VMware vSphere 7 and the vCenter Server Appliance (VCSA) let you integrate with Microsoft Active Directory (AD). You can join both the VCSA and your ESXi hosts to the domain. In this post we'll look at the details, how it's done and the main advantages.
To access vCenter Server, users must log in with an account from the SSO domain or from an identity source registered in SSO. After a fresh VCSA deployment only the SSO domain itself and the local OS identity source (localos) exist. If you want to use an external identity source such as AD, you have to add and configure it.
The default SSO domain is named vsphere.local and it is the only one predefined. During the initial installation you can choose a different name; unlike in vSphere 5.5, it is no longer hardcoded.
vSphere 7 supports several types of identity source:
- Microsoft AD over LDAP: SSO supports multiple AD over LDAP identity sources.
- AD over LDAPS: the same, but over a TLS-protected connection (LDAP secure, port 636, or 3269 for the Global Catalog). When you add the source you upload the domain controller's certificate (or its issuing CA chain), and the DC must present a certificate whose name matches the FQDN you enter. Prefer this over plain LDAP, which sends the bind password and every user/group lookup in clear text.
- Microsoft IWA (Integrated Windows Authentication): you can register a single AD domain as an identity source, and the VCSA itself must be joined to that domain first (see below). Users then log in to vCenter Server with their AD accounts. Note that VMware deprecated IWA as of vSphere 7.0; it still works, but AD over LDAPS is the recommended replacement for new setups.
- OpenLDAP: vCenter SSO supports OpenLDAP 2.4 and later; multiple OpenLDAP identity sources are supported.
Before you can add an integrated (IWA) Active Directory identity source, the VCSA (the node where SSO runs) must be joined to the domain; otherwise adding the AD source fails. In the vSphere 6.x web client this was done under Administration > System Configuration > Nodes, then select the node > Manage tab > Active Directory > Join.
In the vSphere 7 client go to Shortcuts > Administration, click Single Sign On > Configuration, and on the Identity Provider tab click Active Directory Domain > Join AD.
You'll need to enter:
Domain name: the FQDN of the AD domain.
Use Machine account: select this (the easiest option) to use the local machine account as the Service Principal Name (SPN). Don't use it if you plan to rename your VCSA, because the SPN is tied to the machine name and a rename breaks the trust.
Use Service Principal Name (SPN): use this if you prefer a unique SPN instead of the machine name. You must also provide the SPN, the user principal name (UPN) of the account that owns it and that account's password. Use a dedicated, least-privileged account for this rather than a domain admin account.
You'll need to reboot your VCSA for the join to take effect. Only then can you add the domain as an identity source: on the same Configuration page open the Identity Sources tab, click Add and choose the Active Directory (Integrated Windows Authentication) type. Until AD users or groups are assigned a vCenter role they can authenticate but cannot see or do anything.
You can configure a default domain for SSO. The default domain lets its users authenticate without prefixing a domain name (just "alice" instead of "alice@example.com"); users from other identity sources must specify the domain name during authentication.
You can add an LDAP authentication source too. In order to use OpenLDAP for authentication, you'll need to add one or more LDAP identity sources to vCenter Server. There are quite a few requirements: the OpenLDAP schema must be RFC 4519 compliant, all users must have the object class inetOrgPerson, all groups must have the object class groupOfUniqueNames, and group membership must be expressed with the uniqueMember attribute. Entries that don't meet these rules are simply not visible to SSO, which is easy to mistake for a bind or permission problem.
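Those schema requirements are easy to check before you touch SSO. The following script is an added example, not code from the original post or from VMware: it parses a small LDIF export (constructed here for the example, with hypothetical dc=example,dc=com DNs; the user and group base DNs passed in are assumptions as well) and reports every user entry that lacks inetOrgPerson, every group that is not a groupOfUniqueNames, and groups without uniqueMember values. Point it at a real export (for instance the output of ldapsearch -LLL) to find the entries SSO would silently ignore.

```python
"""Check an OpenLDAP export against the vCenter SSO prerequisites.

Added example, not from the original post or from VMware. The LDIF below
is constructed for the example and the DNs are hypothetical.
"""

# Constructed sample: a compliant user, a posixAccount-only user that SSO
# would not see, a compliant group and a groupOfNames group.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: top
uid: alice
cn: Alice Example
sn: Example

dn: uid=svc-backup,ou=people,dc=example,dc=com
objectClass: posixAccount
objectClass: top
uid: svc-backup
cn: Backup Service

dn: cn=vsphere-admins,ou=groups,dc=example,dc=com
objectClass: groupOfUniqueNames
objectClass: top
cn: vsphere-admins
uniqueMember: uid=alice,ou=people,dc=example,dc=com

dn: cn=legacy-ops,ou=groups,dc=example,dc=com
objectClass: groupOfNames
objectClass: top
cn: legacy-ops
member: uid=alice,ou=people,dc=example,dc=com
"""


def parse_ldif(text):
    """Parse the LDIF subset that directory dumps produce.

    Entries are separated by blank lines, continuation lines start with a
    space, '#' lines are comments. Returns [{"dn": str, "attrs": {name: [values]}}]
    with attribute names lower-cased. Base64 ('::') values are not decoded.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # unfold continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    lines.append("")                            # flush the last entry
    entries, dn, attrs = [], None, {}
    for line in lines:
        if line.startswith("#"):
            continue
        if not line.strip():
            if dn is not None:
                entries.append({"dn": dn, "attrs": attrs})
            dn, attrs = None, {}
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return entries


def classify(dn, user_base, group_base):
    """'user' or 'group' by the subtree the DN lives in, else None."""
    dn = dn.lower()
    for kind, base in (("user", user_base.lower()), ("group", group_base.lower())):
        if dn != base and dn.endswith("," + base):
            return kind
    return None


def check_sso_prereqs(ldif_text, user_base, group_base):
    """Return [(dn, problem)] for entries SSO would reject or ignore."""
    problems = []
    for entry in parse_ldif(ldif_text):
        kind = classify(entry["dn"], user_base, group_base)
        attrs = entry["attrs"]
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        if kind == "user":
            if "inetorgperson" not in classes:
                problems.append((entry["dn"], "user lacks objectClass inetOrgPerson"))
            else:
                # person (the base of inetOrgPerson) makes cn and sn mandatory
                for must in ("cn", "sn"):
                    if not attrs.get(must):
                        problems.append((entry["dn"], f"user is missing required attribute {must}"))
        elif kind == "group":
            if "groupofuniquenames" not in classes:
                problems.append((entry["dn"], "group lacks objectClass groupOfUniqueNames"))
            elif not attrs.get("uniquemember"):
                problems.append((entry["dn"], "group has no uniqueMember values"))
    return problems


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LDIF
    for dn, problem in check_sso_prereqs(text, "ou=people,dc=example,dc=com",
                                         "ou=groups,dc=example,dc=com"):
        print(f"{dn}: {problem}")
```

Run without arguments it reports the two deliberately non-compliant sample entries (the posixAccount-only service account and the groupOfNames group); with a file argument it checks your own export.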
You can also use the sso-config utility on the appliance to add or remove an identity source, which is handy for scripting or when the UI is unavailable:
- Use SSH or another remote console connection to start a session on the vCenter Server system.
- Log in as root (if you land in the appliance shell, type shell first to get a bash prompt).
- Change to the directory where the utility lives: /opt/vmware/bin.
- Run ./sso-config.sh -help for the option list, or see the VMware knowledge base article at https://kb.vmware.com/s/article/67304 for usage examples.
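As an added example of driving that utility safely (this is not code from the original post or from VMware), the script below builds the sso-config.sh call that adds an AD over LDAPS identity source, refuses a plain ldap:// URL, prompts for the bind password instead of storing it in the script, and logs a redacted copy of the command. The option names (-add_identity_source, -type adldap, -domain, -alias, -baseUserDN, -baseGroupDN, -primaryURL, -username, -password) are as I recall them from KB 67304 and are an assumption to confirm against sso-config.sh -help on your appliance; the host names, DNs and bind account are placeholders.

```python
"""Add an AD over LDAPS identity source with sso-config.sh, with the checks
a practitioner wants before the command runs.

Added example, not from the original post or from VMware. The sso-config
option names used here are as recalled from KB 67304; confirm them with
'/opt/vmware/bin/sso-config.sh -help' before relying on this. Host names,
DNs and the bind account are placeholders.
"""
import getpass
import shlex
import subprocess
from urllib.parse import urlsplit

SSO_CONFIG = "/opt/vmware/bin/sso-config.sh"   # default location on the VCSA


def validate_ldap_url(url):
    """Accept only ldaps:// URLs naming the DC by FQDN on 636 or 3269 (GC).

    Plain ldap:// would send the bind password and every group lookup in
    clear text, so it is refused outright rather than warned about.
    """
    parts = urlsplit(url)
    if parts.scheme != "ldaps":
        raise ValueError(f"refusing non-LDAPS URL: {url}")
    if not parts.hostname or "." not in parts.hostname:
        raise ValueError("use the domain controller's FQDN so the certificate name matches")
    port = parts.port or 636
    if port not in (636, 3269):
        raise ValueError(f"unexpected LDAPS port {port}")
    return f"ldaps://{parts.hostname}:{port}"


def build_add_identity_source(domain, alias, base_user_dn, base_group_dn,
                              primary_url, bind_dn, bind_password):
    """Return the argv list for sso-config.sh (list form: no shell quoting bugs)."""
    if not all([domain, alias, base_user_dn, base_group_dn, bind_dn, bind_password]):
        raise ValueError("every identity-source parameter is required")
    if any(ch.isspace() for ch in alias):
        raise ValueError("alias is the short domain name, e.g. EXAMPLE, without spaces")
    return [
        SSO_CONFIG, "-add_identity_source",
        "-type", "adldap",
        "-domain", domain,
        "-alias", alias,
        "-baseUserDN", base_user_dn,
        "-baseGroupDN", base_group_dn,
        "-primaryURL", validate_ldap_url(primary_url),
        "-username", bind_dn,
        "-password", bind_password,
    ]


def redacted(argv):
    """Render argv for a change log with the bind password masked."""
    out = list(argv)
    if "-password" in out:
        out[out.index("-password") + 1] = "********"
    return " ".join(shlex.quote(a) for a in out)


def run(argv, dry_run=True):
    """Print the redacted command; execute it only when dry_run is False."""
    print(redacted(argv))
    if dry_run:
        return None
    return subprocess.run(argv, check=True).returncode


if __name__ == "__main__":
    # The bind password is prompted for, not kept in the script or shell history.
    argv = build_add_identity_source(
        domain="example.com", alias="EXAMPLE",
        base_user_dn="DC=example,DC=com", base_group_dn="DC=example,DC=com",
        primary_url="ldaps://dc01.example.com",
        bind_dn="CN=svc-vcenter-ldap,OU=Service Accounts,DC=example,DC=com",
        bind_password=getpass.getpass("bind password: "))
    run(argv, dry_run=True)   # set dry_run=False on the appliance to apply
```

Because sso-config.sh takes the password as a command-line argument, it is still visible in ps output on the appliance for the duration of the call, so use a dedicated bind account with read access to the user and group subtrees only, never a domain admin, and rotate its password if the appliance is shared with other administrators.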
Find other chapters on the main page of the guide: VCP7-DCV Study Guide – VCP-DCV 2021 Certification.
Thanks for reading and stay tuned for more…