Migrating vCenter SSO from IWA to LDAPS

For some time I’ve used Integrated Windows Authentication (IWA) for VMware vCenter single sign-on (SSO). But there are a few considerations that are driving me from IWA to LDAPS. First, IWA is deprecated starting in vSphere 7. Second, I want to leverage LDAPS rather than LDAP since it is more secure and especially since Microsoft is pushing the use of LDAP signing more aggressively. Here are the steps that I followed to migrate from IWA to LDAPS:

  1. I chose to leverage Active Directory Certificate Services (AD CS) rather than an external CA in order to benefit from autoenrollment. Install the AD CS server role on each Active Directory Domain Controller. This also installs the certificate management feature. I configured AD CS as follows:
    1. Credentials should be those of $DOMAIN\Administrator
    2. Configure only the Cert Authority role service
    3. Create an Enterprise CA rather than a Standalone CA
    4. Create a Root CA rather than a Subordinate CA
    5. Create a new private key rather than using an existing private key
    6. Use the RSA#Microsoft cryptographic provider
    7. Use a 4096-bit RSA key
    8. Use SHA256 hash algorithm
    9. Accept the default CN
    10. Set a 10 year validity period
    11. Use the default database and log location
  2. I found in one case that the Local Computer | Personal certificate was either immediately created for my AD server’s hostname, or else was created on demand when I attempted an LDAPS connection. In another case I had to reboot before the server certificate was autoenrolled. If this doesn’t work for you, you may wish to try using the ldifde command to create the LDAPS certificate. You can test for enrollment by either searching for the certificate in the Local Computer | Personal certificate store, or else by attempting to connect to LDAPS on port 636.
  3. Export the CA certs from the AD servers and convert them from CER format to PEM format for use with vCenter and any other LDAP clients:
    openssl x509 -inform der -in adns1.cer -out adns1.pem
  4. Using your Administrator@vsphere.local account, remove the IWA identity source and create a new identity source as follows. In this example I am joining the domain example.com and using an unprivileged service account I created for vCenter’s use. In my experience, my vCenter role and permission settings were preserved independently of changes to the identity source:
    1. Identity source type = Active Directory over LDAP
    2. Users = DC=example,DC=com
    3. Groups = DC=example,DC=com
    4. Domain = example.com
    5. Alias = EXAMPLE
    6. Username = vCenter LDAP service user
    7. Password = vCenter LDAP service account password
    8. Connect to = Specific domain controllers
    9. Specify one or two AD server URLs in the following format: ldaps://adnssmoonen1.example.com:636
    10. Upload all PEM files generated above for SSL certificates
  5. After ensuring that vCenter and any other LDAP clients (for example, HyTrust Cloud Control) are successfully leveraging LDAPS, configure the group policy as follows to enforce LDAP signing:
    Default Domain Controllers Policy :: Computer Configuration | Policies | Windows Settings | Security Settings | Local Policies | Security Options | Domain Controller: LDAP server signing requirements = Require signing
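The following script is an added example, not part of the original post, that turns the checks in steps 2 through 4 into something repeatable: it performs the same DER-to-PEM conversion as the openssl command in step 3, validates the ldaps:// URLs entered in step 4 (rejecting a plain ldap:// URL, which would silently undo the point of the migration), and connects to each domain controller on port 636 to confirm that the certificate it presents chains to the exported AD CS root, matches the hostname, and is not close to expiry. It uses only the Python standard library. The host names (adns1.example.com, adns2.example.com), the file name adns1.pem and the certificate bytes in the self-test are constructed for illustration.

```python
"""Added example (not the post's own code): pre-flight checks for an
LDAPS identity source, standard library only.

- cer_to_pem():          DER (.cer export) -> PEM, as in step 3.
- parse_ldaps_url():     validate the ldaps:// URLs from step 4.
- make_ldaps_context():  TLS settings that require a chain to the AD CS
                         root and a matching hostname.
- check_dc_certificate(): the port-636 enrollment test from step 2, with
                         issuer and expiry reported.
Host names, file names and the sample bytes below are constructed.
"""
import socket
import ssl
import time
from typing import Optional, Tuple
from urllib.parse import urlsplit

LDAPS_PORT = 636


def cer_to_pem(der_bytes: bytes) -> str:
    """Convert a DER-encoded .cer export to the PEM text vCenter expects."""
    return ssl.DER_cert_to_PEM_cert(der_bytes)


def parse_ldaps_url(url: str) -> Tuple[str, int]:
    """Return (host, port) for an ldaps:// URL; refuse anything that is not LDAPS."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "ldaps":
        raise ValueError(f"not an LDAPS URL: {url!r}")
    if not parts.hostname:
        raise ValueError(f"missing host in {url!r}")
    return parts.hostname, parts.port or LDAPS_PORT


def make_ldaps_context(ca_pem_path: Optional[str] = None) -> ssl.SSLContext:
    """TLS settings an LDAP client should use: verify the chain against the
    exported AD CS root (ca_pem_path), check the DC's hostname, TLS 1.2+."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_pem_path)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def days_until_expiry(not_after: str, now_epoch: Optional[float] = None) -> int:
    """Whole days left on a certificate, given the notAfter string from getpeercert()."""
    now = time.time() if now_epoch is None else now_epoch
    return int((ssl.cert_time_to_seconds(not_after) - now) // 86400)


def check_dc_certificate(url: str, ca_pem_path: str, timeout: float = 5.0) -> dict:
    """Connect to a domain controller over LDAPS and describe the certificate it
    presented. Raises ssl.SSLError if the chain or hostname does not verify,
    which is the same failure an LDAP client such as vCenter would hit."""
    host, port = parse_ldaps_url(url)
    ctx = make_ldaps_context(ca_pem_path)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            # Each RDN is a tuple of (name, value) pairs; take the first pair.
            return {
                "host": host,
                "protocol": tls.version(),
                "subject": dict(rdn[0] for rdn in cert["subject"]),
                "issuer": dict(rdn[0] for rdn in cert["issuer"]),
                "not_after": cert["notAfter"],
                "days_left": days_until_expiry(cert["notAfter"]),
            }


if __name__ == "__main__":
    # Constructed inputs: two DC URLs and the PEM produced from the CA export.
    for dc in ("ldaps://adns1.example.com:636", "ldaps://adns2.example.com"):
        try:
            print(check_dc_certificate(dc, "adns1.pem"))
        except (OSError, ssl.SSLError) as exc:
            print(f"{dc}: LDAPS check failed: {exc}")
```

Run it against each URL you intend to enter in the identity source, with the PEM bundle from step 3 as the CA file; a verification error here means the DC has not autoenrolled yet (step 2) or the wrong CA certificate was exported, and a small days_left value means the autoenrolled certificate is about to roll over and the identity source's trusted certificates may need updating.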
