Using LDAPS with vCenter and AD

Most companies that connect vCenter to Active Directory use Integrated Windows Authentication. At least, that's what I see. But both VMware and Microsoft have announced changes that affect the way you connect vCenter to AD.

VMware announced in the vSphere 7 release notes that Integrated Windows Authentication is deprecated. See this blog… So you can still use it, but if you are going to set up a new connection you had better start using LDAP (the "Active Directory over LDAP" identity source type).

And for that connection method, Microsoft has announced that it intends to enforce LDAP signing and channel binding on domain controllers, which in practice pushes the vCenter-to-AD connection to LDAPS: an LDAP identity source performs a simple bind with the service account, and over plain port 389 that bind sends the password in clear text, which is exactly what the hardening is meant to block. I think that they released an update that logs events when there is an unsafe (LDAP) connection, but it might be that in the future they are going to disable LDAP, leaving LDAPS as the only (secure) method of connecting vCenter to Active Directory. Well, that's not entirely true, because you can also use Identity Federation, but then you would also need ADFS. And in my home lab, I don't have ADFS.

With this in mind, I connected my vCenter to AD using LDAPS. So, what do you need?

  • A certificate for every Domain Controller that you connect to, with the DC's FQDN in the Subject Alternative Name (the name vCenter will put in the ldaps:// URL) and the Server Authentication extended key usage.

First I installed Active Directory Certificate Services. Then I used OpenSSL to create a certificate request file. The first step is to create a private key.

openssl genrsa -out key_filename.key 2048

This command generates a private key and stores that key in a file (key_filename.key). Then create the request file.

openssl req -new -key key_filename.key -out certificate_request.csr

This command uses the key file to create a certificate request. When you run it, it prompts you for the subject details (name, organization and so on). You can also put those in a configuration file, which has the added benefit that you can specify the Subject Alternative Name; the interactive prompts do not ask for it, and vCenter will not accept a DC certificate whose SAN does not match the host name it connects to. A configuration file looks like this:

[req]
default_bits = 2048
default_keyfile = dc.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
[v3_req]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:dc, DNS:dc.lab.local, IP:192.168.199.4
[req_distinguished_name]
countryName = NL
stateOrProvinceName = Noord-Holland
localityName = Purmerend
organizationName = LAB
organizationalUnitName = IT
commonName = dc.lab.local

The command must then be changed to use the configuration file. The option is -config (there is no -conf option in openssl req):

openssl req -new -key key_filename.key -out certificate_request.csr -config config.txt

You should now have a CSR file that you can use to request the certificate from your CA. Steps for this vary per CA, so I will skip these. When you receive your certificate, import it into the Personal store of the Local Computer on the Domain Controller and also save it as a file. Because the private key was generated with OpenSSL and never existed on the DC, the issued certificate on its own cannot be paired with a key in the Windows store: bundle the key and the certificate into a PKCS#12 (.pfx) file with openssl pkcs12 -export and import that, so the DC ends up with both the certificate and its private key.

Reboot the Domain Controller (or, to skip the reboot, force it to reload its certificate by writing the rootDSE attribute renewServerCertificate with value 1) and then try to make the connection from vCenter.

Choose Active Directory over LDAP as the identity source type, fill in the base DNs for users and groups, the domain name and the service account, and use ldaps://dc.lab.local:636 as the primary server URL. The host name in that URL must be one of the names in the certificate's Subject Alternative Name; an alias that is not in the SAN fails the TLS check. Then use the Browse button to browse to the saved certificate file of the DC, click Save, and your connection is now based on LDAPS.
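The whole OpenSSL side of the procedure above (key, CSR with SAN, PKCS#12 bundle for the DC, and a check of what the DC actually presents on port 636) as one shell script. This is an added example, not code from the original post. It assumes the names from the config above (dc, dc.lab.local, 192.168.199.4), that the CA returns the certificate as dc.lab.local.cer, that the CA's own certificate is saved as ca.pem, and that the script is called ldaps-dc.sh; the request config is a trimmed version of the one above (serverAuth is the only EKU LDAPS needs).

```shell
#!/bin/sh
# Added example (not from the original post): the OpenSSL side of the LDAPS
# setup, as reusable functions. Host names, the IP address and the file names
# are assumptions; adjust them for your DC.
set -eu

# write_req_config SHORTNAME FQDN IP OUTFILE
# Writes an openssl req config whose SAN lists every name a client might use
# in the ldaps:// URL; vCenter must use one of these names, not another alias.
write_req_config() {
    short=$1; fqdn=$2; ip=$3; out=$4
    cat > "$out" <<EOF
[req]
default_bits = 2048
distinguished_name = req_distinguished_name
prompt = no
req_extensions = v3_req
[v3_req]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$short, DNS:$fqdn, IP:$ip
[req_distinguished_name]
countryName = NL
organizationName = LAB
commonName = $fqdn
EOF
}

# make_csr FQDN CONFIG
# Generates FQDN.key and FQDN.csr with the config (note -config, not -conf)
# and prints the CSR path. Only the CSR goes to the CA; the key stays here.
make_csr() {
    fqdn=$1; cfg=$2
    openssl genrsa -out "$fqdn.key" 2048 2>/dev/null
    openssl req -new -key "$fqdn.key" -out "$fqdn.csr" -config "$cfg"
    printf '%s\n' "$fqdn.csr"
}

# csr_sans CSR
# Prints the SAN line of a CSR, to check it before submitting to the CA.
csr_sans() {
    openssl req -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# cert_has_san CERT NAME
# Succeeds if NAME (e.g. "DNS:dc.lab.local" or "IP Address:192.168.199.4")
# appears in the certificate's SAN extension. Check the issued certificate,
# not just the CSR: an ADCS template can rewrite extensions.
cert_has_san() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | grep -q -F "$2"
}

# bundle_pfx KEY CERT OUTPFX PASSWORD
# The key never existed on the DC, so the issued certificate alone cannot be
# paired with it there; import this PKCS#12 into the Local Computer Personal
# store instead (on the DC: certutil -p PASSWORD -importpfx OUTPFX).
bundle_pfx() {
    openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" -passout "pass:$4"
}

# fetch_ldaps_cert FQDN OUTPEM
# Saves the certificate the DC presents on 636 as PEM; this is the file to
# browse to in the vCenter identity source dialog.
fetch_ldaps_cert() {
    openssl s_client -connect "$1:636" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM -out "$2"
}

# check_ldaps FQDN CAFILE
# Verifies the chain against CAFILE and that the SAN covers FQDN: the two
# things that make vCenter reject the connection when they are wrong.
check_ldaps() {
    fqdn=$1; ca=$2
    out=$(openssl s_client -connect "$fqdn:636" -servername "$fqdn" -CAfile "$ca" </dev/null 2>/dev/null) || return 1
    printf '%s\n' "$out" | grep -q 'Verify return code: 0 (ok)' \
        || { echo "chain for $fqdn does not verify against $ca" >&2; return 1; }
    printf '%s\n' "$out" | openssl x509 -outform PEM -out "$fqdn.presented.pem"
    cert_has_san "$fqdn.presented.pem" "DNS:$fqdn" \
        || { echo "SAN of $fqdn does not contain DNS:$fqdn" >&2; return 1; }
    echo "LDAPS on $fqdn:636 looks good"
}

# Usage: ./ldaps-dc.sh csr            -> key + CSR for dc.lab.local
#        ./ldaps-dc.sh pfx PASSWORD   -> after the CA returned dc.lab.local.cer
#        ./ldaps-dc.sh check          -> after the DC has the certificate (needs ca.pem)
case "${1:-}" in
    csr)   write_req_config dc dc.lab.local 192.168.199.4 dc.cnf
           csr_sans "$(make_csr dc.lab.local dc.cnf)" ;;
    pfx)   bundle_pfx dc.lab.local.key dc.lab.local.cer dc.pfx "${2:?password}" ;;
    check) fetch_ldaps_cert dc.lab.local dc.lab.local.pem
           check_ldaps dc.lab.local ca.pem ;;
esac
```

The check step is worth running before touching vCenter: a verify return code other than 0 means vCenter will not trust the chain either, and a missing DNS entry in the SAN is the usual reason an ldaps:// URL that resolves fine still fails in the identity source dialog. Keep the .pfx password out of shell history and delete the .pfx once it is imported on the DC; it contains the DC's private key.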