top of page
  • Mark

vCenter - Switching IWA to LDAPS

Why do i need to change?

Starting with vSphere (and vCenter) 7.0, VMware has deprecated the use of Integrated Windows Authentication (IWA). That doesn't mean you can't use it or migrate an existing 6.7 vCenter with IWA to vCenter 7. It means that VMware considers IWA end of life and will be removing it in a future release, so the time to move off IWA is now!

The steps below show how to do switch from the IWA identity source to AD over LDAPs. Bear in mind you will need to remove the old identity source, before being able to add the new one, so you need to do this when no one else will be logging into vCenter. It doesn't take long though, so as long as you can find a quiet time, you're ready to go.

I didn't grab screenshots for this one, as this was a change we did at work, but the process is documented step by step below, so you should have no trouble following the process.

First Grab the Domain Controller Certificates

  • Log into the new vCenter over SSH (using Putty or your usual SSH tool)

  • Login as root and enter password

  • Once logged in, type 'shell' to access the BASH shell

  • Run openssl s_client -connect -showcerts (where is the Domain Controller you wish to extract the certificate from)

  • In the output, select and copy everything between (and including) ------ BEGIN CERTIFICATE------- and -------END CERTIFICATE --------- into a notepad file

  • Save the notepad file as

  • Repeat for (ie add a 2nd Domain Controller) for resilience

Take a snapshot of vCenter

  • Shutdown vCenter

    • In a Linked Mode Domain, shut down ALL vCenters and snapshot all of them at the same time, to ensure a consistent state in the event rollback is required.

  • Take a snapshot

  • Power on vCenter

  • It is good practise to have other methods of restoration, such as the built in backup feature in the event rollback is required

Removing the old identity source

  • Menu (3 bars) → Administration → Single Sign On → Configuration → Identity Provider → Identity Sources

  • Select the IWA Identity Source

  • Click Remove

Add the AD over LDAPs Identity Source

  • Menu (3 bars) → Administration → Single Sign On → Configuration → Identity Provider → Identity Sources → Add

  • Change Identity Source Type to Active Directory over LDAP

  • Name = Enter a friendly identifier for the domain (can be anything - eg LDAPS connection to

  • Base DN for users: dc=lab,dc=com

  • Base DN for groups: dc=lab,dc=com

  • Domain name:

  • Domain Alias: Enter the NetBIOS name for your domain

  • Username: (Service account setup specifically for vCenter LDAP access. Needs at least read access to the Base DN locations

  • Password: password for the above account

  • Connect to: Specific domain Controllers

    • Primary server URL: ldaps://

    • Secondary server URL: ldaps://

  • Click Browse → Add both certs you captured earlier → Click Add

  • The AD LDAPS identity source should now be added

  • Select the new identity source and click "Set as Default" → Read the warning → Ok

  • That's it, now test you can login using your AD accounts as before.

Remove snapshot

Once you have tested and happy that everything is working, don't forget to remove your vCenter snapshot(s).

Enhanced Linked Mode

When running Enhanced Linked Mode all Domain Controllers in the SSO domain will pick up the Identity Source Change.

31 views0 comments

Recent Posts

See All

Patching ESXi 8 from Update 1 to Update1C via esxcli

Download the patch file In the VMware Portal, navigate to, select ESXi (Embedded and Installable) as the product, select 8.0 as the version, then click Search.

Installing ESXi 8.0 U1 step by step

I am installing ESXi 8.0 U1 in my homelab. The installation is very straightforward, but i though i would write a guide to document the process. Nested Lab Step: I have created a VM and configured it

Installing vCenter 8.0.2 - Step by step

Pre-requisites This guide runs through the install of the VCSA version of vCenter 8.0.2 using the standard GUI installer method. Note that the ISO must be mounted on a workstation, in order to depl


bottom of page