VMware Cloud Community
MASTEP8328234
Contributor

Adding Identity Source fails LDAP/LDAPS

Topic Name : Active Directory LDAP Server Identity Source Settings

Product/Version : VMware vSphere/6.7 Appliance

Question :

I want to add a new identity source with LDAPS to our Active Directory server, but everything I tried failed.

At the moment we use the Windows integrated Active Directory setting for the same Windows domain.

A check with curl to the needed IPs and ports from the appliance (SSH, root user) was OK.

I get this error: Check the network settings and make sure you have network access to the identity source.

Also, the ports are open and the firewall settings on Windows were OK. ldp.exe is running on Windows with port 636, and I can access and bind with a user account.

Can someone help?

Greets Marko

Nawals
Expert

For adding a new identity source, make sure you use administrator@vsphere.local.

NKS Please Mark Helpful/correct if my answer resolve your query.
MASTEP8328234
Contributor

Yes, sure, I used the local vSphere administrator account.

Greets Marko

Nawals
Expert

For Active Directory multi-domain controller deployments, the port is typically 3268 for LDAP and 3269 for LDAPS. Can you check whether you are using the correct port?

MASTEP8328234
Contributor

OK, I tried with 3269, but I get the same error message.

Greets Marko

berndweyand
Expert

Can you check with a single DC on port 389 or 636? If that works, you have problems with the global catalog.

MASTEP8328234
Contributor

Hello bewe,

I also tried ports 389 and 636, but it fails with the mentioned error.

Greets Marko

berndweyand
Expert

SSH into the VCSA and try:

nc -vz <domainname> 3268

or

nc -vz <domaincontroller> 636

and see if the ports can connect from the VCSA.
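As an added example (not from this thread or from VMware), here is a Python version of the connectivity check berndweyand describes: it runs the same TCP test as nc -vz for the four AD ports named in the thread and, on the LDAPS ports, also completes a TLS handshake to confirm the domain controller certificate is trusted by the appliance's CA store (or by a cafile you pass). The host name and cafile path you supply are assumptions; nothing here is specific to any real DC.

```python
import socket
import ssl

# AD ports named in the thread: a single domain controller serves LDAP/LDAPS
# on 389/636; the Global Catalog (multi-domain forests) on 3268/3269.
AD_PORTS = {
    389: ("LDAP", False),
    636: ("LDAPS", True),
    3268: ("Global Catalog LDAP", False),
    3269: ("Global Catalog LDAPS", True),
}

def tcp_connect(host, port, timeout=3.0):
    """True if a TCP handshake to host:port completes (what nc -vz tests)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def tls_probe(host, port, cafile=None, timeout=3.0):
    """Complete a TLS handshake on an LDAPS port and check that the server
    certificate chains to a trusted CA. Returns (trusted, detail)."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                subject = dict(x[0] for x in tls.getpeercert()["subject"])
                return True, "%s, CN=%s" % (tls.version(), subject.get("commonName"))
    except ssl.SSLCertVerificationError as exc:
        return False, "certificate not trusted: " + exc.verify_message
    except (ssl.SSLError, OSError) as exc:
        return False, str(exc)

def probe_identity_source(host, ports=AD_PORTS, cafile=None, timeout=3.0):
    """Check every port; returns {port: (name, reachable, tls_detail)}."""
    results = {}
    for port, (name, uses_tls) in ports.items():
        reachable = tcp_connect(host, port, timeout)
        tls_detail = tls_probe(host, port, cafile, timeout) if reachable and uses_tls else None
        results[port] = (name, reachable, tls_detail)
    return results

def local_listener():
    """Open a listening socket on an ephemeral loopback port (offline self-check only)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]
```

Run it from the appliance shell as probe_identity_source("dc01.example.local") (a constructed placeholder name); a port that is reachable but returns "certificate not trusted" points at the DC certificate rather than the network.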

MASTEP8328234
Contributor

Yes, I can connect. Not with port 3288, but with 636.

Greets Marko

berndweyand
Expert

OK, then you have problems connecting to the global catalog.

You can check this also with ldp.exe, with the domain or subdomain name and port 3268/9.

MASTEP8328234
Contributor

Ah... not 3288... my mistake...

All ports are working as expected.

Greets Marko

MASTEP8328234
Contributor

Picture is not loading.

I can connect to port 3268. No problem with the global catalog.

Greets Marko

berndweyand
Expert

Then please try to add the source again and watch /var/log/vmware/sso/ssoAdminServer.log for errors.

MASTEP8328234
Contributor

OK, tried, but there is no entry in the log file.

Greets Marko

berndweyand
Expert

Is your VCSA a domain member?

Is the name of the SSO domain different from the AD domain name?

Please check the NTP settings on AD and VCSA.

Please check DNS and reverse lookup for AD and VCSA.

MASTEP8328234
Contributor

Hello bewe,

The VCSA is a domain member.

SSO domain and AD domain are the same.

NTP settings:

Thu May 14 13:02:49 UTC 2020 vcsa

Donnerstag, 14. Mai 2020 15:02:44 windows dc

DNS settings seem to be correct; I can resolve IPs.

Greets Marko

berndweyand
Expert

SSO domain and AD domain should not be the same; that seems to be your problem.

Just to clarify: your VCSA is a domain member and has a name like vcsa.domain.local.

In the VAMI of the appliance, in the summary tab, you see the single sign-on domain on the right side; this should be different from your AD domain.

MASTEP8328234
Contributor

Ah yes... it's a domain member.

We used Windows integrated Active Directory.

The SSO domain at the moment is vsphere.local.

So I have to remove the AD integration before I can add the SSO to the same domain?

Uhmm, why so complicated?

Greets Marko
berndweyand
Expert

OK, that's correct; there you haven't made a mistake.

No: if you want to change from Integrated Windows Authentication to LDAP, you only have to remove the authentication source first; two entries for the same domain are not allowed.

The VCSA remains a domain member; just remove the authentication source and add it as LDAP type.

Be sure to use the administrator@vsphere.local account for this action.

CBaezLe
Contributor

@berndweyand thank you, mate.

We've been working on this for a while now; after removing the Integrated Windows Authentication identity source, the new LDAPS identity source was completed.

Best regards!
