Schaedle
Enthusiast

unsigned ldap requests from vCenter

Hi @all,

I already found some threads about the Microsoft changes from LDAP to LDAPS, but they have not helped me yet.

Our vCenter is joined to our AD. At the identity sources I have configured the root domain of the forest with "Active Directory (Integrated Windows Authentication)".

When I now look at the LDAP logs of the AD domain controller, I see that the machine account of the vCenter makes unsigned connections.

On my test vCenter I set up an LDAPS connection instead of the "Active Directory (Integrated Windows Authentication)", but the behavior is the same.

How can I change them to signed ones?

Regards Wolfgang


Accepted Solutions
Alex_Romeo
Leadership

Hi,

Have you seen these official press releases from VMware and Microsoft?

VMware:

VMware vSphere & Microsoft LDAP Channel Binding & Signing (ADV190023) - VMware vSphere Blog

Microsoft:

https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirem...

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190023

However, there is still time, because the change will be active in the second half of 2020:

"A further future monthly update, anticipated for release the second half of calendar year 2020, will enable LDAP signing and channel binding on domain controllers configured with default values for those settings."

------

Post:

vCenter LDAP binding and signing

ARomeo

Blog: https://www.aleadmin.it/

Schaedle
Enthusiast

Hi AlessandroRomeo68,

Thanks for your reply. If I understood it right, our config should not be affected:

VMware-identity source.jpg

Thanks and best regards

Wolfgang

Alex_Romeo
Leadership

Great! From the image I see it is correct.

ARomeo

Blog: https://www.aleadmin.it/
nebb2k8
Enthusiast

Hi

I am also using Windows Integrated Authentication, but I still see plain-text unsigned bind requests, which makes me not believe VMware's article.

Any thoughts?

Thanks

pastedImage_1.png

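Domain controllers record binds of the kind discussed in this thread as event ID 2889 in the Directory Service log, and the event's binding type separates a SASL bind without signing from a simple bind over a cleartext connection. The PowerShell below is an added example, not code from the thread or from VMware or Microsoft; it assumes it runs on the domain controller with LDAP interface diagnostic logging already enabled, and the 24-hour window is an arbitrary choice.

```powershell
# Added example: summarize event 2889 (unsigned or cleartext LDAP binds)
# by client, account and bind type. Run on the domain controller.
# Prerequisite (assumed already set): NTDS diagnostics value
# "16 LDAP Interface Events" = 2, otherwise 2889 is not logged per bind.
$Hours = 24   # look-back window, arbitrary choice for this example

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Directory Service'
    Id        = 2889
    StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Event 2889 properties: [0] client "IP:port", [1] identity, [2] binding type
    $client = [string]$e.Properties[0].Value
    $idx    = $client.LastIndexOf(':')
    $ip     = if ($idx -gt 0) { $client.Substring(0, $idx) } else { $client }

    $bind = switch ([int]$e.Properties[2].Value) {
        0       { 'SASL bind without signing' }
        1       { 'Simple bind over cleartext' }
        default { "Unknown ($($e.Properties[2].Value))" }
    }

    [pscustomobject]@{
        ClientIP = $ip
        Identity = [string]$e.Properties[1].Value
        BindType = $bind
    }
}

if (-not $rows) {
    "No event 2889 entries in the last $Hours hours."
    return
}

# One line per distinct client/account/bind type, busiest first
$rows | Group-Object ClientIP, Identity, BindType |
    Sort-Object Count -Descending |
    ForEach-Object {
        [pscustomobject]@{
            Count    = $_.Count
            ClientIP = $_.Group[0].ClientIP
            Identity = $_.Group[0].Identity
            BindType = $_.Group[0].BindType
        }
    } | Format-Table -AutoSize
```

Filtering the output on the vCenter's IP address shows which account is binding and whether the entries are unsigned SASL binds or simple binds, which call for different fixes on the client side.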