VMware

AD authentication from vCenter appliances = unsigned LDAP SASL bind

vCenter 6.5 U2h appliances with external PSC, Windows 2012 R2 domain controllers.

I have been looking more closely at what LDAP clients have been sending unsigned and/or simple binds to our domain controllers because of the enforcement changes that Microsoft will be bringing to Windows in January.

https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirement-for-windows

Every one of my vCenter appliances is joined to AD and uses Integrated Windows Authentication as the SSO identity source.

Any time AD Authentication occurs from vCenter, the domain controller logs event 2889, logon type 0 (meaning unsigned bind), logging in as the machine account of the vCenter.

Our vCenter SSO settings as far as I can remember are defaults.

I’m hoping someone else out there has been looking at the same issue and found a solution.

If all else fails, I could remove from the domain and use LDAP over TLS I suppose, as a last resort.

Thanks



View Reddit by jdptechnc
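Before changing anything on the identity source, it helps to know exactly which hosts and accounts are behind the 2889 events the post describes. The following is an added example, not code from the post, VMware or Microsoft: it parses the message body of Directory Service event 2889 and groups the events by client IP, bind identity and Binding Type (0 = SASL bind without signing, 1 = simple bind over cleartext). The field labels in the regular expression are assumed to match the text the DC writes; the sample messages are constructed test data, and the hostnames, IPs and account names in them are invented.

```python
"""Inventory the clients behind Directory Service event 2889 (unsigned or
cleartext LDAP binds) so the hosts that still need fixing are visible before
LDAP signing is enforced."""
import re
from collections import Counter

# Binding Type values as documented for event 2889.
BINDING_TYPE = {0: "SASL bind without signing", 1: "simple bind over cleartext"}

# Field order as it appears in the 2889 message body (assumed to match the
# DC's wording; adjust the labels if your build phrases them differently).
EVENT_RE = re.compile(
    r"Client IP address:\s*(?P<ip>\S+?):(?P<port>\d+)\s+"
    r"Identity the client attempted to authenticate as:\s*(?P<identity>\S+)\s+"
    r"Binding Type:\s*(?P<btype>\d+)",
    re.DOTALL,
)

_HEADER = ("The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) "
           "LDAP bind without requesting signing (integrity verification), or "
           "performed a simple bind over a clear text (non-SSL/TLS-encrypted) "
           "LDAP connection.\n\n")


def constructed_2889(ip, port, identity, btype):
    """Build a constructed sample message in the 2889 layout (test data only)."""
    return (f"{_HEADER}Client IP address:\n{ip}:{port}\n"
            f"Identity the client attempted to authenticate as:\n{identity}\n"
            f"Binding Type:\n{btype}")


# Constructed sample set: two unsigned SASL binds from a vCenter machine
# account (the pattern the post describes), one cleartext simple bind from a
# service account, and one unrelated event body that must be ignored.
SAMPLE_MESSAGES = [
    constructed_2889("10.20.30.41", 49152, r"CORP\VCENTER01$", 0),
    constructed_2889("10.20.30.41", 49170, r"CORP\VCENTER01$", 0),
    constructed_2889("10.20.30.77", 52211, r"CORP\svc-ldap-reader", 1),
    "An unrelated Directory Service event body that must be ignored.",
]


def parse_2889(message):
    """Return {ip, port, identity, binding_type} or None if not a 2889 body."""
    m = EVENT_RE.search(message)
    if m is None:
        return None
    return {"ip": m["ip"], "port": int(m["port"]),
            "identity": m["identity"], "binding_type": int(m["btype"])}


def summarize(messages):
    """Count events per (client IP, identity, binding type). The source port
    changes on every connection, so it is dropped to group a host's binds."""
    counts = Counter()
    for msg in messages:
        rec = parse_2889(msg)
        if rec is not None:
            counts[(rec["ip"], rec["identity"], rec["binding_type"])] += 1
    return counts


def report(counts):
    """Render one row per client, busiest first."""
    rows = []
    for (ip, identity, btype), n in sorted(counts.items(),
                                           key=lambda kv: (-kv[1], kv[0])):
        label = BINDING_TYPE.get(btype, f"unknown type {btype}")
        rows.append(f"{ip:<15} {identity:<24} {label:<27} {n:>5}")
    return rows


if __name__ == "__main__":
    for row in report(summarize(SAMPLE_MESSAGES)):
        print(row)
```

On a domain controller the message bodies can be exported with `Get-WinEvent -LogName 'Directory Service' -FilterXPath '*[System[EventID=2889]]' | Select-Object -ExpandProperty Message` and fed to `summarize()`. Note that a DC only writes a per-client 2889 event when the "16 LDAP Interface Events" diagnostic level under the NTDS Diagnostics registry key is set to 2 or higher; at the default level it writes only the 24-hour summary event 2887, which gives a count but not the client list. A row showing a vCenter machine account with type 0 is exactly the symptom in the post: the SASL bind succeeded but signing was never negotiated, so it will be refused once signing is enforced unless the identity source is moved to LDAPS or the client requests signing.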


2 Comments

  1. Having the same issue in 6.7u2 and 6.7u3 (before that we had SMB events – but they are gone now as SMBv2 is used). Still getting LDAP unsigned bind events though – exactly as you describe.
