
The vCenter Server for Windows must use LDAPS when adding an SSO identity source.


Overview

Finding ID: V-216887
Version: VCWN-65-000068
Rule ID: SV-216887r612237_rule
IA Controls: (none listed)
Severity: Medium
Description
LDAP (Lightweight Directory Access Protocol) is an industry standard protocol for querying directory services such as Active Directory. The protocol can operate in clear text or over an SSL/TLS encrypted tunnel; in clear text, the bind credentials and the directory data returned to vCenter are exposed to anyone on the network path. To protect the confidentiality of LDAP communications, the LDAPS option must be selected when adding an LDAP identity source in vSphere SSO.
STIG: VMW vSphere 6.5 vCenter Server for Windows Security Technical Implementation Guide
Date: 2021-06-23

Details

Check Text (C-18118r531363_chk)
Note: This requirement is applicable to Active Directory over LDAP connections and Not Applicable when the vCenter or PSC server is joined to AD and uses Integrated Windows Authentication.

From the vSphere Web Client go to Administration >> Single Sign-On >> Configuration.

Click the "Identity Sources" tab.

For each identity source of type "Active Directory", highlight the item and click the pencil icon to open the edit dialog.

If the "LDAPS" box at the bottom of the dialog is not checked, this is a finding.
Fix Text (F-18116r366376_fix)
From the vSphere Web Client go to Administration >> Single Sign-On >> Configuration.

Click the "Identity Sources" tab.

For each identity source of type "Active Directory" where LDAPS is not configured, highlight the item and click the pencil icon to open the edit dialog.

Check the "LDAPS" box at the bottom and click "Next".

Click the green plus button to upload the trusted DC certificate, or click the magnifying glass to extract the certificate from the DC directly. Click "Next".

Click "Finish".
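Checking the LDAPS box on a domain controller that does not answer on 636, or that presents a certificate that cannot be trusted or does not cover the name in the identity source URL, breaks SSO logins for that domain. The following PowerShell script is an added example, not part of the STIG and not VMware tooling: run from the vCenter Server for Windows host, it uses only .NET classes to open a TLS session to the DC's LDAPS port, reports what a client would see (negotiated protocol, subject alternative names, expiry, chain trust against the local root store), and writes the DC certificate out as a Base64 .cer file for the "upload the trusted DC certificate" step. `dc01.example.local` and the output path are placeholders; `DnsNameList` is the property Windows PowerShell adds to X509Certificate2 objects.

```powershell
<#
Added example (not part of the STIG or of VMware's tooling): pre-check a
domain controller's LDAPS endpoint before ticking the "LDAPS" box on an
Active Directory over LDAP identity source, and save the DC certificate as a
Base64 .cer file for the upload step in the fix text.
#>
param(
    [string]$DomainController = "dc01.example.local",       # assumption: replace with the DC FQDN used in the identity source URL
    [int]$Port = 636,
    [string]$OutFile = (Join-Path $env:TEMP "dc01-ldaps.cer")  # assumption: any writable path
)

function Get-LdapsCertificate {
    # Opens a TLS session to the LDAPS port and returns the server certificate plus
    # the negotiated protocol. Validation is disabled for this handshake only, so an
    # untrusted certificate can still be retrieved and examined below.
    param([string]$HostName, [int]$Port)

    $tcp = New-Object System.Net.Sockets.TcpClient
    $tcp.Connect($HostName, $Port)
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream -ArgumentList $tcp.GetStream(), $false, $acceptAll
    try {
        $ssl.AuthenticateAsClient($HostName)   # the name the DC certificate must cover
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
        [pscustomobject]@{ Certificate = $cert; Protocol = $ssl.SslProtocol }
    } finally {
        $ssl.Dispose()
        $tcp.Dispose()
    }
}

function Test-LdapsCertificate {
    # Builds the chain the way a client would (trust decided by this host's root
    # store) and collects the facts the identity source will depend on.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # CRL reachability is checked separately
    $trusted  = $chain.Build($Cert)
    $problems = @($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() })
    $topCert  = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    [pscustomobject]@{
        Subject  = $Cert.Subject
        Issuer   = $Cert.Issuer
        DnsNames = @($Cert.DnsNameList | ForEach-Object { $_.Unicode })   # PowerShell-added property
        NotAfter = $Cert.NotAfter
        Expired  = ($Cert.NotAfter -lt (Get-Date))
        Trusted  = $trusted
        Problems = $problems
        ChainTop = $topCert.Subject
    }
}

function Export-CertificatePem {
    # Writes the leaf certificate as Base64 (PEM) text, the form the SSO dialog's
    # upload button accepts for a .cer file.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$Path)

    $der = $Cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    $b64 = [Convert]::ToBase64String($der, [Base64FormattingOptions]::InsertLineBreaks)
    "-----BEGIN CERTIFICATE-----", $b64, "-----END CERTIFICATE-----" |
        Set-Content -Path $Path -Encoding Ascii
    $Path
}

$session = Get-LdapsCertificate -HostName $DomainController -Port $Port
$report  = Test-LdapsCertificate -Cert $session.Certificate
$report | Add-Member -NotePropertyName Protocol -NotePropertyValue $session.Protocol
$report | Format-List

if ($report.Expired) {
    Write-Warning "Certificate expired on $($report.NotAfter); LDAPS binds will fail until the DC is re-issued a certificate."
}
if ($report.DnsNames -notcontains $DomainController) {
    Write-Warning "SAN list ($($report.DnsNames -join ', ')) does not include $DomainController; use a name the certificate covers in the identity source URL."
}
if (-not $report.Trusted) {
    Write-Warning "This host's root store does not trust the certificate ($($report.Problems -join '; ')); confirm the issuing CA before uploading it."
}

$saved = Export-CertificatePem -Cert $session.Certificate -Path $OutFile
Write-Host "Saved DC certificate to $saved for the 'upload trusted DC certificate' step."
```

Run it once per domain controller named in the identity source (primary and, if set, secondary server URL). A connection failure on 636 means LDAPS is not enabled on that DC at all, and ticking the box would only produce a broken identity source; an expiry or SAN warning is the kind of problem the magnifying-glass extraction in the dialog will not tell you about.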