---
The test connection button was working for me with "reuse session" but I was getting "LDAP: error code 8 - 00002028: LdapErr: DSID-0C0901FC, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection" and "Failed to serialize response" when I actually said to use that configuration.
Error messages were in /var/log/vmware/sso/ssoAdminServer.log
---
vCSA and working for me:
Primary server URL:
ldaps://FQDN:636
Base DN for users:
<Only the domain, no other DN/OUs> DC=ad,DC=company,DC=com
Domain name:
ad.company.com
Base DN for groups:
<same as users>
cert (*.cer) created for me from the FQDN AD/GC server listed in Primary server URL.
(VMware KB pointing to MS KB)
Auth type:
Password
Created a "service account" user to connect.
The client needs the full ad.company.com\user, not the shorthand domain, to get in.
From the AD admin on how he created the cert that vCSA liked:
---
To export a certificate to a CALLING host such as linux / unix / or macosx
load the certificates mmc targeted for local machine
select the store personal \ certificates
select the actual certificate you want to export
right click All Tasks / export
-- step through the splash screen
-- select DO NOT EXPORT PRIVATE KEY, click next
-- select base 64 encoder DER, click next
-- enter a filename, be sure to set the location to someplace you can write, and find
-- click next, review the summary, click finish
-- email the exported SSL to the admin requesting the cert
Watch for 5.1u1 shorthand domain bullshit. Check the vCenter 5.1u1 readme for more info.
---
Added a 2012 DC into the mix (still 2008 AD schema) and started having massive timeouts. Changed ldaps://FQDN:636 (actual LDAPS port) to ldaps://FQDN:3269 (Global Catalog port). As per http://kb.vmware.com/kb/2038918