creating AD User in vCAC failing


If you are trying to create an AD user and set its password as an Advanced Service (vCenter Orchestrator workflow) in vCAC, you might get the following error:

[Screenshot: vcac_ldap_error]

Unable to create a new user: InternalError: Failed to create user account… [LDAP: error code 53 – 0000001F: SvcErr: DSID-031A12D2, problem 5003 (WILL_NOT_PERFORM), data 0 ] (Dynamic Script Module name : createUserWithPassword#6) (Dynamic Script Module name : createUserWithPassword#9)

This nice, easily readable error is trying to tell you that you are not allowed to set a user password over a non-secure LDAP connection. Therefore you should check your Active Directory endpoint settings and switch it to use SSL:

[Screenshot: vcac_ldap_error_endpoint]

Be aware that a domain controller does not offer secure LDAP by default! There are two ways of enabling LDAPS:

Installing an Enterprise Root CA on a domain controller enables LDAPS

This is very easy, as you only have to add the CA role to your domain controller, configure it using the default values and finally reboot the server. Furthermore, this will enable LDAPS on all of your domain controllers.
This procedure should only be used in a test environment, as it is not good practice to have a CA running on a domain controller.

Deploy a CA, request a certificate and configure AD Domain Services to use this certificate

Both steps are described in great detail in the following post:

LDAP over SSL (LDAPS) Certificate
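As an added example (not code from this post, vCAC or vCO), a small Python script that parses the error quoted above into its LDAP result code and AD extended-error fields, and a probe that connects to a domain controller on port 636 and verifies its certificate the way the endpoint will once SSL is switched on. The DC hostname and CA file passed to `probe_ldaps` are assumptions; that function needs network access to a DC, the parser runs offline.

```python
import re
import socket
import ssl
from datetime import datetime, timezone

# Constructed sample, copied from the error message quoted in the post.
SAMPLE_ERROR = ("Unable to create a new user: InternalError: Failed to create user "
                "account... [LDAP: error code 53 - 0000001F: SvcErr: DSID-031A12D2, "
                "problem 5003 (WILL_NOT_PERFORM), data 0 ]")

# Standard LDAP result codes (RFC 4511) most often seen when creating users.
LDAP_RESULT_CODES = {19: "constraintViolation", 32: "noSuchObject",
                     49: "invalidCredentials", 50: "insufficientAccessRights",
                     53: "unwillingToPerform"}

# Matches AD's extended error: "<code> - <hex>: <src>: DSID-<id>, problem <n> (<NAME>), data <d>"
ERROR_RE = re.compile(r"LDAP: error code (?P<code>\d+) [-\u2013] (?P<ext>[0-9A-Fa-f]{8}): "
                      r"\w+: DSID-(?P<dsid>[0-9A-Fa-f]+), problem (?P<problem>\d+) "
                      r"\((?P<name>\w+)\), data (?P<data>\d+)")


def parse_ad_error(message):
    """Return the LDAP result code and AD extended-error fields, or None."""
    m = ERROR_RE.search(message)
    if not m:
        return None
    code = int(m.group("code"))
    return {"code": code, "name": LDAP_RESULT_CODES.get(code, "unknown"),
            "extended": m.group("ext"), "dsid": m.group("dsid"),
            "problem": int(m.group("problem")), "problem_name": m.group("name"),
            "data": int(m.group("data"))}


def explain(err):
    """Map the parsed error to its likely cause: 53/WILL_NOT_PERFORM on a password
    set means AD refused to write unicodePwd over a clear-text LDAP connection."""
    if err["code"] == 53 and err["problem_name"] == "WILL_NOT_PERFORM":
        return "AD refused the operation: switch the endpoint to LDAPS (port 636)"
    return "LDAP result %d (%s)" % (err["code"], err["name"])


def probe_ldaps(host, port=636, cafile=None, timeout=5):
    """TLS-connect to a domain controller and verify its certificate against
    `cafile` (or the system trust store), checking the name against `host`, so
    pass the same name the vCAC endpoint uses. Returns subject and expiry."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    return {"subject": dict(ava for rdn in cert["subject"] for ava in rdn), "not_after": expires}


if __name__ == "__main__":
    print(explain(parse_ad_error(SAMPLE_ERROR)))
```

A handshake failure from `probe_ldaps` (no listener on 636, or a certificate the CA bundle does not trust) means the endpoint will fail in the same way, so fix that before re-running the workflow.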
