
LDAP vs Kerberos

sara2000 asked:
I recently changed the vCenter identity source from Kerberos to LDAPS. We now have a problem logging into the vCenter using the mydomain\user format; instead we have to use user@mydomain.local.
We are using a base DN in the vCenter (DC=mydomain,DC=local) for the search order.
I have a backup appliance that is configured to use a Bind DN, and I was able to log in using the mydomain\user format.

Why can we not use mydomain\user with the base DN?

Andrew Hancock (VMware vExpert / EE Fellow), VMware and Virtualization Consultant
Fellow 2018
Expert of the Year 2017

Commented:
Any reason for the change? (And are you aware of the recent Microsoft security changes regarding LDAP services on AD?)

Are your vCenter Servers configured the same?

Author

Commented:
We used to use AD authentication. The security team asked me to change to AD over LDAPS because MS is going to disable LDAP with the next security updates.
I cannot use my old format mydomain\user anymore. There are some applications configured to use a mydomain\serviceaccount to access the vCenter. I guess they will only work with the serviceaccount@mydomain.local format.
Andrew Hancock (VMware vExpert / EE Fellow)

Commented:
This is all to do with LDAP.

If you were previously using Integrated Windows Authentication (IWA), there is no change.

If you are using LDAP, this is the change.

So I'm a little confused, in that you state you used to use AD, and they asked you to change to AD over LDAP (this could cause issues!),

which is: any system that connects to Active Directory via LDAP without using TLS will be negatively affected by this change.

So, bottom line, if your Identity Source is LDAP you could be impacted!

(ldap:// <--- possibly impacted)

(ldaps:// <---- unlikely)

Author

Commented:
We use ldaps://gc.mydomain.local:3269, which uses TLS.
My confusion is why we have to use user@mydomain.local.
Andrew Hancock (VMware vExpert / EE Fellow)

Commented:
Are you specifying the domain correctly, e.g. domain\username?

Also check the Default Identity Source.

Author

Commented:
Everything is fine with the identity source.
The identity source is "AD over LDAP".
Base DN is DC=mydomain,DC=local.
User ID is user@mydomain.local instead of mydomain\user.
Everything works other than the user format.
Why does the user ID have to be user@mydomain.local after changing to LDAP, instead of MyDomain\user as with AD as the identity source?
Andrew Hancock (VMware vExpert / EE Fellow)

Commented:
Because it's broken and not working correctly, if you have one vCenter Server working and the other is not... it's supposed to do either.

Check if the Identity Source is the default, and then try dropping the domain in domain\username,

because this should work. Is this VCSA or vCenter for Windows, and which version?

Commented:
Did you set the default?

That document has been the same forever.

One of those documents also explains it should also work, e.g. domain\username in favour of username@domain.com.

Author

Commented:
I did not use the alias as mydomain.
Andrew Hancock (VMware vExpert / EE Fellow)

Commented:
Ah well, I'm surprised it was able to connect!

When they patch, re-check... and don't forget your Administrator@vsphere.local password!
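The rule the thread converges on (domain\username only resolves when the identity source has that alias set, username@domain matches the source's domain name, and a bare name falls through to the default identity source), as an added Python example that is not part of the original thread or of VMware's code; the IdentitySource model and resolve_login function are a simplified assumption about vCenter's behaviour, and the filter escaping follows RFC 4515.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class IdentitySource:
    """One 'AD over LDAP' identity source (simplified model, not vCenter's own structure)."""
    domain_name: str             # DNS name of the domain, e.g. "mydomain.local"
    base_dn: str                 # users base DN, e.g. "DC=mydomain,DC=local"
    alias: Optional[str] = None  # NetBIOS-style short name, e.g. "MYDOMAIN"; optional


def ldap_escape(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515), so a login
    such as 'a*)(objectClass=*' cannot change the meaning of the filter."""
    out = []
    for ch in value:
        if ch in '\\*()\0':
            out.append('\\%02x' % ord(ch))   # e.g. '*' -> '\2a'
        else:
            out.append(ch)
    return ''.join(out)


def resolve_login(login: str, sources: list, default: Optional[IdentitySource]):
    """Map a login to (identity source, LDAP filter), or return None if no source matches.

    DOMAIN\\user  -> needs a source whose alias equals DOMAIN (the short name is not
                    the DNS domain name, so without an alias nothing matches)
    user@domain  -> matched on the source's DNS domain name
    user         -> the default identity source, if one is set
    """
    by_name = {s.domain_name.lower(): s for s in sources}
    by_alias = {s.alias.lower(): s for s in sources if s.alias}
    if "\\" in login:                           # down-level logon name
        domain, user = login.split("\\", 1)
        src = by_alias.get(domain.lower())
        return (src, f"(sAMAccountName={ldap_escape(user)})") if src else None
    if "@" in login:                            # user principal name
        domain = login.rsplit("@", 1)[1]
        src = by_name.get(domain.lower())
        return (src, f"(userPrincipalName={ldap_escape(login)})") if src else None
    if default is None:                         # bare name with no default source
        return None
    return default, f"(sAMAccountName={ldap_escape(login)})"
```

The returned filter is meant to be searched under the matching source's base_dn; the sAMAccountName / userPrincipalName attribute choice is the usual AD convention and part of the assumption.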