
The vCenter Server for Windows must use LDAPS when adding an SSO identity source.


Overview

Finding ID: V-94839
Version: VCWN-65-000068
Rule ID: SV-104669r1_rule
IA Controls:
Severity: Medium
Description
LDAP (Lightweight Directory Access Protocol) is an industry standard protocol for querying directory services such as Active Directory. The protocol can operate in clear text or over an SSL/TLS encrypted tunnel. To protect the confidentiality of LDAP communications, the LDAPS option must be selected when adding an LDAP identity source in vSphere SSO.
STIG: VMware vSphere 6.5 vCenter Server for Windows Security Technical Implementation Guide
Date: 2019-05-22

Details

Check Text (C-94035r1_chk)
From the vSphere Web Client go to Administration >> Single Sign-On >> Configuration.

Click the "Identity Sources" tab.

For each identity source of type "Active Directory", highlight the item and click the pencil icon to open the edit dialog.

If the LDAPS box at the bottom is not checked, this is a finding.
Fix Text (F-100963r1_fix)
From the vSphere Web Client go to Administration >> Single Sign-On >> Configuration.

Click the "Identity Sources" tab.

For each identity source of type "Active Directory" where LDAPS is not configured, highlight the item and click the pencil icon to open the edit dialog. Check the box at the bottom for LDAPS and click "Next". Click the green plus button to upload the trusted DC certificate or click the magnifying glass to extract the certificate from the DC directly. Click "Next". Click "Finish".
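As an added example, not part of the STIG or of VMware's tooling: a Python audit over identity-source settings transcribed from the edit dialog that flags the same conditions the check and fix text describe (clear-text LDAP on an Active Directory source, and LDAPS selected without a trusted DC certificate). The record layout and the sample values are assumptions constructed for this example.

```python
from urllib.parse import urlsplit

# Constructed sample of SSO identity-source settings, transcribed the way an
# administrator would read them from the "Identity Sources" edit dialog.
# This is not vCenter output; the field names are assumptions for this example.
IDENTITY_SOURCES = [
    {"name": "corp.example.com", "type": "Active Directory",
     "urls": ["ldaps://dc1.corp.example.com:636", "ldaps://dc2.corp.example.com:636"],
     "trusted_cert": "-----BEGIN CERTIFICATE-----\n...constructed...\n-----END CERTIFICATE-----"},
    {"name": "lab.example.com", "type": "Active Directory",
     "urls": ["ldap://dc1.lab.example.com:389", "ldap://dc2.lab.example.com:636"],
     "trusted_cert": ""},
    {"name": "vsphere.local", "type": "Local OS", "urls": [], "trusted_cert": ""},
]


def audit_identity_source(src):
    """Return the list of findings for one identity source (empty list = compliant)."""
    findings = []
    if src["type"] != "Active Directory":
        return findings  # the rule covers Active Directory identity sources only
    uses_ldaps = False
    for url in src["urls"]:
        scheme = urlsplit(url).scheme.lower()
        if scheme == "ldaps":
            uses_ldaps = True
        else:
            # ldap:// on port 636 is still clear text: the scheme decides, not the port
            findings.append(f"{url}: clear-text {scheme or 'ldap'} instead of LDAPS")
    # The fix requires a trusted DC certificate once LDAPS is selected
    if uses_ldaps and not src["trusted_cert"].strip():
        findings.append("LDAPS selected but no trusted DC certificate uploaded")
    return findings


def audit(sources):
    """Map each identity-source name to its findings; compliant sources are omitted."""
    result = {}
    for src in sources:
        findings = audit_identity_source(src)
        if findings:
            result[src["name"]] = findings
    return result


if __name__ == "__main__":
    for name, findings in audit(IDENTITY_SOURCES).items():
        print(name)
        for finding in findings:
            print("  FINDING:", finding)
```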