from a system or over the vSphere Web Client.

And from what I have discovered, the LDAP is pointing to the old server name of the DC and will not allow authentication to use any domain creds until this is modified.

How can I get this resolved so I can possibly modify the LDAP string entry to point to the new DC naming convention which is handling the DC?

Thanks in advance!

- Jeff

vCenter v5.1

11 Replies
DCSpooner
Enthusiast

You can log into the Web Client using the SSO admin@System-Domain account,

and then go to Administration -> Sign-On and Discovery -> Configuration.

Then you will be able to edit the domain connection.

JLDouglas
Contributor

Thank you for leading me in that direction, DCSpooner. Totally forgot about that, and thankfully I documented the whole setup process when I did it, with that account/pw in there...

But it wouldn't allow me to just edit what was there, so I deleted the entry and am in the process of trying to add the LDAP AD info back in. It keeps bombing on the entries provided; I'm adding the new server info as it was previously, as shown in the attachment. I have been instructed to just use ldap.domain.net for the server strings so it will auth to any server in the domain.

I get this error of "simple bind failed: ldap.domain.net:3269" at the top of the window after testing the connections, and it will not add.

I tried putting in the actual server names and I get this error:

The "Add identity source" operation failed for the entity with the following error message.

  Invalid input data. Validation failed Fields with issues: PrimaryLdapUrl - Test failed. Unable to establish a connection to the directory Detail Cause: simple bind failed: SJHQSV-DC01.rngint.net:3269;SecondaryLdapUrl - Test failed. Unable to establish a connection to the directory Detail Cause: simple bind failed: HMHQSV-DC01.rngint.net:3269


Thanks!


Not sure where to go from here...

0 Kudos
DCSpooner
Enthusiast

Try port 3268.

From VMware vSphere 5.1, procedure 4, Primary Server URL:

"For Active Directory multi-domain controller deployments, the port is typically 3268."

0 Kudos
JLDouglas
Contributor

Negative, Ghost Rider...

Port didn't help at this point.

0 Kudos
DCSpooner
Enthusiast

Temporarily turn off your firewalls for the DCs and give it a try.

Also try ldap://FQDN:3268

0 Kudos
JLDouglas
Contributor

You won't believe this... lol

It was something very simple. I got looking at it, thought why not, and removed the "S" from the LDAP string, thinking maybe it's looking for a secure server connection as a webpage maybe...

Lo and behold, that was the cause, because once I removed the "S" from the ldaps as it was by default... the Cert box disappeared and it allowed me to fully test the connection with no problems...

Appreciate your assistance here. It was the first time using the forum and I had a great quick response!

DCSpooner
Enthusiast

I did not see it in your image at first, but when I took a second look I saw it.

And yes, it was looking at your new DC as secure LDAP.

0 Kudos
DCSpooner
Enthusiast

So the overall answer is:

You can log into the Web Client using the SSO admin@System-Domain account,

and then go to Administration -> Sign-On and Discovery -> Configuration,

and use "ldap://FQDN:3268", not "ldaps://FQDN:3268", in the server LDAP URL.

But you might want to look into using LDAP secure (ldaps).

0 Kudos
JLDouglas
Contributor

That is correct. I would imagine I could go back in there and change it to 3269 since the ports are so close to one another...

Will mention it to my Domain Admins. Is there a great benefit to it other than supplying a Cert for Authen., esp. if it's only being accessed internally?

0 Kudos
DCSpooner
Enthusiast

3269 is for LDAPS and 3268 for LDAP.

You will not be able to use 3269 until you get your LDAP secure setup in place.

0 Kudos
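A check that puts DCSpooner's two points together, the ldap/ldaps scheme having to match the port (3268 vs 3269) and "simple bind failed" against a DC that does not yet serve LDAPS, as an added example that is not part of this thread or of vCenter itself; the host names in it are constructed.

```python
"""Sanity-check a vCenter SSO identity-source Server URL (added example, not
from the thread or VMware). Static check: the ldap/ldaps scheme must match the
port. Network probe: tell a closed LDAPS port apart from a distrusted cert.
Host names used here are constructed."""
import socket
import ssl
from urllib.parse import urlsplit

# AD ports: 389/636 for one domain, 3268/3269 for the Global Catalog.
PLAIN_PORTS = {389: "LDAP", 3268: "Global Catalog (LDAP)"}
TLS_PORTS = {636: "LDAPS", 3269: "Global Catalog (LDAPS)"}


def check_ldap_url(url):
    """Return (ok, message) without touching the network."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ("ldap", "ldaps"):
        return False, f"scheme must be ldap or ldaps, got {parts.scheme!r}"
    if not parts.hostname:
        return False, "missing host name"
    try:
        port = parts.port or (636 if scheme == "ldaps" else 389)
    except ValueError:
        return False, "port is not a number"
    if scheme == "ldaps" and port in PLAIN_PORTS:
        return False, f"ldaps:// on plain-text port {port}: use 3269/636 or ldap://"
    if scheme == "ldap" and port in TLS_PORTS:
        return False, f"ldap:// on TLS port {port}: use 3268/389 or ldaps://"
    label = {**PLAIN_PORTS, **TLS_PORTS}.get(port, "non-standard port")
    return True, f"{scheme}://{parts.hostname}:{port} ({label})"


def probe_ldaps(host, port=3269, timeout=5):
    """TLS handshake against the DC. 'closed' = nothing listens (firewall, or
    LDAPS never set up on the new DC, as in this thread); 'untrusted' = a cert
    is served but the local CA store rejects it; 'ok' = handshake succeeded."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return "ok", tls.getpeercert().get("subject")
    except ssl.SSLCertVerificationError as e:
        return "untrusted", str(e)
    except ssl.SSLError as e:
        return "tls error", str(e)
    except OSError as e:  # refused, timed out, unreachable
        return "closed", str(e)
```

Run `check_ldap_url` on the Primary and Secondary Server URLs first; only when both pass does `probe_ldaps(host)` against each DC tell you whether a remaining "simple bind failed" is a closed port or a certificate the SSO server does not trust.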
mtrento
Enthusiast

Hi,

The same thing happened to me (removed old DC 2003 and replaced it with 2008R2).

I tried to change the SSO binding by reusing the same data and changing only the computer name, but got the "simple bind failed" message.

So what I did after reading your post was replace ldaps with ldap, change the port to 3268 instead of 3269 (the previous and working port), and use password authentication with username@domain.

Thanks!