Configure LDAPS authentication for vCenter Server.

The following steps configure Active Directory over LDAPS as an identity source for vCenter Server.

Step 1

Note down the domain controller (DC) that will serve LDAPS for the identity source. To list all domain controllers of the domain, run the following command from any Windows machine that is joined to the AD domain:

nltest /dclist:DomainName

Step 2

Pick one of the domain controllers that will be configured as the LDAP identity source. Log in to the vCenter Server Appliance over SSH (PuTTY or a terminal) and fetch the LDAPS certificate from that DC:

openssl s_client -connect <dc-fqdn>:636 -showcerts

Replace <dc-fqdn> with the fully qualified name of the domain controller in your environment (636 is the LDAPS port). The topmost certificate in the chain printed by s_client is the certificate of the domain controller itself; the blocks below it are the issuer certificates.


Copy the complete block from -----BEGIN CERTIFICATE----- through (and including) -----END CERTIFICATE----- into a text file. Remove any characters after -----END CERTIFICATE----- and save the file with a .cer extension (e.g. ldap_dc.cer).


Step 3

Open the vSphere Web Client (HTML5 or Flash). Go to Home > Administration > Single Sign-On > Configuration, click the + sign and select Active Directory as an LDAP Server.

Give the identity source a name and fill in the following fields.

vCenter 6.0

Name: the domain name
Base DN for users: dc=domainname,dc=local
(Restricts the user search to a specific organizational unit or container in AD; the domain root is used here.)
Domain name: domainname.local
Domain alias: domainname
Base DN for groups: dc=domainname,dc=local
(Restricts the group search to a specific organizational unit or container in AD.)
Primary server URL: ldaps://<dc-fqdn>:636
(The domain name can be used instead of a specific DC if all domain controllers are configured with LDAPS certificates.)
Secondary server URL: ldaps://<dc-fqdn>:636
(Optional.)



vCenter 6.5/6.7

Name: the domain name
Base DN for users: dc=domainname,dc=local
Base DN for groups: dc=domainname,dc=local
Domain name: domainname.local
Domain alias: domainname
User name: adminuser@domain.local
Password: ****
(This is the bind account vCenter uses to search users and groups. Use a dedicated, low-privilege account that only needs read access to the directory, not a Domain Admin, since its password is stored by vCenter.)

If you select Connect to any domain controller in the domain, vCenter connects to the DC that holds the primary domain controller (PDC) role; the nltest output from Step 1 shows the current PDC. This option does not work on versions prior to 6.7 U1 or 6.5 U2d due to a known issue. The workaround is to download the LDAPS certificate of every DC (the list obtained from nltest in Step 1) and upload all of them in the certificate step of the configuration.

Alternatively, you can specify primary and secondary LDAP server URLs explicitly:

Primary server URL: ldaps://<dc-fqdn>:636
Secondary server URL: ldaps://<dc-fqdn>:636


In the next screen, upload the certificate saved in Step 2 (or the certificates of all DCs if you use the Connect to any domain controller option on an affected version).


If the configuration is correct, Active Directory as an LDAP Server is added without error. Note the expiry date of the certificate you uploaded: vCenter validates the LDAPS connection against that certificate, so when the DC certificate is renewed the identity source must be updated with the new certificate, otherwise logins through it fail.
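Steps 1 and 2 above, and the all-DC workaround for the Connect to any domain controller option, done mechanically from the vCenter appliance shell, as an added example script that is not part of the original post. Given DC FQDNs as arguments, it runs openssl s_client against each, keeps only the first PEM block (the DC's own certificate, which is the "remove anything after END CERTIFICATE" step), writes it to ldap_<dc>.cer, prints subject, issuer and expiry, and warns when the DC name is missing from the certificate's SAN or the certificate expires within 30 days. The DC names, port 636 and the output file name pattern are assumptions; only openssl and awk are required.

```shell
#!/bin/sh
# Added example (not from the original post): fetch and sanity-check the LDAPS
# certificate of each domain controller from the vCenter appliance shell.
# Assumptions: openssl and awk are available, the DC FQDNs passed as arguments
# resolve from the appliance, and LDAPS listens on 636 (override with LDAPS_PORT).
set -eu

LDAPS_PORT="${LDAPS_PORT:-636}"

# Keep only the first PEM block from `openssl s_client -showcerts` output.
# The first block is the DC's own certificate; the issuer certificates and
# the s_client session summary that follow it are dropped.
extract_leaf_cert() {
    awk '/-----BEGIN CERTIFICATE-----/ { p = 1 }
         p { print }
         /-----END CERTIFICATE-----/ { if (p) exit }'
}

# Return 0 if the file is exactly one well-formed PEM certificate block,
# i.e. what the identity source wizard expects to be uploaded.
pem_is_single_cert() {
    [ "$(head -n 1 "$1")" = "-----BEGIN CERTIFICATE-----" ] || return 1
    [ "$(tail -n 1 "$1")" = "-----END CERTIFICATE-----" ] || return 1
    [ "$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1")" -eq 1 ]
}

# Fetch the leaf certificate of one DC into ldap_<dc>.cer and report on it.
fetch_dc_cert() {
    dc="$1"
    out="ldap_${dc}.cer"
    # </dev/null makes s_client exit after the handshake instead of waiting for input.
    openssl s_client -connect "${dc}:${LDAPS_PORT}" -showcerts </dev/null 2>/dev/null \
        | extract_leaf_cert > "$out"
    if ! pem_is_single_cert "$out"; then
        echo "FAIL ${dc}: no certificate received on port ${LDAPS_PORT} (LDAPS not enabled?)" >&2
        rm -f "$out"
        return 1
    fi
    echo "== ${dc} -> ${out}"
    openssl x509 -in "$out" -noout -subject -issuer -enddate
    # The name used in the ldaps:// URL should appear in the SAN of the certificate.
    if ! openssl x509 -in "$out" -noout -text | grep -qiF "DNS:${dc}"; then
        echo "WARN ${dc}: FQDN not found in subjectAltName; check the name used in the ldaps:// URL" >&2
    fi
    # vCenter validates against this exact certificate: warn if it expires within 30 days.
    if ! openssl x509 -in "$out" -noout -checkend 2592000; then
        echo "WARN ${dc}: certificate expires within 30 days; the identity source will need the renewed one" >&2
    fi
}

main() {
    rc=0
    for dc in "$@"; do
        fetch_dc_cert "$dc" || rc=1
    done
    return "$rc"
}

if [ "$#" -gt 0 ]; then
    main "$@"
else
    echo "usage: $0 dc1.domainname.local [dc2.domainname.local ...]" >&2
fi
```

Run it with every DC from the nltest list (for example `sh ldaps_certs.sh dc1.domainname.local dc2.domainname.local`) and upload each resulting .cer file in Step 3; a FAIL line means that DC has no certificate bound to LDAPS and should not be used in a primary or secondary server URL.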