Tuesday, November 20, 2012

vCSA SSO Secret Active Directory Handshake

The test connection button was working for me with "reuse session", but I was getting "LDAP: error code 8 - 00002028: LdapErr: DSID-0C0901FC, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection" and "Failed to serialize response" when I actually told it to use that configuration.

Error messages were in /var/log/vmware/sso/ssoAdminServer.log

vCSA settings working for me:

Primary server URL:
Base DN for users:
<Only the domain, no other DN/OUs> DC=ad,DC=company,DC=com
Domain name:
Base DN for groups:
<same as users>

Cert (*.cer) was created for me for the FQDN of the AD/GC server listed in Primary server URL.
(VMware KB pointing to MS KB)

Auth type:
Created a "service account" user to connect.

The client needs the full ad.company.com\user, not shorthand domain to get in.


  1. From the AD admin on how he created the cert that vCSA liked:

    to export a certificate to a CALLING host such as linux / unix / or macosx
    load the certificates mmc targeted for local machine
    select the store personal \ certificates
    select the actual certificate you want to export
    right click All Tasks / export
    -- step through the splash screen
    -- select DO NOT EXPORT PRIVATE KEY, click next
    -- select Base-64 encoded DER, click next
    -- enter a filename, be sure to set the location to someplace you can write, and find
    -- click next, review the summary, click finish
    -- email the exported SSL to the admin requesting the cert

  2. Watch for 5.1u1 shorthand domain bullshit. Check the vCenter 5.1u1 readme for more info.

  3. Added a 2012 DC into the mix (still 2008 AD schema) and started having massive timeouts. Changed ldaps://FQDN:636 (actual LDAPS port) to ldaps://FQDN:3269 (Global Catalog port), as per http://kb.vmware.com/kb/2038918
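The settings above and the three notes boil down to a handful of checks that can be run against an identity-source configuration before clicking the test button. The script below is an added example, not code from the original post or from VMware; it encodes those checks with the standard library only. The field names (`primary_server_url`, `base_dn_users`, and so on), the sample values, and the stand-in certificate body are assumptions that mirror the post, not real values from any environment. The certificate check tells a Base-64 encoded (PEM) export apart from a binary DER one, which is the wizard choice the AD admin's steps call out.

```python
"""Sanity checks for a vCSA SSO Active Directory identity source.

Added example, not code from the original post or from VMware. It encodes
the configuration the post arrived at by trial and error: ldaps:// rather
than plain ldap:// (the "LDAP: error code 8 - 00002028" message means the DC
refuses an unsigned, non-TLS simple bind), port 3269 (Global Catalog over
TLS) when 636 times out, a domain-only base DN, a fully domain-qualified
service account, and a certificate exported as Base-64 encoded DER (PEM),
not as a binary DER file. Field names and sample values are assumptions.
"""
from __future__ import annotations

import base64
import re
from urllib.parse import urlsplit

LDAPS_PORT = 636               # LDAPS against a single DC
GC_LDAPS_PORT = 3269           # Global Catalog over TLS (kb.vmware.com/kb/2038918)
PLAINTEXT_PORTS = {389, 3268}  # LDAP and GC without TLS


def check_server_url(url: str) -> list[str]:
    """Findings for the 'Primary server URL' field; an empty list means it looks right."""
    findings: list[str] = []
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme == "ldap":
        findings.append("ldap:// means a simple bind without TLS; a DC that requires "
                        "LDAP signing answers with error code 8 (00002028). Use ldaps://.")
    elif scheme != "ldaps":
        findings.append(f"unexpected scheme {scheme!r}; expected ldaps://")
    if "." not in (parts.hostname or ""):
        findings.append("host is not a FQDN; the server certificate is issued to the FQDN")
    port = parts.port
    if port is None:
        findings.append("no explicit port; use 636 (LDAPS) or 3269 (Global Catalog over TLS)")
    elif port in PLAINTEXT_PORTS:
        findings.append(f"port {port} is a non-TLS port; use 636 or 3269")
    elif port == LDAPS_PORT:
        findings.append("port 636 talks to a single DC; if binds time out after adding DCs, "
                        "try 3269 (Global Catalog) per kb.vmware.com/kb/2038918")
    elif port != GC_LDAPS_PORT:
        findings.append(f"port {port} is neither 636 nor 3269")
    return findings


# One RDN such as 'DC=company'. Splitting on ',' is fine for DC-only DNs, which
# never carry escaped commas.
_DN_COMPONENT = re.compile(r"^\s*(?P<attr>[A-Za-z][A-Za-z0-9-]*)\s*=\s*(?P<val>[^,]+?)\s*$")


def check_base_dn(dn: str) -> list[str]:
    """Base DN for users and groups: the domain root only (DC= components, no OU/CN)."""
    if not dn.strip():
        return ["base DN is empty"]
    findings: list[str] = []
    for comp in dn.split(","):
        m = _DN_COMPONENT.match(comp)
        if not m:
            findings.append(f"malformed DN component {comp.strip()!r}")
        elif m.group("attr").upper() != "DC":
            findings.append(f"{comp.strip()} scopes the search below the domain root; "
                            "the working config uses DC= components only")
    return findings


def check_service_account(user: str, domain_fqdn: str) -> list[str]:
    """The client needs ad.company.com\\user, not the NetBIOS shorthand AD\\user."""
    domain, sep, name = user.partition("\\")
    if not sep or not name:
        return [f"{user!r} is not in DOMAIN\\user form; use {domain_fqdn}\\<service account>"]
    if domain.lower() != domain_fqdn.lower():
        return [f"domain prefix {domain!r} is not the FQDN {domain_fqdn!r}; "
                "shorthand domain names are the 5.1u1 problem the post warns about"]
    return []


_PEM_BLOCK = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def cert_export_format(data: bytes) -> str:
    """Classify an exported .cer as 'pem' (Base-64 encoded DER, the wizard option the
    post needed), 'der' (binary), or 'unknown'."""
    m = _PEM_BLOCK.search(data)
    if m:
        try:
            der = base64.b64decode(m.group(1), validate=False)  # tolerates line breaks
        except ValueError:  # binascii.Error is a ValueError
            return "unknown"
        return "pem" if der[:1] == b"\x30" else "unknown"
    # A DER certificate is an ASN.1 SEQUENCE: tag byte 0x30 followed by a length.
    return "der" if data[:1] == b"\x30" else "unknown"


def audit(config: dict[str, str]) -> dict[str, list[str]]:
    """Run every check over an identity-source config; fields with no findings are omitted."""
    results = {
        "Primary server URL": check_server_url(config["primary_server_url"]),
        "Base DN for users": check_base_dn(config["base_dn_users"]),
        "Base DN for groups": check_base_dn(config["base_dn_groups"]),
        "Service account": check_service_account(config["username"], config["domain_name"]),
    }
    return {field: found for field, found in results.items() if found}


# Constructed sample mirroring the post's working configuration (assumed values).
SAMPLE_CONFIG = {
    "primary_server_url": "ldaps://dc1.ad.company.com:3269",
    "base_dn_users": "DC=ad,DC=company,DC=com",
    "base_dn_groups": "DC=ad,DC=company,DC=com",
    "domain_name": "ad.company.com",
    "username": "ad.company.com\\svc-vcsa",
}

# Constructed stand-in for an exported .cer: a tiny ASN.1 SEQUENCE, not a real certificate.
SAMPLE_PEM = b"-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG) or "config looks consistent with the post")
    print(cert_export_format(SAMPLE_PEM))
```

Feed `audit()` the values you are about to type into the identity-source dialog and point `cert_export_format()` at the bytes of the .cer the AD admin sent; a `der` result means the wizard's binary option was chosen and the file needs re-exporting as Base-64. The port-636 finding is informational: it only flags the configuration the post started with, not an error.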