sara2000

asked on

LDAP vs Kerberos

I recently changed the vCenter identity source from Kerberos to LDAPS. We now have a problem logging into vCenter using the mydomain\user format; instead we have to use user@mydomain.local.
We are using a base DN in vCenter (DC=mydomain,DC=local) for the search order.
I have a backup appliance that is configured to use a Bind DN, and I was able to log in with the mydomain\user format.

Why can we not use mydomain\user with the base DN?
Andrew Hancock (VMware vExpert PRO / EE Fellow/British Beekeeper)

Any reason for the change? (And are you aware of the recent Microsoft security changes regarding LDAP services on AD?)

Are your vCenter Servers configured the same?
sara2000

ASKER

We used to use AD authentication. The security team asked me to change to AD over LDAPS because MS is going to disable LDAP with the next security updates.
I cannot use my old format mydomain\user anymore. There are some applications configured to use mydomain\serviceaccount to access vCenter. I guess they will only work with the serviceaccount@mydomain.local format.
This is all to do with LDAP.....

if you were previously using Integrated Windows Authentication (IWA) there is no change.

if you are using LDAP....... this is the change.

So I'm a little confused in that you state you used to use AD, and they asked you to change to AD over LDAP (this could cause issues!)

which is: any system that connects to Active Directory via LDAP without using TLS will be negatively affected by this change.

So bottom line if your Identity Source is ldap you could be impacted!

(ldap:// <--- possibly impacted)

(ldaps:// <---- unlikely)
We use ldaps://gc.mydomain.local:3269, which uses TLS.
My confusion is why we have to use user@mydomain.local.
Are you specifying the domain correctly, e.g. domain\username?

also check the Default Identity Source
Everything is fine with the identity source.
Identity source is "AD over LDAP"
Base DN is DC=mydomain,DC=local
User ID is user@mydomain.local instead of mydomain\user
Everything works other than the user format.
Why does the user ID have to be user@mydomain.local after changing to LDAP, instead of MyDomain\user as with AD as the identity source?
Because it's broke! and not working correctly, if you have one vCenter Server working and the other is not.....it's supposed to do either.

Check if the Identity Source is Default, and then try dropping the domain in domain\username,

because this should work. Is this VCSA or vCenter for Windows, and which version?
ASKER CERTIFIED SOLUTION
Andrew Hancock (VMware vExpert PRO / EE Fellow/British Beekeeper)
I did not use the alias as mydomain.
Ah well, I'm surprised it was able to connect!

When they patch, re-check....and don't forget your Administrator@vsphere.local password!
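An added illustration of the point the thread ends on, not code from the participants or from VMware: a model of how an "AD over LDAP" identity source with a base DN turns a typed login into an LDAP search, and why a `DOMAIN\user` prefix only resolves when the source has been given that NetBIOS name as its alias. The class `LdapIdentitySource`, the functions `resolve_login` and `login_resolves`, and the `alias` field are assumptions for this example; the value escaping follows RFC 4515.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class LdapIdentitySource:
    """Hypothetical identity-source settings, modelled on the thread's values."""
    domain: str            # UPN suffix, e.g. "mydomain.local"
    base_dn: str           # user search base, e.g. "DC=mydomain,DC=local"
    alias: Optional[str]   # NetBIOS name, e.g. "MYDOMAIN"; None when not configured


# RFC 4515 escapes: keep a login name from changing the structure of the filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value so it is matched literally by the directory."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def resolve_login(src: LdapIdentitySource, login: str) -> Tuple[str, str]:
    """Map a login name to (search base, LDAP filter) or raise ValueError.

    The search only knows the base DN and the UPN suffix; a "DOMAIN\\user"
    prefix can be recognised only through the configured alias.
    """
    if "\\" in login:
        prefix, user = login.split("\\", 1)
        if src.alias is None or prefix.lower() != src.alias.lower():
            raise ValueError(f"domain prefix {prefix!r} is not a configured alias")
        attr, value = "sAMAccountName", user
    elif "@" in login:
        _, suffix = login.rsplit("@", 1)
        if suffix.lower() != src.domain.lower():
            raise ValueError(f"UPN suffix {suffix!r} does not match {src.domain!r}")
        attr, value = "userPrincipalName", login
    else:
        # Bare user name: only resolvable when this is the default identity source.
        attr, value = "sAMAccountName", login
    if not value:
        raise ValueError("empty user name")
    ldap_filter = f"(&(objectClass=user)({attr}={escape_filter_value(value)}))"
    return src.base_dn, ldap_filter


def login_resolves(src: LdapIdentitySource, login: str) -> bool:
    """True when the login name maps to a search against this identity source."""
    try:
        resolve_login(src, login)
        return True
    except ValueError:
        return False
```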