This workaround is only needed until you update to VCSA 6.7U1 or 6.5U2d; from those releases on you can specify domain-level URLs for the identity source instead of individual domain controllers.
Since Microsoft announced the 2020 LDAP channel binding and LDAP signing requirement for domain controllers (https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirement-for-windows), unsigned simple binds over plain LDAP on port 389 will be rejected once that hardening is enforced, so we have the task of updating our vCenters to use LDAPS.
When you connect to two specific domain controllers, the wizard's certificate export does not do the job; you have to supply the certificates manually, and each controller's certificate chain has to be combined into one file.
You cannot just point at the domain LDAPS URL and rely on the sub-CA (intermediate) certificate being trusted. The wizard wants a single .cer file per controller that contains the domain controller certificate, the sub-CA certificate and the root CA certificate (public certificates only, no private keys).
1. Log in to your vCenter as the SSO administrator (administrator@vsphere.local in a default install).
2. Under Single Sign On, go to Configuration.
3. Select Identity Sources.
4. Create a new identity source and select "Active Directory as an LDAP Server".
5. Fill in the appropriate information for your domain.
6. Select "Connect to specific domain controllers".
7. Specify both of your domain controllers in this format:
   Primary server URL: ldaps://controller01.hllab.net:636
   Secondary server URL: ldaps://controller02.hllab.net:636
8. Check "Protect LDAP communication using SSL certificate (LDAPS)".
9. Open MMC.exe from your desktop.
10. Add the Certificates snap-in (Computer account) and connect it to your primary domain controller.
11. Export the domain controller certificate without the private key as a Base-64 encoded .cer file (the DER binary option will not paste into Notepad).
12. Export the sub-CA certificate the same way, without the private key, as a Base-64 encoded .cer file.
13. Export the root CA certificate the same way, without the private key, as a Base-64 encoded .cer file.
14. Open Notepad and paste the three certificates one after another, domain controller certificate first, then the sub-CA, then the root, as shown below:
   -----BEGIN CERTIFICATE-----
   <domain controller certificate, Base-64>
   -----END CERTIFICATE-----
   -----BEGIN CERTIFICATE-----
   <sub-CA certificate, Base-64>
   -----END CERTIFICATE-----
   -----BEGIN CERTIFICATE-----
   <root CA certificate, Base-64>
   -----END CERTIFICATE-----
15. Save the combined file as a .cer.
16. Repeat steps 9 to 15 for the secondary domain controller (only the domain controller certificate changes; the sub-CA and root certificates are the same when both controllers were issued by the same CA).
17. Import the two combined certificates in the identity source wizard.
18. Select Next and Finish.
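If you would rather script the MMC export and Notepad concatenation above than click through it for every controller, the following PowerShell does the same thing: it finds the certificate the domain controller presents on 636, lets Windows build the chain, and writes domain controller cert, sub-CA and root into one Base-64 .cer in that order. This is an added example, not part of the original post or VMware's tooling. It assumes you run it in an elevated session on the domain controller itself, that the LDAPS certificate lives in the machine's personal store with the Server Authentication EKU and the controller's FQDN in its SAN, and the output path is an arbitrary choice.

```powershell
# Build one PEM bundle (DC cert + sub-CA + root) for the vCenter LDAPS identity source.
# Run in an elevated PowerShell session ON the domain controller.
# Assumptions (not from the original post): the LDAPS certificate is in
# Cert:\LocalMachine\My with the Server Authentication EKU (1.3.6.1.5.5.7.3.1)
# and the DC FQDN in its SAN; the output path is arbitrary.
param(
    [string]$DnsName = $env:COMPUTERNAME + '.' + $env:USERDNSDOMAIN,
    [string]$OutFile = "C:\Temp\$($env:COMPUTERNAME)-ldaps-chain.cer"
)

function ConvertTo-Pem {
    # Same thing the MMC "Base-64 encoded X.509" export produces: public cert only, no key.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $b64 = [Convert]::ToBase64String($Certificate.RawData,
        [System.Base64FormattingOptions]::InsertLineBreaks) -replace "`r`n", "`n"
    return "-----BEGIN CERTIFICATE-----`n$b64`n-----END CERTIFICATE-----"
}

# 1. Pick the certificate the DC presents on 636: server-auth EKU, private key present,
#    DC FQDN in the SAN; if several match, take the one that expires last.
$leaf = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1') -and
        ($_.DnsNameList.Unicode -contains $DnsName)
    } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $leaf) { throw "No server-authentication certificate for $DnsName in LocalMachine\My" }

# 2. Let Windows build the chain. ChainElements[0] is the leaf, the last element is the root.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if (-not $chain.Build($leaf)) {
    $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    throw "Chain build failed for thumbprint $($leaf.Thumbprint): $status"
}

# 3. Write DC cert, then sub-CA(s), then root: the order the combined .cer needs.
$pem = $chain.ChainElements | ForEach-Object { ConvertTo-Pem $_.Certificate }
Set-Content -Path $OutFile -Value ($pem -join "`n") -Encoding Ascii

# 4. Show subject/issuer so you can check that each issuer matches the next subject.
$chain.ChainElements | ForEach-Object {
    [pscustomobject]@{
        Subject  = $_.Certificate.Subject
        Issuer   = $_.Certificate.Issuer
        NotAfter = $_.Certificate.NotAfter
    }
} | Format-Table -AutoSize
Write-Host "Wrote $($chain.ChainElements.Count) certificates to $OutFile"
```

Run it once per controller (pass -DnsName if the DC's SAN does not match the computer name plus USERDNSDOMAIN) and import the resulting files in the wizard. Before you do, it is worth confirming the bundle actually validates the listener from a machine with OpenSSL: openssl s_client -connect controller01.hllab.net:636 -CAfile controller01-ldaps-chain.cer should end with "Verify return code: 0 (ok)"; if it reports an unknown issuer or an incomplete chain, the file is missing a certificate or has them in the wrong order.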
I will try to get more pictures later this evening.