TAM Lab 048 - Moving vSphere Authentication from LDAP to LDAPS

  • Published 26 Oct 2024

COMMENTS • 13

  • @shaneusmaximus2744 2 years ago +1

    Would have been helpful to show which contents of the certificate chain you copied into the text file to create the cert. Is it the whole thing or what?

  • @jasonwoerner8428 4 years ago +1

    Integrated Windows Auth still uses unsigned LDAP for non-authentication purposes and generates 2889 events. I wish this video would address migrating from Integrated to LDAPS because I cannot add the latter without destroying the former, apparently.

    • @VMwareTAMLab 4 years ago

      Correct, these are two completely different authentication methods, so you have to remove IWA first.
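An added example, not from the video or from any commenter: a PowerShell audit of Event ID 2889 on a domain controller, the event Jason mentions, to list which clients are still binding without signing or over clear-text LDAP before the identity source is switched to LDAPS. It assumes the NTDS diagnostic "16 LDAP Interface Events" is set to 2 (otherwise 2889 is not written) and that the event message carries the Client IP address / Identity / Binding Type fields in their usual text layout; the 0 = simple bind, 1 = unsigned SASL mapping of Binding Type is also an assumption.

```powershell
# Added example: find clients still doing unsigned / clear-text LDAP binds (Event 2889)
# on a domain controller. Run in an elevated session on, or with rights to, the DC.

function Enable-LdapBindLogging {
    # 2889 is only logged per client once this diagnostic level is raised to 2
    # (assumed prerequisite; level 0 is the default and only emits the 2887 summary).
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
    Set-ItemProperty -Path $key -Name '16 LDAP Interface Events' -Value 2 -Type DWord
}

function Get-UnsignedLdapBinds {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Hours = 24
    )
    $filter = @{
        LogName   = 'Directory Service'
        Id        = 2889
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # SilentlyContinue: Get-WinEvent raises a non-terminating error when no events match
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Parse the message text rather than trusting replacement-string order (assumed layout).
        $ip   = if ($e.Message -match 'Client IP address:\s*(\S+)')      { $Matches[1] } else { $null }
        $who  = if ($e.Message -match 'authenticate as:\s*([^\r\n]+)')   { $Matches[1].Trim() } else { $null }
        $type = if ($e.Message -match 'Binding Type:\s*(\d+)')           { [int]$Matches[1] } else { -1 }
        $typeName = switch ($type) {
            0       { 'SimpleBindClearText' }   # assumed: simple bind without TLS
            1       { 'SaslUnsigned' }          # assumed: SASL bind without signing
            default { "Unknown($type)" }
        }
        [pscustomobject]@{
            Time        = $e.TimeCreated
            ClientIP    = $ip
            Identity    = $who
            BindingType = $typeName
        }
    }
}

# One row per client/identity pair, most frequent first. A vCenter identity source still on
# plain LDAP (or an IWA join, as the thread notes) shows up here by its IP and bind account.
Get-UnsignedLdapBinds -Hours 24 |
    Group-Object ClientIP, Identity |
    Select-Object Count,
        @{ n = 'ClientIP';    e = { $_.Group[0].ClientIP } },
        @{ n = 'Identity';    e = { $_.Group[0].Identity } },
        @{ n = 'BindingType'; e = { $_.Group[0].BindingType } } |
    Sort-Object Count -Descending |
    Format-Table -AutoSize
```

Re-run the audit after each client is moved to LDAPS; the list should be empty before LDAP signing or channel binding is enforced on the DCs.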

  • @RogerDingoDing 1 year ago

    The 2 GPO settings that you changed here... is that a requirement for LDAPS to work?
    I'm a bit confused as to why you enabled those 2 settings... What happens if you don't change those settings? Will LDAPS still work?

  • @loeffelm 2 years ago

    What happens if you remove an existing Identity Source from which you had AD groups used in Global Permission ? Are you going to lose all those groups ? (ie will they get removed?)
    Another way to put it: what happens if I remove my current “AD over LDAP” IS (which is used in Global Permissions) then re-add it using ldaps. Will all AD groups still be there in Global Permission?

  • @RicardoSaramago 4 years ago

    Hi, if we have vCenter connected to the AD via IWA, what's the impact on changing to LDAPS?
    Thanks.

    • @VMwareTAMLab 4 years ago

      Hi Ricardo! If vCenter is connected via IWA, there should not be an impact when LDAPS is enabled. Check out the following post: blogs.vmware.com/vsphere/2020/01/microsoft-ldap-vsphere-channel-binding-signing-adv190023.html
      "Integrated Windows Authentication (IWA) has also been tested by VMware Engineering and verified to be compatible with these changes. IWA uses different protocols and mechanisms to interact with Active Directory and is not affected by changes to the Active Directory LDAP servers."
      As always, feel free to reach out to VMware support if you have any additional concerns about this in your environment.

    • @TGUK9 4 years ago

      It might be worth checking out the new blog on the vSphere blog website, in regards to IWA: "vSphere 7 - Integrated Windows Authentication (IWA) Deprecation"

  • @pinpinpoola 4 years ago

    Does anyone know where these LDAP server certificates are stored in vCenter and how to monitor their expiry date?

    • @VMwareTAMLab 4 years ago +1

      Surely you would monitor the expiry from the source, which is your AD servers.

  • @kevinwood4931 4 years ago

    The issue with your design is that you shouldn't be running Cert Services on an AD controller. "With AD CS you have another problem in that you cannot remove Active Directory (in the event you want to decommission a DC for example) without first removing AD CS from that DC." Every demonstration I see for this process talks about using Certificate Services on a domain controller and it is not best practice.

    • @VMwareTAMLab 4 years ago

      Hi Kevin! Your observation is accurate, for sure. The decision to use an Active Directory-integrated Enterprise CA was to model one of the ways that customers may have a CA implemented in their environment. Finding the SSL cert for LDAPS with a domain controller using an Enterprise CA is different than with Standalone or non-AD-based CAs. Alternative architectures could have included Standalone with an offline root CA and a couple of intermediate CAs online. But, at the end of the day, it made for a more straightforward process to show the LDAPS configuration from vSphere's perspective and less on CA architecture.
      But... with all of that being said, we REALLY appreciate your comment on the video because these are important considerations for customers running certificates within their own environments. Design decisions all over the place have implications that you weigh as part of the design OR... they show up later and you wish you would have known more about it. So, thank you for sharing your thoughts on it! :-)
      ~Bill