Virtual Geek

Tales from real IT system administrators world and non-production environment

Configuring vCenter PSC Single Sign-On with Active Directory Integrated Windows Authentication

January 14, 2018 02:16PM

In one of my earlier articles I showed ADDING AND CONFIGURING VMWARE VSPHERE VCENTER SSO ACTIVE DIRECTORY AS LDAP SERVER, which is one of the security best practices. Here I am going to perform the same task but use Active Directory Integrated Windows Authentication instead. This needs a few more steps on the vCenter server: the first is that the vCenter server must be joined to the Active Directory domain. Log in to the vCenter server and click the Home icon.

1. Under Administration, click the System Configuration icon.
2. Click the vCenter server node in the Navigator.
3. On the right side, choose the Manage tab.
4. In the Settings list, select Active Directory.
5. Click the Join button.
6. Type the domain name, user name and password (the user must have permission to join computers to the domain in AD). After clicking OK, reboot the vCenter node manually to apply the change.

Once the server has restarted, verify that the Domain field now shows the Active Directory domain name.

[Screenshot: vSphere Web Client, System Configuration > Nodes > Manage > Active Directory, join appliance to domain (Domain, Organizational unit)]

Next, configure vSphere PSC SSO; the navigation is much the same as for joining the appliance to the domain.
1. Click the Home button at the top.
2. Choose Administration to open the advanced PSC (Platform Services Controller) settings.
3. In the Navigator, click Configuration.
4. On the right-hand side, click Identity Sources.
5. Click the + (plus) button to open the Add Identity Source wizard.
6. In the wizard, keep the default identity source type, with 'Active Directory (Integrated Windows Authentication)' selected.

[Screenshot: vSphere Web Client, Administration > Configuration > Identity Sources, Add Identity Source, Active Directory (Integrated Windows Authentication)]

The next steps are self-explanatory: provide the Active Directory domain name and keep 'Use machine account' checked (this is the computer account created above when the vCenter server joined the domain). On Ready to complete, validate the settings and click Finish.

[Screenshot: Add Identity Source wizard, domain name and Service Principal Name (SPN) settings]

The Active Directory domain now appears under Identity Sources. Make it the default by selecting it and clicking the globe icon with the arrow.

[Screenshot: PSC SSO Configuration, Identity Sources tab (alongside Certificates, SAML Service Providers, Policies), Active Directory domain set as default]

Here I perform the extra step of adding an Active Directory domain user to the Administrators group in SSO.
1. Click Users and Groups in the Navigator pane.
2. On the Groups tab, select the Administrators group.
3. Click the Add Group Members button; this opens the Add Principals wizard.
4. In the Add Principals wizard, type the user or group name.
5. Click the Add button; the principal appears in the Users text box.
6. Click OK.
7. In Group Members the user is now listed and can perform administrative tasks on SSO.

[Screenshot: PSC SSO Users and Groups, Administrators group, Add Group Members]

Next, permissions can be assigned through Roles and Global Permissions, or on individual vCenter objects and entities.
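The same permission assignment can be done and, more importantly, reviewed from PowerCLI. The script below is an added example and not part of the original post; it assumes the VMware.PowerCLI module is installed, a vCenter named vcsa.corp.example that has been joined to a domain called CORP as above, an AD group CORP\vsphere-admins, and a cluster named Prod-Cluster. All of those names are placeholders. It first confirms that SSO can resolve the AD principal (so the identity source is actually working), lists what the principal already holds, then grants a scoped sample role on one cluster rather than Administrator at the root, and re-reads the result.

```powershell
# Added example (not from the original post): check that an AD principal is visible to SSO,
# review its existing vCenter permissions and grant a scoped role with PowerCLI.
# Assumptions: VMware.PowerCLI installed; vcsa.corp.example, domain CORP, group
# CORP\vsphere-admins and cluster Prod-Cluster are placeholders.
Import-Module VMware.PowerCLI

$vcServer  = 'vcsa.corp.example'        # assumed vCenter hostname
$domain    = 'CORP'                     # assumed AD domain (the IWA identity source)
$groupName = 'vsphere-admins'           # assumed AD group
$principal = "$domain\$groupName"       # DOMAIN\name form used for AD principals

Connect-VIServer -Server $vcServer | Out-Null

# 1. Get-VIAccount asks SSO to resolve the principal. An empty result means the AD
#    identity source is missing, not default, or the machine account join failed.
$account = Get-VIAccount -Group -Domain $domain -Name $groupName
if (-not $account) {
    throw "Principal $principal is not visible to SSO; check the identity source"
}

# 2. List every permission the principal already holds, on which object, and whether
#    it propagates down the inventory tree.
Get-VIPermission -Principal $principal |
    Select-Object Entity, Role, Propagate, IsGroup |
    Format-Table -AutoSize

# 3. Grant a built-in sample role on one cluster only, instead of Administrator at
#    the root folder. Propagate so child hosts and VMs inherit it.
$cluster = Get-Cluster -Name 'Prod-Cluster'                       # assumed cluster
$role    = Get-VIRole -Name 'Virtual machine power user (sample)' # built-in sample role
New-VIPermission -Entity $cluster -Principal $principal -Role $role -Propagate $true

# 4. Re-read the permission on that object to confirm it landed where intended.
Get-VIPermission -Entity $cluster -Principal $principal |
    Select-Object Entity, Role, Propagate

Disconnect-VIServer -Server $vcServer -Confirm:$false
```

Step 1 is the useful check: if the identity source was added but not set as default, or the domain join did not complete, the principal will not resolve and the permission would have been assigned to nothing.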

How does this help me improve forensic insight? With audit-quality recording (enhanced logging), vCenter collects logs about user activity so that IT teams can understand who did what, when and where in the event of a security threat or irregularity. Check the Tasks and Events views for the complete information. In the screenshot below I can clearly see and audit exactly which changes were made and by whom, which is also very useful when troubleshooting. For the demo I logged in as an AD user and performed some tasks, which I can then follow in Tasks and Events.
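Because users now sign in with individual AD accounts instead of a shared SSO administrator, the user name recorded on each event is attributable to a person, and the Tasks and Events data can be queried rather than only browsed. The script below is an added example, not code from the original post; it assumes the VMware.PowerCLI module, a placeholder vCenter vcsa.corp.example and the placeholder domain CORP. It pulls the last day of events, keeps those performed by AD users, prints who changed what and when, summarises activity per user, and separately lists the event classes a reviewer cares about most: permission and role changes plus failed logins.

```powershell
# Added example (not from the original post): query the vCenter event log for actions by
# AD users and pull out permission/role changes and failed logins for review.
# Assumptions: VMware.PowerCLI installed; vcsa.corp.example and domain CORP are placeholders.
Import-Module VMware.PowerCLI
Connect-VIServer -Server 'vcsa.corp.example' | Out-Null

$since  = (Get-Date).AddDays(-1)
$domain = 'CORP'

# Get-VIEvent returns vSphere Event objects. UserName, CreatedTime and
# FullFormattedMessage answer "who, when, what"; MaxSamples caps the pull on busy vCenters.
$events = Get-VIEvent -Start $since -MaxSamples 5000

# Keep only events carrying an AD identity (DOMAIN\user form). This drops system-generated
# noise such as alarm and health events that have no user attached.
$adEvents = $events | Where-Object { $_.UserName -like "$domain\*" }

# Who changed what, newest first, with the affected VM or host when the event has one.
$adEvents | Sort-Object CreatedTime -Descending |
    Select-Object CreatedTime, UserName,
        @{ n = 'Object'; e = { if ($_.Vm) { $_.Vm.Name } elseif ($_.Host) { $_.Host.Name } else { '' } } },
        @{ n = 'Type';   e = { $_.GetType().Name } },
        FullFormattedMessage |
    Format-Table -AutoSize -Wrap

# Per-user activity count: a quick way to spot an account doing far more than usual.
$adEvents | Group-Object UserName |
    Select-Object Name, Count | Sort-Object Count -Descending

# Security-relevant event classes from the vSphere API worth reviewing on their own:
# permission and role changes, plus failed logins (BadUsernameSessionEvent).
$watch = 'PermissionAddedEvent', 'PermissionUpdatedEvent', 'PermissionRemovedEvent',
         'RoleAddedEvent', 'RoleUpdatedEvent', 'RoleRemovedEvent',
         'BadUsernameSessionEvent'
$events | Where-Object { $watch -contains $_.GetType().Name } |
    Select-Object CreatedTime, UserName, FullFormattedMessage |
    Format-Table -AutoSize -Wrap

Disconnect-VIServer -Confirm:$false
```

The event type names come from the vSphere API event hierarchy; filtering on them is more reliable than matching message text, which changes between releases. For anything beyond a day or two, ship the same events to the syslog target from the linked article rather than re-querying vCenter, since the local event database is rotated.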

[Screenshot: vCenter 6.5 Monitor > Tasks and Events, showing who changed what]

Useful Articles
vSphere ESXi security best practices: Time configuration - (NTP) Network Time Protocol
Configure syslog on VMware ESXi hosts: VMware best practices
