I am trying to configure an identity source in vCenter 8 using LDAPS with Active Directory on a new vCenter 8 implementation. I have been able to do this successfully many times in the past on vCenter 7 instances, so I'm familiar with the procedure and requirements. This is my first time doing it on a vCenter 8 VCSA, but nothing really looks different from how it was done in earlier versions. Unfortunately, I seem to be running into some issues when I try to add the identity source using LDAPS. Adding it using standard LDAP works fine though. I am receiving the following error when trying to configure the identity source for LDAPS:
"Cannot configure identity source due to Failed to probe provider connectivity [URI: ldaps://domainl ]; tenantName [vsphere.local], userName [User] Caused by: Can’t contact LDAP server."
For troubleshooting I have done the following:
I'm thinking my next troubleshooting step should be to review any relevant VCSA log files that would have detailed information on what is going on when I try to add the LDAPS identity source. I'm not sure what log files I should be checking though. If anyone can point me to the correct logs or has some additional troubleshooting advice it would be greatly appreciated.
Thanks in advance,
Shocked that nobody has been able to reply to this request. Is there something that I need to make more clear to get help for it?
Can you confirm that you've specified the LDAPS server(s) under "Specific domain controllers"?
"Any domain controller in the domain" will not work with LDAPS.
Are you able to ping the LDAP server from the VCSA (PuTTY)?
Yes, I am able to ping the AD DCs directly from the VCSA's CLI that I am attempting to use for VCSA LDAPS lookups. They are in fact on the same subnet as the VCSA.
I have specified the specific AD domain controllers I want to use for LDAPS lookups. What is so odd is that the only error I can find in the logs and in web interface is:
"Cannot configure identity source due to Failed to probe provider connectivity [URI: ldaps://ad01dc01.ad1.lab:3268 ]; tenantName [ad1lab.local], userName [email@example.com] Caused by: Can't contact LDAP server."
I know it is contacting the server though because if I enter invalid credentials for the account to be used for the LDAP lookup I get this error:
"Cannot configure identity source due to Failed to probe provider connectivity [URI: ldap://ad1.lab:3268 ]; tenantName [ad1lab.local], userName [firstname.lastname@example.org] Caused by: Invalid credentials."
If it really couldn't contact the LDAP server then it wouldn't be reporting invalid credentials when I try an incorrect password versus when I try the correct password and it reports that it can't contact the LDAP server.
>>> tenantName [ad1lab.local], userName [email@example.com]
Can you confirm that this is correct? ad1lab.local vs. ad1.lab?
"ad1lab.local" is my vsphere SSO domain name that the VCSA is configured for. There are no other VCSA's that are part of the SSO environment.
"ad1.lab" is the Active Directory name the Identity Source will perform LDAPS lookups from. I have a user-level service account named "svc_ldaps" that is used for the LDAP lookups from vCenter. This account and its password work just fine when the identity source is configured for standard LDAP instead of LDAPS. It seems to me that the values for tenant and username as shown in the error are correct, since they would be the same when using LDAP.
I just saw that you try to connect on port 3268 instead of 3269.
Sorry when I copied that I had been testing all the various LDAP/LDAPS related ports just to be thorough and I copied in the wrong results. I did get the same results though when using 3269 and 636. See below:
"Cannot configure identity source due to Failed to probe provider connectivity [URI: ldaps://ad01dc01.ad1.lab:3269 ]; tenantName [ad1lab.local], userName [firstname.lastname@example.org] Caused by: Can't contact LDAP server."
"Cannot configure identity source due to Failed to probe provider connectivity [URI: ldaps://ad01dc01.ad1.lab:636 ]; tenantName [ad1lab.local], userName [email@example.com] Caused by: Can't contact LDAP server."
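The pattern described in this exchange (ping works, plain LDAP binds, LDAPS reports "Can't contact LDAP server" while a wrong password on LDAP reports "Invalid credentials") is what you get when the TCP connection succeeds but the TLS handshake or chain validation fails before any bind is attempted. The following is an added example, not code from the thread or from VMware, that separates those stages so the failure can be pinned to one of them. It uses only the Python standard library; the host name ad01dc01.ad1.lab is taken from the thread, the CA bundle file name in the comment is a placeholder, and the two loopback listeners exist only to exercise the failure stages offline.

```python
import socket
import ssl
import threading


def probe_ldaps(host, port=636, cafile=None, timeout=3.0):
    """Report how far a connection to host:port gets.

    "stage" in the returned dict is one of:
      tcp_refused / tcp_failed  - nothing listening, or the packet never got there
      tls_failed                - TCP is fine; the TLS handshake or chain validation is not
      tls_ok                    - handshake done; the peer certificate's notAfter is reported
    cafile=None uses the system trust store; pass the exported CA chain (PEM) to
    validate against the CA that issued the domain controllers' certificates.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return {"stage": "tcp_refused"}
    except OSError as exc:  # timeouts, no route, name resolution failures
        return {"stage": "tcp_failed", "reason": str(exc)}
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {"stage": "tls_ok", "protocol": tls.version(),
                    "not_after": cert.get("notAfter"), "subject": cert.get("subject")}
    except ssl.SSLCertVerificationError as exc:
        # chain / hostname problems surface here, with OpenSSL's own reason text
        return {"stage": "tls_failed", "reason": "chain validation: " + exc.verify_message}
    except OSError as exc:  # ssl.SSLError is an OSError subclass; covers "wrong version number" etc.
        return {"stage": "tls_failed", "reason": str(exc)}
    finally:
        sock.close()


def _closed_local_port():
    """Reserve and release an ephemeral loopback port so nothing listens on it (demo only)."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def _plaintext_listener():
    """Loopback listener that speaks no TLS: stands in for a port that is open but not
    offering LDAPS (demo only, constructed for this example)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        try:
            conn, _ = srv.accept()
            conn.sendall(b"this is not a TLS server\r\n")
            conn.close()
        finally:
            srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def run_offline_demo():
    """Exercise the two failure stages locally: returns (stage on a closed port, stage on a non-TLS port)."""
    refused = probe_ldaps("127.0.0.1", _closed_local_port())["stage"]
    plain = probe_ldaps("127.0.0.1", _plaintext_listener())["stage"]
    return refused, plain


if __name__ == "__main__":
    print(run_offline_demo())
    # Against a real DC, using the exported CA chain (placeholder file name):
    # print(probe_ldaps("ad01dc01.ad1.lab", 636, cafile="ad1-lab-ca-chain.pem"))
```

Run it once with `cafile` pointing at the same CA chain you uploaded to vCenter and once with `cafile=None`: if the first returns `tls_failed` with a chain-validation reason while the second does not (or vice versa), the problem is in the certificate material rather than in reachability, which is the distinction the "Can't contact LDAP server" message hides.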
Was struggling with this as well. For my issue, the solution was to export the certificates from the DCs in Base-64 format instead of DER format (both formats export as a .CER file).
Then I could specify those certificates, without error, as certificates for the LDAPS connection to domain controllers.
Also, just for info, I tested and you need to specify FQDN for the DCs, and not just the IP address.
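Because both export options produce a .CER file, the format of the file is not visible from its name. The following is an added example, not from the thread or from VMware, that tells the two apart and converts a DER export to the Base-64 (PEM) form before it is handed to vCenter. The sample DER bytes are a constructed ASN.1 SEQUENCE used only to show the conversion; they are not a real certificate.

```python
import base64
import textwrap

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"
_LEADING_JUNK = b"\xef\xbb\xbf \t\r\n"  # UTF-8 BOM and whitespace some editors prepend


def detect_format(data: bytes) -> str:
    """'PEM' if the payload carries the Base-64 armour, 'DER' if it begins with an ASN.1
    SEQUENCE tag (0x30, the outer tag of every X.509 certificate), else 'unknown'."""
    stripped = data.lstrip(_LEADING_JUNK)
    if stripped.startswith(b"-----BEGIN"):
        return "PEM"
    if stripped[:1] == b"\x30":
        return "DER"
    return "unknown"


def der_to_pem(der: bytes) -> str:
    """Base-64 encode the DER bytes in 64-column lines between the standard armour lines."""
    body = base64.b64encode(der).decode("ascii")
    return "\n".join([PEM_HEADER, *textwrap.wrap(body, 64), PEM_FOOTER]) + "\n"


def pem_to_der(pem: str) -> bytes:
    """Inverse of der_to_pem; tolerates CRLF line endings from Windows exports."""
    lines = [ln.strip() for ln in pem.splitlines() if ln.strip() and not ln.startswith("-----")]
    return base64.b64decode("".join(lines), validate=True)


def ensure_pem(data: bytes) -> str:
    """Return the certificate in PEM form whatever the export format was."""
    fmt = detect_format(data)
    if fmt == "PEM":
        return data.lstrip(_LEADING_JUNK).decode("ascii")
    if fmt == "DER":
        return der_to_pem(data)
    raise ValueError("payload is neither PEM nor DER")


def convert_file(src: str, dst: str) -> str:
    """Read a .cer export, write its PEM form, and return the format that was detected."""
    with open(src, "rb") as fh:
        data = fh.read()
    with open(dst, "w", encoding="ascii") as fh:
        fh.write(ensure_pem(data))
    return detect_format(data)


# Constructed stand-in for a DER export: SEQUENCE { INTEGER 5 }. Not a real certificate.
SAMPLE_DER = bytes.fromhex("3003020105")

if __name__ == "__main__":
    print(detect_format(SAMPLE_DER))
    print(ensure_pem(SAMPLE_DER))
```

The same check is worth applying to the root and intermediate CA files: a chain whose members are a mix of DER and PEM will be rejected in exactly the same way as a single DER file.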
I'm not sure this will help but these guys had the same error message - Migrate from Active Directory Integrated Windows Authentication VMware vSphere 7.0 – TheSleepyAdmins
Thanks for your suggestions. The certs I was using were in Base-64 format and I always use the FQDN as well, so unfortunately neither of those is the issue in this case.
I took a look at the link you provided and I didn't see anything there that mentioned the error I am seeing. Are you sure this was the correct link?
Do you have any identity source created already using AD Integrated Windows Authentication? Or is this the first one you are trying to create using LDAPS? If you have an IWA type identity source already, then try to remove that and add an LDAPS based Identity Source.
No, there has never been any IWA identity source configured. This is vSphere 8 so IWA is supposed to be deprecated in theory...
I can still see that option in the lab. Anyway, you can check this log file for detailed information
Thanks for the log location. I did a quick test again and then checked the log you mentioned to see what was there. I copied the stuff at the end of the logs into the attached file that shows the errors being reported. Pretty much as shown in the GUI it seems to just indicate that it can't contact the LDAP server.
The only thing I noticed beyond that was an error relating to validating the expiration date of the certificate for the LDAP server I used. I'm not sure why it would have any issues with that though. The server's LDAP cert is issued by a CA that the vCenter server trusts and the expiration date on the server's cert is 3/18/2053, so it's clearly not expired. The Root CA's expiration date is 3/5/2063 and the issuing intermediate CA's expiration is 3/5/2058, so they are not expired either.
Maybe you can find something in the log that I am missing...
Could you please also check this log for related info
I am seeing two errors
1. Java exception, unparseable date. Not sure if this is a contributing factor to this issue; in that case a code fix might be needed, and only VMware can help here.
2023-06-06T02:13:13.851Z ERROR ssoAdminServer[141:pool-2-thread-6] [OpId=lgph43x9-1041449-auto-mbl8-h5:70238925] [com.vmware.identity.interop.ldap.OpenLdapClientLibrary] Error when trying to parse validity date
java.text.ParseException: Unparseable date: "20530319022108Z"
2. After the above exception, I can still see the process goes on and failed with following error
2023-06-06T02:13:13.868Z WARN ssoAdminServer[141:pool-2-thread-6] [OpId=lgph43x9-1041449-auto-mbl8-h5:70238925] [com.vmware.identity.interop.ldap.LdapErrorChecker] Error received by LDAP client: com.vmware.identity.interop.ldap.OpenLdapClientLibrary, error code: -1
2023-06-06T02:13:13.868Z WARN ssoAdminServer[141:pool-2-thread-6] [OpId=lgph43x9-1041449-auto-mbl8-h5:70238925] [com.vmware.identity.idm.server.ServerUtils] cannot bind connection: [ldaps://ad01dc01.ad1.lab:3269, firstname.lastname@example.org]
2023-06-06T02:13:13.869Z ERROR ssoAdminServer[141:pool-2-thread-6] [OpId=lgph43x9-1041449-auto-mbl8-h5:70238925] [com.vmware.identity.idm.server.ServerUtils] cannot establish ldap connection with URI: [ldaps://ad01dc01.ad1.lab:3269] because [com.vmware.identity.interop.ldap.ServerDownLdapException] with reason [Can't contact LDAP server] therefore will try to attempt to use secondary URIs, if applicable
It looks like a connectivity issue but you have already confirmed no firewall in place and the same machine with ldap works fine. Since it is not working for ldaps connection might be something due to the certs but could not derive anything.
Let's check vmware-identity-sts.log to see if we get any messages there.
Can you run nc command on VCSA and check if the connections are fine on ports related to ldaps, just to double check.
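The date the parser choked on, "20530319022108Z", is a 15-character value, and X.509 (RFC 5280 section 4.1.2.5) requires validity dates from 2050 onward to be encoded as GeneralizedTime (YYYYMMDDHHMMSSZ) rather than the 13-character UTCTime (YYMMDDHHMMSSZ) used for earlier dates. A parser that only expects the two-digit-year form will fail on any certificate whose notAfter is past 2049, which matches the 2053 expiry quoted earlier in the thread. The following is an added example, not from the thread or from VMware, that parses both encodings correctly, shows that a UTCTime-only pattern rejects the value, and scans the log lines quoted above for the three signals a reviewer would pull out (the unparseable date, the LDAP client error code, and the URI that failed). The sample log is a constructed excerpt built from the lines posted in the thread, not a complete log file.

```python
import re
from datetime import datetime, timezone

# Constructed excerpt assembled from the log lines quoted in the thread.
SAMPLE_LOG = """\
2023-06-06T02:13:13.851Z ERROR ssoAdminServer[141:pool-2-thread-6] [OpId=lgph43x9-1041449-auto-mbl8-h5:70238925] [com.vmware.identity.interop.ldap.OpenLdapClientLibrary] Error when trying to parse validity date
java.text.ParseException: Unparseable date: "20530319022108Z"
2023-06-06T02:13:13.868Z WARN ssoAdminServer[141:pool-2-thread-6] [OpId=lgph43x9-1041449-auto-mbl8-h5:70238925] [com.vmware.identity.interop.ldap.LdapErrorChecker] Error received by LDAP client: com.vmware.identity.interop.ldap.OpenLdapClientLibrary, error code: -1
2023-06-06T02:13:13.868Z WARN ssoAdminServer[141:pool-2-thread-6] [OpId=lgph43x9-1041449-auto-mbl8-h5:70238925] [com.vmware.identity.idm.server.ServerUtils] cannot bind connection: [ldaps://ad01dc01.ad1.lab:3269, firstname.lastname@example.org]
2023-06-06T02:13:13.869Z ERROR ssoAdminServer[141:pool-2-thread-6] [OpId=lgph43x9-1041449-auto-mbl8-h5:70238925] [com.vmware.identity.idm.server.ServerUtils] cannot establish ldap connection with URI: [ldaps://ad01dc01.ad1.lab:3269] because [com.vmware.identity.interop.ldap.ServerDownLdapException] with reason [Can't contact LDAP server] therefore will try to attempt to use secondary URIs, if applicable
"""

UTCTIME = re.compile(r"^(\d{2})(\d{10})Z$")          # YYMMDDHHMMSSZ, years 1950-2049
GENTIME = re.compile(r"^(\d{4})(\d{10})Z$")          # YYYYMMDDHHMMSSZ, required from 2050 on
UNPARSEABLE = re.compile(r'Unparseable date: "([^"]+)"')
ERRCODE = re.compile(r"error code: (-?\d+)")
FAILED_URI = re.compile(r"cannot establish ldap connection with URI: \[([^\]]+)\]")


def x509_time_encoding(value: str):
    """Name the ASN.1 time encoding a validity string uses, or None if it is neither."""
    if UTCTIME.match(value):
        return "UTCTime"
    if GENTIME.match(value):
        return "GeneralizedTime"
    return None


def parse_x509_time(value: str) -> datetime:
    """Parse a validity time in either encoding. UTCTime years follow RFC 5280:
    YY >= 50 means 19YY, otherwise 20YY."""
    m = UTCTIME.match(value)
    if m:
        yy = int(m.group(1))
        year = 1900 + yy if yy >= 50 else 2000 + yy
        rest = m.group(2)
    else:
        m = GENTIME.match(value)
        if not m:
            raise ValueError(f"not a UTCTime or GeneralizedTime value: {value!r}")
        year, rest = int(m.group(1)), m.group(2)
    month, day, hour, minute, second = (int(rest[i:i + 2]) for i in range(0, 10, 2))
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def utctime_only_parse(value: str):
    """A parser that only knows the two-digit-year shape; returns None where it fails.
    This models the failure mode, not VMware's actual parser, whose pattern is not on the page."""
    try:
        return datetime.strptime(value, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None


def required_encoding(when: datetime) -> str:
    """Encoding RFC 5280 mandates for a validity date."""
    return "UTCTime" if when.year <= 2049 else "GeneralizedTime"


def diagnose_log(text: str) -> dict:
    """Pull the unparseable dates, LDAP client error codes and failed URIs out of log text."""
    dates = UNPARSEABLE.findall(text)
    return {
        "unparseable_dates": [(d, x509_time_encoding(d)) for d in dates],
        "dates_beyond_2049": [d for d in dates
                              if x509_time_encoding(d) and parse_x509_time(d).year > 2049],
        "ldap_error_codes": [int(c) for c in ERRCODE.findall(text)],
        "failed_uris": FAILED_URI.findall(text),
    }


if __name__ == "__main__":
    print(diagnose_log(SAMPLE_LOG))
    print(parse_x509_time("20530319022108Z"), utctime_only_parse("20530319022108Z"))
```

Running `diagnose_log` over the real log file (rather than the excerpt) tells you quickly whether every failed URI is preceded by the same parse exception; if it is, the practical check on the AD side is whether the DC and CA certificates were issued with validity periods ending after 2049, since that alone changes the on-the-wire encoding of notAfter.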