The vCenter Server must use secure Lightweight Directory Access Protocol (LDAPS) when adding an SSO identity source.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-243123	VCTR-67-000068	SV-243123r719612_rule		Medium

Description
LDAP is an industry-standard protocol for querying directory services such as Active Directory. This protocol can operate in clear text or over an SSL/TLS encrypted tunnel. To protect confidentiality of LDAP communications, secure LDAP (LDAPS) must be explicitly configured when adding an LDAP identity source in vSphere SSO. When configuring an identity source and supplying an SSL certificate, vCenter will enforce LDAPs. The server URLs do not need to be explicitly provided as long as an SSL certificate is uploaded.

Description

LDAP is an industry-standard protocol for querying directory services such as Active Directory. This protocol can operate in clear text or over an SSL/TLS encrypted tunnel. To protect confidentiality of LDAP communications, secure LDAP (LDAPS) must be explicitly configured when adding an LDAP identity source in vSphere SSO. When configuring an identity source and supplying an SSL certificate, vCenter will enforce LDAPs. The server URLs do not need to be explicitly provided as long as an SSL certificate is uploaded.

STIG	Date
VMware vSphere 6.7 vCenter Security Technical Implementation Guide	2022-01-04

Details

Check Text ( C-46398r719610_chk )
From the vSphere Client, go to Administration >> Single Sign-On >> Configuration. Click the "Identity Sources" tab. For each identity source of type "Active Directory", if the "Server URL" does not indicate "ldaps://", this is a finding.

Fix Text (F-46355r719611_fix)
From the vSphere Client, go to Administration >> Single Sign-On >> Configuration. Click the "Identity Sources" tab. For each identity source of type "Active Directory" where LDAPS is not configured, highlight the item and click "Edit". Ensure the primary and secondary server URLs, if specified, are configured for "ldaps://". At the bottom, click the "Browse" button, select the AD LDAP cert previously exported to the local computer, click "Open", and "Save" to complete modifications. Note: With LDAPS, the server must be a specific domain controller and its specific certificate or the domain alias with a certificate that is valid for that URL.

Fix Text (F-46355r719611_fix)

From the vSphere Client, go to Administration >> Single Sign-On >> Configuration.

Click the "Identity Sources" tab.

For each identity source of type "Active Directory" where LDAPS is not configured, highlight the item and click "Edit".

Ensure the primary and secondary server URLs, if specified, are configured for "ldaps://".

At the bottom, click the "Browse" button, select the AD LDAP cert previously exported to the local computer, click "Open", and "Save" to complete modifications.

Note: With LDAPS, the server must be a specific domain controller and its specific certificate or the domain alias with a certificate that is valid for that URL.