LDAPS configuration with multiple domain controllers VMware VCSA – Ctrl-Alt-Insert.Com

This fix will be needed until you update to VCSA 6.7U1 or 6.5U2d, at which point you can specify domain-level URLs for the identity source.
Since Microsoft announced that LDAP will be deprecated (https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirement-for-windows), we have the task of updating our vCenters to use LDAPS.
The issues:

When you specify two domain controllers, instead of using the wizard's export you have to enter the certificates manually, and each domain controller's certificate chain has to be combined into one certificate file.
You cannot just specify the domain LDAPS URL and connect using the sub-CA certificates; the wizard requires you to put the root, sub-CA and host certificates into a single .cer file.

Log into your vCenter as [email protected]
Select Administration
Under Single Sign On, continue to Configuration
Select Identity Sources
Create a new identity source (select Active Directory as an LDAP Server)
Fill in the appropriate information for your domain
Select "Connect to specific domain controllers"

Specify both of your domain controllers in this format:

Primary server URL (ldaps://controller01.hllab.net:636)
Secondary server URL (ldaps://controller02.hllab.net:636)

Check "Protect LDAP communication using SSL certificate (LDAPS)"
Open MMC.exe from your desktop

Add the Certificates snap-in in MMC, connecting to your primary DC
Export the domain controller's certificate without the private key as a .cer file
Export the sub-CA certificate without the private key as a .cer file
Export the root CA certificate without the private key as a .cer file
Open Notepad and combine the certificates as shown below (domain controller certificate first, then sub-CA, then root CA).

-----BEGIN CERTIFICATE-----
<Domain controller cert string>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<Sub-CA string>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<Root CA string>
-----END CERTIFICATE-----
Save the new file as a .cer
Repeat the export and combine steps for the secondary domain controller
Import the combined certificate files in the identity source wizard
Select Next and Finish
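As an added example (not from the original post), the following PowerShell automates the export-and-combine steps when run on each domain controller: it finds the DC's own LDAPS certificate, lets Windows build its chain, and writes the DC certificate, sub-CA and root CA into one PEM-formatted .cer in the order shown above. The parameter names and the output path are assumptions.

```powershell
# Added example: build the combined .cer (DC cert + sub-CA + root CA, PEM encoded)
# that the vCenter LDAPS identity source expects. Run on the domain controller itself.
# $DcFqdn and $OutFile are assumed parameter names, not from the original post.
param(
    [Parameter(Mandatory = $true)][string]$DcFqdn,   # e.g. controller01.hllab.net
    [Parameter(Mandatory = $true)][string]$OutFile   # e.g. C:\temp\controller01-chain.cer
)

# Wrap a certificate's DER bytes as a Base64 PEM block, 64 characters per line.
function ConvertTo-PemBlock {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $b64   = [Convert]::ToBase64String($Cert.RawData)
    $lines = for ($i = 0; $i -lt $b64.Length; $i += 64) {
        $b64.Substring($i, [Math]::Min(64, $b64.Length - $i))
    }
    return "-----BEGIN CERTIFICATE-----`n" + ($lines -join "`n") + "`n-----END CERTIFICATE-----"
}

# The DC's LDAPS certificate: issued to the DC's FQDN, with a private key on this host.
# Adjust the filter if your template puts the name only in the SAN rather than the subject.
$leaf = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.Subject -like "*CN=$DcFqdn*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $leaf) { throw "No certificate for $DcFqdn with a private key in LocalMachine\My" }

# Let Windows walk the chain from the leaf up to the root. Revocation checking is
# skipped because only the certificate bodies are being exported here.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
if (-not $chain.Build($leaf)) {
    throw "Chain for $($leaf.Thumbprint) did not build: $($chain.ChainStatus.StatusInformation -join '; ')"
}
if ($chain.ChainElements.Count -lt 3) {
    Write-Warning "Chain has $($chain.ChainElements.Count) certificates; expected DC cert, sub-CA and root CA."
}

# ChainElements is ordered leaf -> intermediate(s) -> root, the same order the post shows.
# Write-Host goes to the console only, so $blocks receives just the PEM text.
$blocks = foreach ($el in $chain.ChainElements) {
    Write-Host ("Adding: {0}" -f $el.Certificate.Subject)
    ConvertTo-PemBlock -Cert $el.Certificate
}
Set-Content -Path $OutFile -Value ($blocks -join "`n") -Encoding Ascii
Write-Host "Wrote $($chain.ChainElements.Count) certificates to $OutFile"
```

Before importing, you can check the file against the live listener with `openssl s_client -connect controller01.hllab.net:636 -CAfile controller01-chain.cer` and confirm the verify result is 0.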

I will try to get more pictures later this evening.
