Hi All,
I have a new vCenter server I’m trying to configure an identity source for.
However I get an error:
Cannot configure identity source due to Failed to probe provider connectivity [URI: ldaps://sub.root.com:3269 ]; tenantName [vsphere.local], userName [username@ad.f1.com] Caused by: Can't contact LDAP server.
I have the certificate.
I can ping the server from the VCSA.
I can curl -v telnet to the server:
* Trying 01.01.01.01:3269...
* Connected to server.sub.root.com (01.10.01.1) port 3269 (#0)
If I try to connect over standard LDAP, a message comes back that stronger authentication is needed:
Cannot configure identity source due to Failed to probe provider connectivity [URI: ldap://sub.root.com ]; tenantName [vsphere.local], userName [username@ad.f1.com] Caused by: Strong(er) authentication required.
Is there something I am missing?
The DNS for this server is on a different domain and I am wondering if that is causing any issues?
The username does indeed need to be provided in either the principal name format (username@domain.name) or as a UPN.
Did you provide the certificate for the CA that signed your domain controller certificates?
Right so, I was doing everything correctly; a firewall rule that I was unaware of was blocking it.
Good to know that everything works.
A firewall should be checked too. Network admins have their own approach to that topic.
I'm facing the same issue and would be curious to know what this firewall rule is, since telnet to 3269 is successful.
Having the same/similar problem. What was the firewall rule you found that fixed it?
vCenter Server should be able to reach the LDAP server on ports 3269 (LDAPS) and 389 (LDAP).
Unfortunately this wasn't it. Telnet to both ports works from the appliance. Curious, as I now have three different customer vcenters that have started having this issue within a month or so.
What about port 636? It is also needed for LDAPS.
Yup, that works fine as well.
Did you check if the LDAP server allows connections from the vCenter server?
Is the LDAP server in the same domain, or in another domain?
Your domain controllers also need to be set up for LDAPS. It doesn't work out of the box. Make sure they have a certificate that matches the FQDN you're connecting on and they are listening on tcp/636
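A layered check for the LDAPS requirements listed in this thread, separating plain TCP reachability (what telnet/curl prove) from a TLS handshake verified against the CA and the FQDN. This is an added Python example, not code from the thread or from VMware; `ldaps_probe` and `_plain_listener` are hypothetical helpers, and the listener is a constructed stand-in for a port that accepts TCP but never speaks TLS.

```python
"""Probe an LDAPS endpoint stage by stage: DNS, TCP, then a verified TLS
handshake (CA chain + hostname). Hypothetical helper, not vCenter code."""
import socket
import ssl
import threading
from typing import Optional, Tuple


def ldaps_probe(host: str, port: int = 3269, cafile: Optional[str] = None,
                timeout: float = 5.0) -> Tuple[str, str]:
    """Return (stage, detail) where stage is 'dns', 'tcp', 'tls' or 'ok'.

    'tcp' is what a firewall block looks like. 'tls' is what an untrusted CA,
    a certificate that does not match the FQDN, or a port that is open but not
    serving LDAPS looks like, even though telnet/curl to the port succeeds."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.gaierror as e:          # name did not resolve
        return "dns", str(e)
    except OSError as e:                  # refused / timed out / unreachable
        return "tcp", str(e)
    # Default context verifies the chain against cafile (or the system store)
    # and checks that the certificate's SAN/CN matches `host`.
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
            return "ok", f"{tls.version()} subject={cert.get('subject')} SAN={sans}"
    except OSError as e:                  # SSLError is a subclass of OSError
        return "tls", str(e)
    finally:
        sock.close()


def _plain_listener() -> int:
    """Constructed stand-in: accepts one TCP connection, then closes it without
    any TLS. Returns the local port it listens on."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve() -> None:
        conn, _ = srv.accept()
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    # Against a real DC you would pass cafile="/path/to/issuing-ca.pem".
    print(ldaps_probe("127.0.0.1", _plain_listener()))   # ('tls', ...)
```

A result of `('tcp', ...)` points at filtering between the appliance and the DC, while `('tls', ...)` with a verify error points at the CA bundle or the certificate's FQDN, which is the case telnet alone cannot distinguish.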
Well, of course it doesn't work out of the box. But as I've said earlier, LDAPS auth on these vcenters was working before (since I made the initial configurations around a year ago).
Regardless, it seems that editing the existing identity source doesn't work and will throw the error. Recreating the whole identity source with the same settings worked.
