Once you are done with the installation of VMware vCenter 5.1, you will notice that the vSphere 5.1 client won't let you log in to your vCenter Server. You will either need to configure a local admin ID on your vCenter Server or, if you have Active Directory (AD) running in your environment, link it to your vCenter Server by configuring an identity source.
During the installation of vCenter Single Sign On 5.1, the installer tries to add the identity source, but in my case this resulted in an error (Error 29155. Identity source discovery error). I then found out that other users hit the same problem, and VMware has also documented it in their KB articles. The workaround given was to add the identity source manually. Doing so, I got the following errors:
[LDAP: error code 8 – 00002028: LdapErr: DSID-0C0901FC, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v1db1]
and
simple bind failed:yourdomain:636
These errors occur because your AD is configured to communicate only over an LDAPS (SSL) connection, so a plain LDAP bind is rejected. Hence, to register your identity source you will need the X.509 certificate of your AD domain controller (DC). Export the certificate from your DC, making sure you pick the Base-64 encoded X.509 format.
Once the certificate is imported, add the identity source again as demonstrated below.
Once you have chosen the certificate from the Choose Certificate tab, make sure you get the following confirmation. If you do not, there must be something wrong with your certificate.
You can click Test Connection to verify your AD connectivity.
If you still face problems adding the identity source, make sure of the following:
- vCenter Server, vSphere Client, vSphere Web Client, vCenter SSO, etc. must all be installed in the same default directories.
- Add port 3269 along with your FQDN.
- There must be proper forward and reverse DNS entries for your vCenter Server.
- Enter the complete user name for authentication, e.g. user@domain.com.
- If your domain controller is behind a firewall, make sure you have configured a policy to allow vCenter traffic.
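As an added diagnostic (my own script, not from the original post or from VMware), the following PowerShell run from the vCenter Server walks the checklist above: it confirms the export is Base-64, compares forward and reverse DNS for vCenter, probes the DC ports, and compares the certificate the DC actually presents on port 636 with the exported file. The host names and certificate path are placeholders you must replace.

```powershell
# Added diagnostic script; not part of the original post or of VMware's tooling.
# The three values below are assumptions: replace them with your own names and path.
$DcFqdn   = "dc01.yourdomain.com"        # domain controller named in the identity source
$VcFqdn   = "vcenter.yourdomain.com"     # vCenter Server FQDN (for the DNS check)
$CertPath = "C:\Temp\dc01-base64.cer"    # DC certificate exported from AD

# 1. The export must be Base-64 X.509 (PEM text), not the binary DER option.
$firstLine = Get-Content -Path $CertPath -TotalCount 1
if ($firstLine -ne "-----BEGIN CERTIFICATE-----") {
    Write-Warning "$CertPath is not Base-64 encoded. Re-export it, or convert with: certutil -encode <der.cer> <base64.cer>"
}
$exported = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
"Exported cert : $($exported.Subject) (expires $($exported.NotAfter), thumbprint $($exported.Thumbprint))"

# 2. Forward and reverse DNS for the vCenter Server must agree.
$ip  = ([System.Net.Dns]::GetHostAddresses($VcFqdn) | Select-Object -First 1).IPAddressToString
$ptr = [System.Net.Dns]::GetHostEntry($ip).HostName
if ($ptr -ne $VcFqdn) { Write-Warning "Reverse lookup of $ip gives '$ptr', expected '$VcFqdn'" }

# 3. The DC ports the identity source uses must be open from vCenter (LDAP, LDAPS, GC over SSL).
foreach ($port in 389, 636, 3269) {
    try   { (New-Object System.Net.Sockets.TcpClient($DcFqdn, $port)).Close(); "TCP $port : open" }
    catch { Write-Warning "TCP $port : refused or filtered ($($_.Exception.Message))" }
}

# 4. TLS handshake on 636: compare the certificate the DC really serves with the exported one.
#    The callback accepts any certificate on purpose; this is a diagnostic, and the
#    thumbprint comparison below is the real check. RemoteCertificateChainErrors just
#    means this Windows host does not trust the issuing CA; RemoteCertificateNameMismatch
#    means the name you typed is not the name in the DC's certificate.
$global:ServedThumb = $null; $global:PolicyErrors = $null
$tcp = New-Object System.Net.Sockets.TcpClient($DcFqdn, 636)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, {
    param($sender, $cert, $chain, $errors)
    $global:ServedThumb  = $cert.GetCertHashString()
    $global:PolicyErrors = $errors
    $true })
$ssl.AuthenticateAsClient($DcFqdn)
$ssl.Close(); $tcp.Close()
"DC presented  : thumbprint $global:ServedThumb, policy errors: $global:PolicyErrors"
if ($global:ServedThumb -ne $exported.Thumbprint) {
    Write-Warning "The DC serves a different certificate than $CertPath; export the current one from the DC you named and retry."
}
```

A thumbprint mismatch is the usual cause of "simple bind failed" after importing a certificate: the file came from another DC, or the DC's certificate has been renewed since the export.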
August 30, 2013 at 11:27 PM
Hey, you mention that “If your domain controller is behind a firewall; make sure you have configured a policy to allow vCenter traffic.”
Any idea what ports it’s using that might be disallowing it? The AD admins won’t turn off the firewall but will open specific ports if I ask D:
Thanks!
August 30, 2013 at 11:33 PM
This might be of help to you; http://pubs.vmware.com/vsphere-50/index.jsp?topic=%2Fcom.vmware.vsphere.install.doc_50%2FGUID-925370DD-E3D1-455B-81C7-CB28AAF20617.html
August 31, 2013 at 12:28 AM
Thanks. Helps a bit, still need to track down what port it’s connecting to the domain controller through.
The server is joined to the domain, but then when I go to add it through VMware inventory, I get connection refused errors.
August 31, 2013 at 12:33 AM
Add ldap (tcp 389) and ldaps (tcp 636) ports to the list too; those are used to connect the vcenter server to the domain controller.
November 7, 2013 at 3:50 PM
Very helpful article. I faced this issue when a domain controller accidentally failed and SSO was unable to track with another domain controller.
Is there any way we can add more than two domain controllers?
November 15, 2013 at 2:48 PM
Thank you 🙂 Well, honestly I haven't tried to look at that, but I believe there was no additional field for another DC to be added. Will look into that now that you have mentioned it.