Avatar of sara2000
sara2000
 asked on

LDAP vs Kerberos

I recently changed the vcenter identity source from Kerberos to LDAPs. We now have a problem of logging into the vcneter using mydomain\user format instead we have to use user@myddomain.local.
We are using base DN in the vcenter (DC=mydomain,DC=local) fro search order.
I have a backup appliance that is configured to use Bind DN and i was able to log into mydomian\user format.

Why we can not use mydomain\user with the base DN?
* LDAPActive DirectoryVMware

Avatar of undefined
Last Comment
Andrew Hancock (VMware vExpert PRO / EE Fellow/British Beekeeper)

8/22/2022 - Mon
Andrew Hancock (VMware vExpert PRO / EE Fellow/British Beekeeper)

Any reason for the change? (and you are aware of recent Microsoft Security changes ? regarding LDAP services on AD).

Are you vCenter Servers configured the same ?
sara2000

ASKER
We used to use AD authentication. The security team asked me to change to AD over LDAPs because MS is going to disable LDAP with the next security updates.
I can not use my old format mydomain\user anymore. Here are some application configured to use mydomain\service account to use the vcenter. I guess they will only work with the serviceaccount@mydomain.local format.
Andrew Hancock (VMware vExpert PRO / EE Fellow/British Beekeeper)

This is all to do with LDAP.....

if you were previously using Integrated Windows Authentication (IWA) there is no change.

if you are using LDAP....... this is the change.

So I'm a little confused in you state you used to use AD, they asked you to change to AD over LDAP (this could cause issues!)

which is Any system that connects to Active Directory via LDAP without using TLS will be negatively affected by this change.

So bottom line if your Identity Source is ldap you could be impacted!

(ldap:// <--- possibly impacted)

(ldaps:// <---- unlikely)
Experts Exchange has (a) saved my job multiple times, (b) saved me hours, days, and even weeks of work, and often (c) makes me look like a superhero! This place is MAGIC!
Walt Forbes
sara2000

ASKER
we use ldaps://gc.mydomain.local:3269 in which it uses TLS.
My confusion is why we have to use user@mydoain.local
Andrew Hancock (VMware vExpert PRO / EE Fellow/British Beekeeper)

are you specify the domain correctly e.g. domain\username

also check the Default Identity Source
sara2000

ASKER
Everything is fine with the identity source.
identify the source is "AD over LDAP"
Base DN is DC=mydomain,DC=local
user ID user@mydomain.local instead mydomain\user
Everything works other than the user format.
Why the user id has to be user@mydomain.local after changing to LDAP instead of MyDomain\user in the AD as an identity source?
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
Andrew Hancock (VMware vExpert PRO / EE Fellow/British Beekeeper)

because it's broke! and not working correctly, if you have one vCenter Server working and the other is not.....it's supposed to do either

Check if the Identity Source is Default, and then try dropping the domain in domain\username

because this should work, is this VCSA vCenter for Windows and which version ?
sara2000

ASKER
ASKER CERTIFIED SOLUTION
Andrew Hancock (VMware vExpert PRO / EE Fellow/British Beekeeper)

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question
sara2000

ASKER
I did not use the alias as mydomain
All of life is about relationships, and EE has made a viirtual community a real community. It lifts everyone's boat
William Peck
Andrew Hancock (VMware vExpert PRO / EE Fellow/British Beekeeper)

ah well, I'm surprised it was able to connect!

when they patch re-check....and don't forget your Administrator@vsphere.local password!