Monday, June 17, 2013

vCenter Single Sign On Server (SSO) - How to change an Identity Source Server URL which is using LDAP over SSL (LDAPS)

I recently had an issue where I was getting the following error when logging into vCenter:

A general system error occurred: Authorize Exception

It turns out the SSO Identity Source was trying to connect to Domain Controllers which were powered off. To prevent this from occurring in the future, I wanted to add a physical DC to the config.

Our infrastructure uses LDAP over SSL (LDAPS), so it required a few additional steps.

1. First, log into the Domain Controller you would like to use as a Server URL for the Identity Source. Then launch mmc and add the Certificates snap-in. Select Computer Account and Local Computer. Export the certificate used for Server Authentication.

   A. On the Export Private Key screen, select No, do not export the private key.
   B. On the Export File Format screen, select Base-64 encoded X.509 (.CER).

2. Using the Web Client, log in with the admin@System-Domain account. Go to Sign-On and Discovery --> Configuration. Right-click the Identity Source and select Edit Identity Source.

3. Enter the appropriate DC info, then select Choose Certificate.
4. Browse to the newly exported .cer file.
5. Select Test Connection.

6. To confirm that the change has taken effect, open the following file on the SSO server:

C:\Program Files\VMware\Infrastructure\SSOServer\webapps\ims\WEB-INF\classes\krb5.conf
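The same procedure scripted, as an added example that is not part of the original post: the first function does the certificate export of step 1 (Server Authentication certificate, no private key, Base-64 X.509), and the second does what Test Connection in step 5 does but also reports which certificate the DC actually presents on port 636, whether its thumbprint matches the exported file, and whether the chain is trusted on the machine running the check. The host name dc01.corp.example and the output path are placeholders, not values from the post.

```powershell
# Added example (not from the original post). Assumed placeholders: the DC
# name dc01.corp.example and the output path; replace them with your own.
# Run Export-DcLdapsCertificate in an elevated PowerShell on the Domain
# Controller itself; Test-LdapsCertificate can run from any machine that can
# reach TCP 636 on the DC (for example the SSO server).

function Export-DcLdapsCertificate {
    # Mirrors the MMC wizard in step 1: Certificates (Local Computer) > Personal,
    # Server Authentication EKU, "No, do not export the private key", Base-64 X.509.
    param([Parameter(Mandatory)][string]$OutFile)

    $serverAuthEku = '1.3.6.1.5.5.7.3.1'   # OID of the Server Authentication EKU
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object {
            $_.HasPrivateKey -and
            $_.NotAfter -gt (Get-Date) -and
            ($_.EnhancedKeyUsageList.ObjectId -contains $serverAuthEku)   # PowerShell's EKU view of the cert
        } |
        Sort-Object NotAfter -Descending | Select-Object -First 1

    if (-not $cert) {
        throw 'No unexpired Server Authentication certificate with a private key in LocalMachine\My'
    }

    # RawData is the DER-encoded public certificate only, so the private key stays on the DC.
    $pem = "-----BEGIN CERTIFICATE-----`r`n" +
           [Convert]::ToBase64String($cert.RawData, [System.Base64FormattingOptions]::InsertLineBreaks) +
           "`r`n-----END CERTIFICATE-----"
    Set-Content -Path $OutFile -Value $pem -Encoding Ascii
    return $cert.Thumbprint
}

function Test-LdapsCertificate {
    # Like step 5's Test Connection, but shows which certificate the DC presents
    # on port 636 and whether it is the one that was exported and uploaded to SSO.
    param(
        [Parameter(Mandatory)][string]$HostName,
        [Parameter(Mandatory)][string]$ExpectedThumbprint,
        [int]$Port = 636
    )

    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any cert in the callback so the handshake completes; the checks are done explicitly below.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)

        $presented = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
                         -ArgumentList $ssl.RemoteCertificate
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chainTrusted = $chain.Build($presented)   # $false when the issuer is not trusted on this machine

        [pscustomobject]@{
            HostName         = $HostName
            Protocol         = $ssl.SslProtocol
            Subject          = $presented.Subject
            Issuer           = $presented.Issuer
            NotAfter         = $presented.NotAfter
            Thumbprint       = $presented.Thumbprint
            MatchesExported  = ($presented.Thumbprint -eq $ExpectedThumbprint)
            NameCoversHost   = ($presented.DnsNameList.Unicode -contains $HostName)  # SAN/CN names as exposed by PowerShell
            ChainTrustedHere = $chainTrusted
            ChainStatus      = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
        }
    }
    finally {
        $client.Close()
    }
}

# Usage (placeholder host name and path):
$thumb = Export-DcLdapsCertificate -OutFile "$env:TEMP\$env:COMPUTERNAME-ldaps.cer"
Test-LdapsCertificate -HostName 'dc01.corp.example' -ExpectedThumbprint $thumb | Format-List
```

MatchesExported being false after the identity source was working is the quickest way to spot that the DC's certificate has been renewed since the .cer was uploaded, in which case the export and the Choose Certificate step need to be repeated; NameCoversHost false means the Server URL entered in step 3 does not match a name on the certificate, which is a separate failure from an untrusted chain.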

 

1 comment:

  1. These steps are useful to change the Identity Source Server URL. This process is useful in the case where infrastructure uses LDAP over SSL.

    idp shibboleth