Friday, November 9, 2012

vCSA 5.1 SSO LDAP issues

Working with the vSphere vCenter Server Appliance 5.1 (build 880472, the "a" edition) I could not get plain LDAP (ldap:// on 389, not LDAPS) to work as a Single Sign On identity source against Active Directory. Not with Anonymous, not with username/password, not with Reuse Session. Anonymous was simply broken, but that appears to be by design with current AD and is not recommended (by anyone, anywhere, although if you search for it you can find out how to enable it).
The error message is [LDAP: error code 8 - 00002028: LdapErr: DSID-0C0901FC, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v1db1]. In plain English: the domain controller is enforcing LDAP signing, a simple bind over an unencrypted port 389 connection cannot be signed, so the DC rejects the bind with strongerAuthRequired (LDAP result code 8, Windows error 0x2028).
VMware says "Hey crazy! Get your SSL certs in order!" (Drink the kb here).
I said "That's great VMware, what are my other options?" Turns out I answered my own question year(s) ago!  (Old Koolaid here)

That's right, just turn off the signing requirement on the domain controllers, in the GPO that applies to them (normally the Default Domain Controllers Policy):
Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options > Domain controller: LDAP server signing requirements. Possible values are None, Require signing, and Not Defined (which behaves the same as None). Change it to None and let the DCs pick up the policy.

Not as secure: with the setting at None, the SSO service account's password crosses port 389 in clear text on every bind, and the change applies to every DC the GPO covers, not just the one the appliance talks to. But it let me import my users/groups into the new appliance (luckily I had a backup) without making other changes (create a cert template, export it, and so on) that my local domain admins didn't want to do on a Friday afternoon.
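To see which way a DC is currently configured, and to reproduce the failing bind outside the appliance, here is an added PowerShell example (mine, not VMware's and not from the original post). It assumes a domain-joined Windows box with admin rights on the DC; dc01.example.com, the service account DN and the password are placeholders you replace.

```powershell
# Added example (not from the original post): read the DC-side LDAP signing setting and
# attempt the same plain simple bind on tcp/389 that the vCSA SSO wizard performs.
# Assumptions: domain-joined Windows host, admin rights on the DC for the registry read,
# System.DirectoryServices.Protocols available (ships with .NET on Windows).

# The GPO "Domain controller: LDAP server signing requirements" is stored on each DC at
# HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\LDAPServerIntegrity:
#   1 (or missing) = None            -> unsigned simple binds on 389 are accepted (the weak setting)
#   2              = Require signing -> unsigned simple binds fail with LDAP error 8 (the secure setting)
function Get-LdapServerSigning {
    param([Parameter(Mandatory)][string]$DomainController)
    Invoke-Command -ComputerName $DomainController -ScriptBlock {
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
        $val = (Get-ItemProperty -Path $key -Name LDAPServerIntegrity -ErrorAction SilentlyContinue).LDAPServerIntegrity
        if ($val -eq 2) { 'Require signing' } else { 'None' }
    }
}

# Perform exactly what the appliance does: LDAPv3 simple bind, no TLS, no signing, no sealing.
function Test-PlainLdapBind {
    param(
        [Parameter(Mandatory)][string]$DomainController,
        [Parameter(Mandatory)][string]$UserDn,      # e.g. CN=svc-sso,CN=Users,DC=example,DC=com
        [Parameter(Mandatory)][string]$Password
    )
    Add-Type -AssemblyName System.DirectoryServices.Protocols
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($DomainController, 389)
    $cred = New-Object System.Net.NetworkCredential($UserDn, $Password)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id, $cred)
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic   # simple bind
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.SessionOptions.Signing = $false
    $conn.SessionOptions.Sealing = $false
    try {
        $conn.Bind()
        # Success means the DC allows unsigned binds: the password just crossed the wire in clear text.
        'Bind OK: DC accepts unsigned simple binds on 389 (LDAP server signing = None)'
    } catch {
        $ex = $_.Exception
        # LdapException.ErrorCode carries the LDAP result code; 8 = strongerAuthRequired,
        # the same "error code 8 - 00002028" the SSO wizard shows.
        if ($ex.PSObject.Properties['ErrorCode'] -and $ex.ErrorCode -eq 8) {
            'LDAP error 8 (strongerAuthRequired): DC requires signing or TLS. Use ldaps://<dc>:636 or relax the GPO.'
        } else {
            "Bind failed: $($ex.Message)"
        }
    } finally {
        $conn.Dispose()
    }
}

# Usage with placeholder values:
Get-LdapServerSigning -DomainController 'dc01.example.com'
Test-PlainLdapBind -DomainController 'dc01.example.com' `
    -UserDn 'CN=svc-sso,CN=Users,DC=example,DC=com' -Password 'replace-me'
```

Run the bind test before and after the GPO change (and after gpupdate on the DC) to confirm which setting is actually in effect; a "Bind OK" result is also your reminder that the appliance's credentials are now visible to anyone sniffing that segment.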

See the updated secret SSO cert handshake post for the secure settings that worked for me.

Settings from the screenshot for plain (insecure) LDAP:
Server URL: ldap://<fqdn of an active directory server>:389
Domain: full domain name
Authentication: Reuse Session

The default "Users" container is a CN, not an OU, so its Base DN looks like CN=Users,DC=<domain>,DC=<tld>. If you point at an OU in your domain instead, use OU=<name> in place of CN=Users. You can also skip the CN/OU part and search the whole domain by supplying just the DC components (DC=<domain>,DC=<tld>).
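Rather than guessing whether the thing you want is a CN or an OU, ask the directory. The following is an added PowerShell example (mine, not from the original post) that derives the Base DN strings for the SSO form from RootDSE and from the object's actual class; it assumes a domain-joined host, and the container names used at the bottom are placeholders.

```powershell
# Added example (not from the original post): build the Base DN for the SSO identity
# source by asking AD for the real distinguishedName instead of hand-typing CN= or OU=.
# Assumes a domain-joined Windows host that can reach a DC over LDAP.

# Escape the characters that have meaning inside an LDAP search filter (RFC 4515),
# so a container name containing ( ) * or \ cannot alter the query.
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    $sb = New-Object System.Text.StringBuilder
    foreach ($ch in $Value.ToCharArray()) {
        switch ($ch) {
            '\'  { [void]$sb.Append('\5c') }
            '*'  { [void]$sb.Append('\2a') }
            '('  { [void]$sb.Append('\28') }
            ')'  { [void]$sb.Append('\29') }
            ([char]0) { [void]$sb.Append('\00') }
            default { [void]$sb.Append($ch) }
        }
    }
    $sb.ToString()
}

function Get-SsoBaseDn {
    param(
        # Omit to search the whole domain: returns only the DC= components.
        [string]$ContainerName
    )
    # defaultNamingContext is the domain's own DN, e.g. DC=example,DC=com
    $domainDn = [string]([ADSI]'LDAP://RootDSE').defaultNamingContext
    if (-not $ContainerName) { return $domainDn }

    # Look one level under the domain for a container (CN=) or an OU (OU=) with that name.
    # The distinguishedName AD returns already carries the correct RDN attribute.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]"LDAP://$domainDn"
    $searcher.SearchScope = 'OneLevel'
    $safeName = ConvertTo-LdapFilterValue -Value $ContainerName
    $searcher.Filter = "(&(name=$safeName)(|(objectClass=container)(objectClass=organizationalUnit)))"
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    $hit = $searcher.FindOne()
    if (-not $hit) { throw "No container or OU named '$ContainerName' directly under $domainDn" }
    [string]$hit.Properties['distinguishedname'][0]
}

# Usage with placeholder names; in a domain example.com you would get, respectively:
#   DC=example,DC=com            (whole domain, no CN/OU)
#   CN=Users,DC=example,DC=com   (the default Users container is a CN)
#   OU=Staff,DC=example,DC=com   (a custom top-level OU comes back as OU=)
Get-SsoBaseDn
Get-SsoBaseDn -ContainerName 'Users'
Get-SsoBaseDn -ContainerName 'Staff'
```

Paste the returned string into the Base DN field for users and, separately, for groups; if you scope to a container, remember that users in OUs outside it will not be found by SSO.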

1 comment:

  1. The release notes for 5.1a have a LOT of known bugs with SSO. Read and proceed with 5.1a upgrade with caution.