WilliamLam.com


vCenter Server 6.0 Tidbits Part 7: Connecting to SSO/PSC using JXplorer

05.01.2015 by William Lam // 7 Comments

I have written before about using JXplorer, a free LDAP browser utility that can connect to vCenter SSO's vmdird (VMware Directory Service); you can find more details here. In vSphere 6.0, there are a couple of minor changes to be aware of if you need to connect to SSO, which is now located in the Platform Services Controller (PSC). The first change is that port 11711 is no longer used: a fresh install of vSphere 6.0 uses port 389, otherwise the port is preserved, as noted in the comments section. The second change is that the BaseDN property is no longer needed when using JXplorer to connect to vmdird, and if you try to specify it, you will not be able to connect.

Here are the updated instructions to connect to vmdird in vSphere 6.0 which is now located in the PSC or in an embedded deployment.

Disclaimer: Please take extreme caution when connecting to the vmdird database; this is primarily for educational purposes. You should take extreme care in making changes while in the database, or you can negatively impact your environment.

Host: Hostname/IP Address of PSC
Protocol: LDAPv3
Port: 389
Level: User + Password
User DN: cn=Administrator,cn=Users,dc=vghetto,dc=local
Password: SSO Admin Password

In addition, I wanted to mention a couple more tidbits that could come in handy when connecting directly to vmdird, especially in a troubleshooting scenario. The first is finding the SSO Domain Name, which is displayed by expanding the tree; in my environment it is called vghetto.local. The second is finding the SSO Site Name, which is under "Configuration->Sites" and can be seen in the screenshot below.

On top of that, if you wish to find all deployed PSCs, you can do so by expanding "Configuration->Sites->Servers", and by expanding each of those sub-entries you can also see whether they are replicating to other PSCs.

If you wish to find all deployed and connected vCenter Servers associated with the current PSC, you can expand "Computers".
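
The same tree locations (SSO domain, "Configuration->Sites->Servers", "Computers") can be read from an LDIF export of vmdird instead of clicking through the browser. The following is an added example, not code from the original post: the sample LDIF is constructed, and the hostnames, site name, `cn=`/`ou=` RDN types and the `labeledURI` attribute on replication agreements are assumptions.

```python
# Added example; SAMPLE_LDIF is constructed (hostnames, site name, cn=/ou= RDN types assumed).
SAMPLE_LDIF = """\
dn: cn=Default-First-Site,cn=Sites,cn=Configuration,dc=vghetto,dc=local

dn: cn=psc-01.example.test,cn=Servers,cn=Default-First-Site,cn=Sites,cn=Confi
 guration,dc=vghetto,dc=local

dn: cn=psc-02.example.test,cn=Replication Agreements,cn=psc-01.example.test,cn=Servers,cn=Default-First-Site,cn=Sites,cn=Configuration,dc=vghetto,dc=local
labeledURI: ldap://psc-02.example.test

dn: cn=vcenter-01.example.test,ou=Computers,dc=vghetto,dc=local
"""

def parse_ldif(text):
    """Return [(dn, {attr: [values]})]; unfolds folded lines, keeps base64 values undecoded."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # folded line: continuation starts with one space
        else:
            lines.append(raw)
    entries, dn, attrs = [], None, {}
    for line in lines + [""]:             # trailing "" flushes the last entry
        if not line.strip():
            if dn:
                entries.append((dn, attrs))
            dn, attrs = None, {}
        elif not line.startswith("#"):    # skip LDIF comments
            key, _, val = line.partition(": ")
            if key.lower() == "dn":
                dn = val
            else:
                attrs.setdefault(key.lower(), []).append(val)
    return entries

def inventory(entries):
    """Summarise SSO domain, sites -> PSCs -> replication partners, and vCenter Servers."""
    inv = {"domain": None, "sites": {}, "vcenters": []}
    for dn, attrs in entries:
        rdns = [r.partition("=") for r in dn.split(",")]   # assumes no escaped commas
        dcs = [v for k, _, v in rdns if k.strip().lower() == "dc"]
        path = [v for k, _, v in rdns if k.strip().lower() != "dc"][::-1]  # root first
        inv["domain"] = inv["domain"] or ".".join(dcs)
        if path[:2] == ["Configuration", "Sites"] and len(path) >= 3:
            site = inv["sites"].setdefault(path[2], {})
            if len(path) >= 5 and path[3] == "Servers":
                site.setdefault(path[4], []).extend(attrs.get("labeleduri", []))
        elif path[:1] == ["Computers"] and len(path) == 2:
            inv["vcenters"].append(path[1])
    return inv
```

Calling `inventory(parse_ldif(SAMPLE_LDIF))` returns the domain name, a per-site map of PSCs to their replication partner URLs, and the list of registered vCenter Servers; working from an export keeps the review read-only.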


  • vCenter Server 6.0 Tidbits Part 1: What install & deployment parameters did I use?
  • vCenter Server 6.0 Tidbits Part 2: What is my SSO Domain Name & Site Name?
  • vCenter Server 6.0 Tidbits Part 3: Finding all deployed Platform Services Controller
  • vCenter Server 6.0 Tidbits Part 4: Finding all deployed vCenter Servers
  • vCenter Server 6.0 Tidbits Part 5: New method of patching the VCSA
  • vCenter Server 6.0 Tidbits Part 6: Customizing VCSA’s DCUI
  • vCenter Server 6.0 Tidbits Part 7: Connecting to SSO/PSC using JExplorer
  • vCenter Server 6.0 Tidbits Part 8: Useful ldapsearch queries for vmdird
  • vCenter Server 6.0 Tidbits Part 9: Creating & managing SSO users using dir-cli
  • vCenter Server 6.0 Tidbits Part 10: Automating SSO Admin configurations
  • vCenter Server 6.0 Tidbits Part 11: Automate SSO Admin password change
  • vCenter Server 6.0 Tidbits Part 12: New methods of downloading Support Bundles for VCSA / PSC


Categories // VCSA, vSphere 6.0 Tags // jxplorer, ldap, platform service controller, psc, sso domain name, sso site name, vSphere 6.0

Comments

  1. Johnny Ferguson says

    05/01/2015 at 7:07 pm

    Good explanation. Only use the VMware CLI tools to do operations on the directory. Adding users directly won't work for example. Read only. Any tool that supports LDAPv3 such as LDAPBrowser, MMC should also work.

  2. MT says

    05/04/2015 at 4:39 pm

    Hi William, Just one note to add - 11711 will still be showing as used by vmdird.exe and will allow connections to be made through that port. Docs say only for environments upgraded from 5.5 - http://pubs.vmware.com/vsphere-60/index.jsp?topic=%2Fcom.vmware.vsphere.security.doc%2FGUID-ECEA77F5-D38E-4339-9B06-FF9B78E94B68.html&resultof=%22389%22%20

    • William Lam says

      05/04/2015 at 8:04 pm

      Thanks for the clarification MT

  3. P. Cruiser says

    05/04/2015 at 5:47 pm

    Using LDP.exe on a Windows system also works. It is useful because you can enable the control to see the contents of the Deleted Objects container (https://support.microsoft.com/en-us/kb/284928), which apparently never gets cleaned up :sigh:

  4. Thomas says

    10/30/2015 at 9:52 am

    Hi William,

    Thank you for the post, it's very helpful in trying to isolate a strange issue I'm experiencing with my new vCenter 6 Windows servers w/ External PSCs. I have two sites and two vCenter servers with one PSC per Site and replication between sites. When I log in to the first site via Web Client w/ AD credentials I am able to see both vCenter servers, however, if I log in to the second site vCenter server w/ AD credentials I get an "Empty Inventory" error. Using the vsphere.local admin account I can see both sites on both servers, which leads me to believe it's something to do with permission replication between the sites.

    I also think it may have to do with server names and case differences. Using the JExplorer tool I looked at the configuration tree for both sites and noticed that one of my PSCs has the replication agreement ldap URL (labledURI is the attribute value) in all lower case (srvvcpsc2vm.x.com), but the other one has the proper case format (srvVCPSC1vm.x.com). The names are properly capitalized throughout the rest of the system so I am wondering if this particular type value is throwing things off. I can only get one vCenter server at a time to work properly with AD credentials. I've even found a way to go from one to another by logging into the Web Client using the vsphere.local admin account, going to SSO Configuration, then I remove the only Local OS entry (srvVCPSC1vm) and add in a new Local OS entry for srvVCPSC2vm. When I do that I can then log in to the srvVC2vm (paired with srvVCPSC2vm) server and see both vCenter servers and vice versa. I would really like to get to a point where I can log in to either one and see both inventories with AD credentials. I also tried to add a second local OS entry for the second PSC (either one), but it won't allow me to add one with the existing entry.

    I did try to rename the labledURI value, but it didn't work. Any insight would be greatly appreciated. I've already talked with support, but they weren't really able to understand the issue, thus I've resorted to months of Google searches and blog posts.

    • William Lam says

      11/03/2015 at 12:09 pm

      Thomas,

      I would recommend filing an SR w/VMware GSS to troubleshoot further. I would not recommend modifying PSC DB as it could further impact your env.

  5. jerry says

    09/10/2020 at 9:32 pm

    William Lam, sts expired, update certificate from certool sts is not valid

Author

William is Distinguished Platform Engineering Architect in the VMware Cloud Foundation (VCF) Division at Broadcom. His primary focus is helping customers and partners build, run and operate a modern Private Cloud using the VMware Cloud Foundation (VCF) platform.
