Blog Archives

vCenter Orchestrator – Working with SSL and Secure LDAP with MS Active Directory

I decided to tackle something a few days back that I finally figured out and I thought it would be a good idea to share it out as others seem to run into it from time to time. vCenter Orchestrator is something that is getting a lot more attention these days because of the automation it can bring to your VMware virtual environment. I won’t go into details about what it can do completely as there is plenty of that out there. I instead wanted to focus on it from a security stand point when working with Secure LDAP and using SSL. Now I most certainly want to say that there are probably some sources out there that may speak to this but many I have read and reviewed I have found lacking in some way for a better term. Some would defer to other articles which were even more vague. My only goal is to enable you to be able to effectively connect vCenter Orchestrator securely to your Microsoft Active Directory Services and be able to modify it.

What did it take?

Well here are some suggestions and key things to consider when standing this up.

  1. What accounts does VCO need?
  2. When using the Active Directory plug-in what level of further permissions is needed into active directory with the account making AD changes?
  3. What exactly do the VCO users do exactly and how do they work? (I would like VMware to detail this as current documentation is lacking)
  4. If using a Certificate Authority server what kind of certificate do I need to establish the SSL connection to a Domain Controller?
  5. How do I allow LDAPS on my Domain Controller?
  6. What Group Policy Configurations may be needed?
  7. Any other caveats to this?

Now I want to go through a standard process of setting up LDAP-SSL and designate specific points to outside sources for their contributions and help.

Enabling LDAP SSL Requirements

  • Stand up a MS Certificate Authority Server (This is to line up with my scenario)
  • Issue a Domain Certificate Template on the Certificate Authority specifically for LDAP-SSL. This can be the following noted here: I used the following Subject Name settings specifically Note: the name is just what I used to standardize LDAP SSL for the VCO design
  • On the root CA export the Root Certificate
  1. From the MS Root CA server:
  2. Go to Start > Run > Type MMC
  3. Go to File > Add/Remove Snap-in
  4. Add Certificates Click the “>” button
  5. Choose Local Host for connection
  6. Expand Certificates > Personal > Click Certificates
  7. In this repository you will find the Root CA Certificate. You will know this because the Certificate Template is a “Root Certicate”.
  8. Highlight the certificate and click All Tasks > Export > Next > Next (.DER) > Name and Save > Next > Finish
  9. Log into VCO and click the Network and then the SSL tab as shown:
  10. Go to the Import from file options:
  11. Click the search icon and browse to the location. Click Import. After importing you will the following:
  12. Common name will only show on VCO is you are using the common name as an option on the SSL certificate like I stated for the domain controller. Most CA Root Certificates import with no issue. I just like to know what certificates I have installed.
  13. Once you have deployed the LDAP SSL to your Domain Controllers (ALL OF THEM) you than import the root CA (same one the DC’s are signed by) you can now establish an SSL connection with the Domain Controllers

Note: You will have to check enable SSL on the LDAP and on the Active Directory Plug-ins. You will also have to ensure port 389 and 636 are opened between VCO and the Active Directory servers. If you have issues turn off any firewall to alleviate networking being an issue. If the connecting accounts have access and networking connectivity is not an issue you will wonderful green lights on everything.

Connecting with SSL Authentication and why it’s needed

At this point it’s clear this is somewhat straightforward but you need to note that missing any of these steps will result in a broken SSL connection to your domain controllers. By using a ROOT CA this makes things a lot easier. Usually I would just try deploying a trusted signed SSL to my appliance but in my case that feature of VCO was actually broken. The real use case behind this is being able to fully automate the Active Directory user creation. To be able to allow VCO to run an Active Directory workflow for creating an Enabled user requires LDAPS. You can create disabled users all day, but when it comes to making them enabled and modifying them you have be granted access. SSL with LDAP ensures this handshake with Active Directory is solid and that you can connect securely. However, this is only a small part of the puzzle. We will now cover the users.

At first you will need 3 users or 2. There are some things that are unclear noted in the following PDF paper from VMware:

I will say that it is a good starting point for using Active Directory but note that you cannot do any real workflows without settings up SSL securely when working with Active Directory. VMware doesn’t really address this solid in my opinion and really there is a lot of fragmentation out there. Another good resource was this white paper as well:

I was still left with trying to figure some things out…

My suggestion when setting up the accounts

So in total from my standpoint when setting up VCO with AD (Active Directory) Access you will need 3 separate accounts.

  • One for the LDAPS connection
  • One for the primary connection to AD
  • One for the “Shared” session for AD

My assumption is that VCO uses the following accounts for specific task and from a security standpoint it may not be ideal to use a single account for two functions especially when talking to AD. VCO essentially uses java to do fancy API calls to Active Directory. The LDAP Account specified in the LDAP configuration is used for authentication and connection for the LDAPS functions (though this is poorly documented by VMware it’s my assumption). The Accounts used in the AD Plug-in are beyond me from a purpose standpoint. I know for certain one is used for accessing AD and making changes but I am not sure about the point of the “Shared” session and what its implications are. I would like more visibility on this…

If you are having issues…

I would not be surprised if this happens to you… so I would recommend the following for troubleshooting:

So if your lights will not go green for connecting on SSL check the following:

  • Trace your steps ensure you have the CA Root SSL on your VCO appliance
  • Ensure you have the LDAP SSL deployed to your AD servers for LDAP auth.
  • Ensure the VCO user account in LDAP is able to access and connect to AD. You can test by configuring SSL on the appliance and if you get all green lights that is a good sign connectivity it working.
  • A second test could be to log on with the VCO user account and ensuring you browse AD.
  • On the LDAP button there is a “test login” tab. Do a test login but ensure the user is a member of the group you specify in vCO admin group you set up VCO to point to for access.
  • Make sure ports 389 and 636 are open from VCO to the LDAP servers (AD in this case)
  • Upate 1: you can check for GPO signing as documented here: (This link tells you how to enable it but it is the same way to put it to no signing. Ideally GPO is best applied through a more granular means other then the default domain policy. You can create a specific GPO tied to a OU that contains your domain controllers and apply it there instead.)

So Chad, my appliance is connected on SSL but my workflows break dude… I get an error like this:


Unable to create a new user: InternalError: Failed to create user account… [LDAP: error code 50 – 00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0 ] (Dynamic Script Module name : createUserWithPassword#6) (Dynamic Script Module name : createUserWithPassword#9)

This one can stink so my suggestion is the following:

  • Make sure your VCO user accounts have proper permissions in Active Directory.
  • You can do further testing (if you don’t have the ability to do the following) by using another LDAP tool like LDAP administrator. You can set it up exactly as you would VCO and even use the VCO service account to prove it.
  • The easy way would be: Create a new user apart of no groups, Make it a domain admin only, Add it to the vco admin group, configure VCO for that account. (Note: Its important to ensure the VCO admin group is not restricted in any way through a delegation of permissions. I found this issue when someone else created the account and although it had domain permissions it was restricted)

Run your workflows after trying some of those and that should be able take care of you. One consideration I have to make clear is that the VCO accounts that access AD need to be set up with some sort of delegated permissions in their own group. Since you have to use two it would make since to have this group with delegated AD functions related to what the workflows need to be able to do. I do this today for specific use-case accounts in our environments. This is also known as Role Based Access Control (RBAC). I will cover that in another article but I want to bring some attention to VCO and some of my challenges with it. I hope this is helpful to someone out there.


VMware vSphere Labs – Infrastructure – Setting Up Active Directory on Windows 2008 R2

This Tutorial runs through a quick overview of installing Active Directory 2008 R2 on a Windows Virtual Machines running in VMware Workstation 8. It has a Video and general instructions to help you out. Enjoy!

  1. Deploy from the template
  2. Configure NICS Static
  3. Disable Extra NIC
  4. Gateway and DNS are the Gateway list in “Virtual machine Editor”
  5. Keep DNS as the secondary DNS of the Domain Controller
  6. Rename machine to appropriate Computer Name to reflect your Domain Controller (sysprep gives silly names)
  7. Reboot
  8. Add Role from server manager
  9. Select Active Directory Domain Services
  10. Yes, Install the .Net Stuff….
  11. Run DCPRomo.exe from powershell or within the server manager under AD role
  12. Install DNS (if not you must be doing something a bit more advanced :))
  13. Reboot and validate you can log into AD with a Domain Account.
  14. Join another Virtual Machine to the Domain

[Resolved] VMware Workstation 8 – Windows XP VM Hang Issue

This video explains how I solved my own issue after I upgraded to VMware Workstation 8. It seems going throught he process of removing and adding virtual devices narrowed mine down the A: drive or aka Floppy Disk. I just simply disconnected it through VMware Workstation and I would recommend removing it entirely if you do not need it. To this you would need to power down the VM. Just for the record I did an upgrade for VMware workstation, however it completely uninstalls and reinstalls the new version.

1. Power Down the VM

2. Right Click and go to “Settings”

3. Click on the Floppy Drive

4. Click Remove

5. Click Ok

*NOTE* You can also just uncheck the connect at power on option as well. I hope this fixes your issue as well.

VMware vSphere Labs – Foundations – First Series

Well, I have decided to dub my basic intro into VMware workstation labs as “Foundations” . I, like many others, enjoy discussing and learning about everything. Storage, networking, what I want to achieve, what I am designing for, name a few things you will have to consider in your lab. Sure, there is the easy stand up a lab slap some storage on it, run ESXi, Build vCenter, but for the few, the proud, and the pros… we like to cover it all. This series is pretty much going to go through every bit of that. Yeah, every bit… even the crumbs from the table. So here is the outline and obviously post videos and notes on each. Duly note, that at any time I may add a few dozen more post to foundations as I embark on this journey. I am looking forward to it and I hope you do as well! (Perhaps when I get to it I will do some CommVault vs. Veeam videos when I get a chance – OH, the drama!)

  1. The different kinds
  2. The Downloads and what you need to know
  3. VMware Workstation Storage Considerations
  4. Networking Considerations and Design
  5. Installing Custom VMware Workstation 8
  6. Creating you windows 2008 R2 template VM in VMware Workstation 7 and 8

Yeah, I know who would’ve ever thought a lab took this much thought. It’s just good stuff to think about and if people are board well you got something to do or watch. By the way, some videos have some music others don’t. Again feedback always appreciated!

***Disclaimer: The thoughts and views expressed on and Chad King in no way reflect the views or thoughts of his employer or any other views of a company. These are his personal opinions which are formed on his own. Also, products improve over time and some things maybe out of date. Please feel free to contact us and request an update and we will be happy to assist. Thanks!~

VMware vSphere Labs – Foundations – VMware Workstation Storage Considerations

This video informs you of what you may or may not know about the different types of storage you can use for your VMware vSphere lab set up. Things like physical iSCSI and NFS and Virtual Storage Appliances (VSA) are important to know about and some are MIUCH cheaper than the other.

Links Show in the video:

***Disclaimer: The thoughts and views expressed on and Chad King in no way reflect the views or thoughts of his employer or any other views of a company. These are his personal opinions which are formed on his own. Also, products improve over time and some things maybe out of date. Please feel free to contact us and request an update and we will be happy to assist. Thanks!~

%d bloggers like this: