ConfigMgr.nl

VMware, PowerShell, Automation, and more…

Using LDAPS with vCenter and AD

12 October 2020 | VMware

Most companies that connect vCenter to Active Directory are using Integrated Windows Authentication. At least, that’s what I see. But both VMware and Microsoft have announced changes that will alter the way you connect your vCenter to AD.

VMware announced in the vSphere 7 release notes that Integrated Windows Authentication is deprecated. See this blog… You can still use it, but if you are going to set up a new connection you had better start using LDAP.

And for that connection method to AD, Microsoft announced that they are going to force connections to LDAPS. I think that they released an update giving you events when there is an unsafe connection (LDAP), but it might be that in the future they are going to disable LDAP, leaving LDAPS as the only (secure) method of connecting vCenter to Active Directory. Well, that’s not entirely true, because you can also use Identity Federation, but then you would also need ADFS. And in my home lab, I don’t have ADFS.

With this in mind, I connected my vCenter to AD using LDAPS. So, what do you need?

  • A certificate for every Domain Controller that you connect to.

First I installed Active Directory Certificate Services. Then I used OpenSSL to create a certificate request file. The first step is to create a private key.

openssl genrsa -out key_filename.key 2048

This command generates a private key and stores that key in a file (key_filename.key). Then create the request file.

openssl req -new -key key_filename.key -out certificate_request.csr

This command uses the key file to create a certificate request. When you run the command it asks you to enter details for the certificate request such as name and company info. You can also use a configuration file for that. A configuration file looks like this:

[req]
default_bits = 2048
default_keyfile = dc.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
[v3_req]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:dc, DNS:dc.lab.local, IP:192.168.199.4
[req_distinguished_name]
countryName = NL
stateOrProvinceName = Noord-Holland
localityName = Purmerend
organizationName = LAB
organizationalUnitName = IT
commonName = dc.lab.local

The command must then be changed to use the configuration file.

openssl req -new -key key_filename.key -out certificate_request.csr -config config.txt

You should now have a CSR file that you can use to request the certificate from your CA. The steps for this vary per CA, so I will skip them. When you receive your certificate, import it into the Personal store of the Domain Controller and also save it as a file.

Reboot the Domain Controller and then try to make the connection from vCenter.

Fill in the details and use the Browse button to browse to the saved certificate file of the DC. Then click save and your connection is now based on LDAPS.
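The request steps above, as an added example that is not part of the original post: it writes the post's request configuration, generates the key and CSR the same way, and then checks the CSR before it goes to the CA, because a certificate without the DC's FQDN as a SAN or without the serverAuth EKU will be rejected by vCenter when it validates the LDAPS connection. The last function is the online check to run after the certificate is installed; the work directory, the helper names and the script structure are my own.

```shell
#!/bin/sh
# Added example (not the post's own code): write the request config shown in
# the post, generate the key and CSR, then check the CSR before sending it to the CA.
set -eu
WORKDIR="${WORKDIR:-$(mktemp -d)}"
CONF="$WORKDIR/config.txt"
KEY="$WORKDIR/key_filename.key"
CSR="$WORKDIR/certificate_request.csr"

write_req_config() {
  cat > "$CONF" <<'EOF'
[req]
default_bits = 2048
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
[v3_req]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:dc, DNS:dc.lab.local, IP:192.168.199.4
[req_distinguished_name]
countryName = NL
stateOrProvinceName = Noord-Holland
localityName = Purmerend
organizationName = LAB
organizationalUnitName = IT
commonName = dc.lab.local
EOF
}

# Same two commands as the post; -config (not -conf) is the real option name.
make_csr() {
  openssl genrsa -out "$KEY" 2048 2>/dev/null
  openssl req -new -key "$KEY" -out "$CSR" -config "$CONF"
}

# Succeeds when the CSR lists the given DNS name as a SAN (the name vCenter will connect to).
csr_has_dns_san() { openssl req -in "$CSR" -noout -text | grep -qE "DNS:$1(,|$)"; }

# Succeeds when the CSR asks for the serverAuth EKU that an LDAPS client expects.
csr_has_server_auth() { openssl req -in "$CSR" -noout -text | grep -q "TLS Web Server Authentication"; }

# Online check after the DC has its certificate: the subject and validity vCenter sees on 636.
show_ldaps_cert() {
  openssl s_client -connect "$1:636" -servername "$1" </dev/null 2>/dev/null |
    openssl x509 -noout -subject -dates
}
```

Run `write_req_config && make_csr && csr_has_dns_san dc.lab.local && csr_has_server_auth` before submitting the CSR; after the reboot, `show_ldaps_cert dc.lab.local` should print the subject you requested.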
