VMware Cloud Community
pricemc1
Enthusiast

Need help troubleshooting LDAPS configuration on vCenter 8

I am trying to configure an identity source in vCenter 8 using LDAPS with Active Directory on a new vCenter 8 implementation. I have been able to do this successfully many times in the past on vCenter 7 instances so I'm familiar with the procedure and requirements. This is my first time doing it though on a vCenter 8 VCSA, but nothing really looks different than how it was done in earlier versions. Unfortunately, I seem to be running into some issues when I try to add the identity source using LDAPS. Adding it using standard LDAP works fine though. I am receiving the following error when trying to configure the identity source for LDAPS:

"Cannot configure identity source due to Failed to probe provider connectivity [URI: ldaps://domainl ]; tenantName [vsphere.local], userName [User] Caused by: Can’t contact LDAP server."

For troubleshooting I have done the following:

  • I was able to contact and query the LDAP servers (Windows Server 2022 DCs) using 'ldp.exe' to test LDAPS from the Windows clients that I tested from. I was able to bind and authenticate using the domain account credentials I specified in the identity source configuration.
  • I was able to confirm that the LDAPS servers are presenting the correct certificate by using OpenSSL to display the certificates being presented on ports 636/3269.
  • I was also able to verify network connectivity and proper name resolution from the VCSA to the LDAPS servers from the VCSA CLI using 'ping', 'dig', and 'nslookup'. Both forward and reverse lookups seem to be fine from the VCSA and Windows servers. All of these systems are on the same network. There is no router or firewall between any of them (other than the OS-level firewalls built into Windows and the VCSA).
  • When I ran the 'ldapsearch' command from the VCSA's CLI it returned no errors that would indicate LDAPS is not working when being queried.
  • I confirmed that the CA certificates for the CAs that issued the LDAPS certificates to the Windows servers have been added to the trusted list in vCenter.

I'm thinking my next troubleshooting step should be to review any relevant VCSA log files that would have detailed information on what is going on when I try to add the LDAPS identity source. I'm not sure what log files I should be checking though. If anyone can point me to the correct logs or has some additional troubleshooting advice it would be greatly appreciated.


Thanks in advance,

Mike


Accepted Solution

Ajay1988
Expert

Okay. So no issues with ports. Seems I missed checking the first update...

So you are able to add with LDAP; only LDAPS is giving issues.
This is surely with the certs.
Can you get the certs issued with a shorter validity? Keep them expiring before 2049 and check.

I recall we had an issue with certs valid for more than 20 years in 6.5, and that was increased.

If you think your queries have been answered
Mark this response as "Correct" or "Helpful".

Regards,
AJ

34 Replies
pricemc1
Enthusiast

Shocked that nobody has been able to reply to this request. Is there something that I need to make more clear to get help for it?

a_p_
Leadership

Can you confirm that you've specified the LDAPS server(s) under "Specific domain controllers"?
"Any domain controller in the domain" will not work with LDAPS.

André

RajeevVCP4
Expert

Are you able to ping the LDAP server from the VCSA via PuTTY?

Rajeev Chauhan
VCIX-DCV6.5/VSAN/VXRAIL
Please mark as helpful or correct if my answer is useful for you.
pricemc1
Enthusiast

Yes, I am able to ping the AD DCs directly from the VCSA's CLI that I am attempting to use for VCSA LDAPS lookups. They are in fact on the same subnet as the VCSA.

pricemc1
Enthusiast

I have specified the specific AD domain controllers I want to use for LDAPS lookups. What is so odd is that the only error I can find in the logs and in the web interface is:

"Cannot configure identity source due to Failed to probe provider connectivity [URI: ldaps://ad01dc01.ad1.lab:3268 ]; tenantName [ad1lab.local], userName [svc_ldaps@ad1.lab] Caused by: Can't contact LDAP server."

I know it is contacting the server though because if I enter invalid credentials for the account to be used for the LDAP lookup I get this error: 

"Cannot configure identity source due to Failed to probe provider connectivity [URI: ldap://ad1.lab:3268 ]; tenantName [ad1lab.local], userName [svc_ldaps@ad1.lab] Caused by: Invalid credentials."

If it really couldn't contact the LDAP server then it wouldn't be reporting invalid credentials when I try an incorrect password versus when I try the correct password and it reports that it can't contact the LDAP server.

a_p_
Leadership

>>> tenantName [ad1lab.local], userName [svc_ldaps@ad1.lab]
Can you confirm that this is correct? ad1lab.local vs. ad1.lab?

André

pricemc1
Enthusiast

"ad1lab.local" is my vSphere SSO domain name that the VCSA is configured for. There are no other VCSAs that are part of the SSO environment.

"ad1.lab" is the Active Directory name the Identity Source will perform LDAPS lookups from. I have a user-level service account named "svc_ldaps" that is used for the LDAP lookups from vCenter. This account and its password work just fine when the identity source is configured for standard LDAP instead of LDAPS. It seems to me that the values for tenant and username as shown in the error are correct since they would be the same when using LDAP.

a_p_
Leadership

I just saw that you try to connect on port 3268 instead of 3269.

André

pricemc1
Enthusiast

Sorry, when I copied that I had been testing all the various LDAP/LDAPS-related ports just to be thorough, and I copied in the wrong results. I did get the same results though when using 3269 and 636. See below:

"Cannot configure identity source due to Failed to probe provider connectivity [URI: ldaps://ad01dc01.ad1.lab:3269 ]; tenantName [ad1lab.local], userName [svc_ldaps@ad1.lab] Caused by: Can't contact LDAP server."


"Cannot configure identity source due to Failed to probe provider connectivity [URI: ldaps://ad01dc01.ad1.lab:636 ]; tenantName [ad1lab.local], userName [svc_ldaps@ad1.lab] Caused by: Can't contact LDAP server."

hwelvaar
Contributor

Was struggling with this as well. For my issue, the solution was to export the certificates from the DCs in Base-64 format instead of DER format (both formats export as a .CER file).

Then I could specify those certificates, without error, as the certificates for the LDAPS connection to the domain controllers.

Also, just for info, I tested and you need to specify the FQDN for the DCs, and not just the IP address.

andrew789
Contributor

Hi

I'm not sure this will help, but these guys had the same error message: Migrate from Active Directory Integrated Windows Authentication VMware vSphere 7.0 – TheSleepyAdmins

Regards

Andrew
pricemc1
Enthusiast

Thanks for your suggestions. The certs I was using were in Base64 format and I always use the FQDN as well, so unfortunately neither of those is the issue in this case.

pricemc1
Enthusiast

I took a look at the link you provided and I didn't see anything there that mentioned the error I am seeing. Are you sure this was the correct link?

SureshKumarMuth
Commander

Do you have any identity source created already using AD Integrated Windows Authentication, or is this the first one you are trying to create using LDAPS? If you have an IWA-type identity source already, then try to remove that and add an LDAPS-based identity source.

Regards,
Suresh
https://vconnectit.wordpress.com/
pricemc1
Enthusiast

No, there has never been any IWA identity source configured. This is vSphere 8 so IWA is supposed to be deprecated in theory...

SureshKumarMuth
Commander

I can still see that option in the lab. Anyway, you can check this log file for detailed information:

/var/log/vmware/sso/ssoAdminServer.log


Regards,
Suresh
https://vconnectit.wordpress.com/
pricemc1
Enthusiast

Thanks for the log location. I did a quick test again and then checked the log you mentioned to see what was there. I copied the entries at the end of the log into the attached file, which shows the errors being reported. Pretty much as shown in the GUI, it seems to just indicate that it can't contact the LDAP server.

The only thing I noticed beyond that was an error relating to validating the expiration date of the certificate for the LDAP server I used. I'm not sure why it would have any issues with that though. The server's LDAP cert is issued by a CA that the vCenter server trusts and the expiration date on the server's cert is 3/18/2053, so it's clearly not expired. The Root CA's expiration date is 3/5/2063 and the issuing intermediate CA's expiration is 3/5/2058, so they are not expired either.

Maybe you can find something in the log that I am missing...

SureshKumarMuth
Commander

Could you please also check this log for related info:

vmware-identity-sts.log

Regards,
Suresh
https://vconnectit.wordpress.com/
SureshKumarMuth
Commander

I am seeing two errors:

1. Java exception, unparseable date. Not sure if this is the contributing factor to this issue; in that case a code fix might be needed, and only VMware can help here.

2023-06-06T02:13:13.851Z ERROR ssoAdminServer[141:pool-2-thread-6] [OpId=lgph43x9-1041449-auto-mbl8-h5:70238925] [com.vmware.identity.interop.ldap.OpenLdapClientLibrary] Error when trying to parse validity date
java.text.ParseException: Unparseable date: "20530319022108Z"

2. After the above exception, I can still see the process go on, and it fails with the following error:

2023-06-06T02:13:13.868Z WARN ssoAdminServer[141:pool-2-thread-6] [OpId=lgph43x9-1041449-auto-mbl8-h5:70238925] [com.vmware.identity.interop.ldap.LdapErrorChecker] Error received by LDAP client: com.vmware.identity.interop.ldap.OpenLdapClientLibrary, error code: -1
2023-06-06T02:13:13.868Z WARN ssoAdminServer[141:pool-2-thread-6] [OpId=lgph43x9-1041449-auto-mbl8-h5:70238925] [com.vmware.identity.idm.server.ServerUtils] cannot bind connection: [ldaps://ad01dc01.ad1.lab:3269, svc_ldaps@ad1.lab]
2023-06-06T02:13:13.869Z ERROR ssoAdminServer[141:pool-2-thread-6] [OpId=lgph43x9-1041449-auto-mbl8-h5:70238925] [com.vmware.identity.idm.server.ServerUtils] cannot establish ldap connection with URI: [ldaps://ad01dc01.ad1.lab:3269] because [com.vmware.identity.interop.ldap.ServerDownLdapException] with reason [Can't contact LDAP server] therefore will try to attempt to use secondary URIs, if applicable

It looks like a connectivity issue, but you have already confirmed no firewall is in place and the same machine works fine with LDAP. Since it is not working for the LDAPS connection, it might be something due to the certs, but I could not derive anything.

Let's check vmware-identity-sts.log to see if we get any messages there.

Can you run the nc command on the VCSA and check if the connections are fine on the ports related to LDAPS, just to double check?

Regards,
Suresh
https://vconnectit.wordpress.com/
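The "Unparseable date" line in the ssoAdminServer.log excerpt above and the accepted answer's "keep it expiring before 2049" advice are two sides of the same fact. RFC 5280 (section 4.1.2.5) requires X.509 validity dates through the year 2049 to be encoded as ASN.1 UTCTime ("YYMMDDHHMMSSZ", 13 characters) and dates from 2050 onward as GeneralizedTime ("YYYYMMDDHHMMSSZ", 15 characters). The string the SSO LDAP client choked on, "20530319022108Z", is the GeneralizedTime form, which a parser that only accepts UTCTime cannot handle; that the VMware client is such a UTCTime-only parser is an inference from the log, not something the thread confirms. The block below is an added example, not code from the thread or from VMware: it decodes a DER Validity SEQUENCE, reproduces the failure of a UTCTime-only parser on the logged string, and flags any certificate whose notAfter has been pushed into GeneralizedTime. The notBefore value and the 10-year "good" certificate are constructed for the example; only the 2053 notAfter comes from the log. Standard library only.

```python
"""Decode an X.509 Validity and flag dates RFC 5280 forces into GeneralizedTime (year >= 2050).

Added example; not from the thread or from VMware. The UTCTime-only parser
below is an assumed model of the failing client, chosen because it reproduces
the logged error on the 15-character GeneralizedTime string.
"""
from datetime import datetime, timezone

TAG_UTCTIME = 0x17          # ASN.1 UTCTime "YYMMDDHHMMSSZ": only for 1950-2049
TAG_GENERALIZEDTIME = 0x18  # ASN.1 GeneralizedTime "YYYYMMDDHHMMSSZ": required from 2050 on
TAG_SEQUENCE = 0x30
UTC = timezone.utc


def parse_utctime(s):
    """UTCTime-only parser; models a client that rejects GeneralizedTime outright."""
    if len(s) != 13 or not s.endswith("Z") or not s[:-1].isdigit():
        raise ValueError(f"Unparseable date: {s!r}")
    yy = int(s[0:2])
    year = 1900 + yy if yy >= 50 else 2000 + yy  # RFC 5280 two-digit year rule
    return datetime(year, int(s[2:4]), int(s[4:6]), int(s[6:8]),
                    int(s[8:10]), int(s[10:12]), tzinfo=UTC)


def parse_generalizedtime(s):
    if len(s) != 15 or not s.endswith("Z") or not s[:-1].isdigit():
        raise ValueError(f"Unparseable date: {s!r}")
    return datetime(int(s[0:4]), int(s[4:6]), int(s[6:8]), int(s[8:10]),
                    int(s[10:12]), int(s[12:14]), tzinfo=UTC)


def parse_asn1_time(tag, s):
    """Dispatch on the DER tag, as a compliant X.509 parser must."""
    if tag == TAG_UTCTIME:
        return parse_utctime(s)
    if tag == TAG_GENERALIZEDTIME:
        return parse_generalizedtime(s)
    raise ValueError(f"unexpected time tag 0x{tag:02x}")


def legacy_parse_result(s):
    """What the assumed UTCTime-only client would log for this string."""
    try:
        return parse_utctime(s).isoformat()
    except ValueError as exc:
        return str(exc)


def _read_tlv(buf, off):
    """Minimal DER TLV reader; short-form lengths only, which is all a Validity needs."""
    tag, length = buf[off], buf[off + 1]
    if length >= 0x80:
        raise ValueError("long-form length not handled in this example")
    end = off + 2 + length
    return tag, buf[off + 2:end], end


def decode_validity(der):
    """Return ((tag, notBefore), (tag, notAfter)) from a DER Validity SEQUENCE."""
    tag, body, end = _read_tlv(der, 0)
    if tag != TAG_SEQUENCE or end != len(der):
        raise ValueError("not a Validity SEQUENCE")
    t1, v1, off = _read_tlv(body, 0)
    t2, v2, off = _read_tlv(body, off)
    if off != len(body):
        raise ValueError("trailing bytes in Validity")
    return ((t1, parse_asn1_time(t1, v1.decode("ascii"))),
            (t2, parse_asn1_time(t2, v2.decode("ascii"))))


def encode_time(dt):
    """Encode as RFC 5280 requires: UTCTime through 2049, GeneralizedTime from 2050."""
    if dt.year < 2050:
        tag, text = TAG_UTCTIME, dt.strftime("%y%m%d%H%M%SZ")
    else:
        tag, text = TAG_GENERALIZEDTIME, dt.strftime("%Y%m%d%H%M%SZ")
    raw = text.encode("ascii")
    return bytes([tag, len(raw)]) + raw


def encode_validity(not_before, not_after):
    body = encode_time(not_before) + encode_time(not_after)
    return bytes([TAG_SEQUENCE, len(body)]) + body


def check_validity_for_sso(der):
    """Findings for a Validity; an empty list means both dates are UTCTime."""
    findings = []
    for name, (tag, dt) in zip(("notBefore", "notAfter"), decode_validity(der)):
        if tag == TAG_GENERALIZEDTIME:
            findings.append(f"{name} {dt:%Y-%m-%d} is GeneralizedTime (year >= 2050); "
                            "reissue the LDAPS cert with notAfter before 2050")
    return findings


# Constructed samples: the 2053 notAfter matches the thread's log line; the
# notBefore and the 10-year certificate are invented for this example.
SAMPLE_LONG_VALIDITY = encode_validity(datetime(2023, 3, 19, 2, 21, 8, tzinfo=UTC),
                                       datetime(2053, 3, 19, 2, 21, 8, tzinfo=UTC))
SAMPLE_OK_VALIDITY = encode_validity(datetime(2023, 3, 19, 2, 21, 8, tzinfo=UTC),
                                     datetime(2033, 3, 19, 2, 21, 8, tzinfo=UTC))

if __name__ == "__main__":
    print("UTCTime-only parser on 20530319022108Z:", legacy_parse_result("20530319022108Z"))
    for label, der in (("30-year cert", SAMPLE_LONG_VALIDITY), ("10-year cert", SAMPLE_OK_VALIDITY)):
        print(label, der.hex(), check_validity_for_sso(der) or ["OK"])
```

On a real certificate the same distinction is visible without any Python: `openssl asn1parse -in ldaps-server.pem` prints the two Validity fields as `UTCTIME` or `GENERALIZEDTIME`, and `openssl x509 -in ldaps-server.pem -noout -enddate` shows the year. Any chain element (leaf, intermediate or root) with a 2050-or-later date is a candidate, which matters here because the root and intermediate in the thread expire in 2063 and 2058.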