VCP7-DCV Objective 4.3.3 – Configure Active Directory integration

VMware vSphere 7 and VCSA allow us to configure Active Directory (AD) integration. You can join to Microsoft AD vCenter server appliance (VCSA) and also your ESXi hosts. We'll have look in our post what's the details, how it's done and the main advantages.

To access vCenter Server, users must log in using SSO domain user accounts or user accounts from identity sources registered in SSO. After a fresh deployment of VCSA you only have the local OS identity source available. If you want to add an external Identity source you have to configure it.

There is the default SSO domain which name is vSphere.local and which is the only one predefined. However, during the initial installation, you can use a different name instead. It's not hardcoded like in 5.5.

NEW:

Download FREE Study VCP7-DCV Guide at Nakivo.

• The exam duration is 130 minutes
• The number of questions is 70
• The passing Score is 300
• Price = $250.00

vSphere 7 supports different types of identity sources.

• Microsoft AD over LDAP—SSO supports multiple AD over LDAP identity sources
• AD over LDAPS—secure connection by using SSL to the LDAP (LDAP secure)
• Microsoft IWA (Integrated Windows Authentication) – You're allowed to specify a single AD as an identity source. This option allows users to log in to the vCenter Server using your AD accounts.
• Open LDAP—vCenter SSO supports Open LDAP 2.4 and later; multiple Open LDAP identity sources are supported.

Before you can add an integrated Active Directory identity source, you need to ensure that the server where SSO is installed is in the domain. If not you'll not be able to add an AD. To do so, simply go to Administration > system configuration > nodes. Then select the node > Manage tab > select Active directory > Join.

Then only, you can add your AD as an identity source. To do so just go to Shortcuts > Administration.

Click the Single Sign-On section and Configuration. On the Identity provider tab, click Active Directory Domain > Join AD.

You'll need to enter:

Domain name – FQDN

Use Machine account – select this (most easier) to sue the local machine account as the server principal name. However, if you're planning to rename your VCSA, don't use this option.

Use Service Principal Name (SPN) – use this if you prefer to specify an unique SPN of using the machine name. You must provide also an SPN name and password.

You'll need to reboot your VCSA.

You can configure a default domain for SSO. The default SSO domain allows users to authenticate without identifying a domain name. Users from other identity sources must identify the domain name during authentication.

You can add LDAP autentication source too. In order to use OpenLDAP for authentication, you'll ned one or more LDAP authentication sources to be added to vCenter server. There are quite a few requirements, such as that the the OpenLDAP schema must be RFC 4519 compliant. All users must have the object class inetOrgPerson, or all groups must have the object class groupOfUniqueNames.

You can use the sso-config utility to add or remove an identity source.