In my one of the earlier article I shown ADDING AND CONFIGURING VMWARE VSPHERE VCENTER SSO ACTIVE DIRECTORY AS LDAP SERVER, That was one of the security best practices, Here I am going to perform the same task but will use Active directory integrated windows authentication way instead. For this few more steps need to configured on vCenter server. First step is vCenter server need to join into Active directory. Login onto vCenter server, click home icon button.
1. Under Administration, click System Configuration icon.
2. Click vCenter server in the Navigator.
3. On the right side, choose Manage tab.
4. In the Settings from list select Active Directory.
5. Click Join button.
6. Type Domain name, User name and password (user must have permissions to join computers in AD). After pressing ok, reboot the vCenter node manually to apply these changes.
Once server is restarted, check domain shows active directory name successfully.
Deploy install VCSA (vCenter server appliance 6.5) on VMWare Workstation
Next start configuring vSphere PSC SSO. these steps are as same as joining computer into domain.
1. Click home button on the top.
2. Choose Administration to open advanced PSC (Platform services controller) settings.
3. In the navigator, click configuration.
4. On the right hand side, click the Identity sources,
5. Click + plus button to open Add identity Source wizard.
6. On the Identity source wizard, keep default in Select identity source type and keep checked 'Active Directory (Integrated Windows Authentication)' option.
Next steps are self explanatory, Provide Active directory domain name (Keep checked use machine account - The above configured account - join vCenter server into domain). On Ready to complete, validate settings and click Finish.
Active directory domain can be seen added in identity Sources, Make it default by clicking world icon with right side arrow.
Here I am configuring extra steps and adding Active directory domain user in administrators group on SSO.
1. Click Users and Groups in the Navigator pane.
2. In the Groups tab, select Administrators group.
3. Click Add Group members button, This opens Add Principals wizard.
4. In the Add Principals Wizard, type user or Group name,
5. Click Add button, this will shown on users text box.1
6. Click Ok.
7. In the Group Members you will see, user is added in the list, now this user can perform administrative task on SSO.
Next permissions can be assigned on Roles and Global permissions, or vCenter object and entities.
How does this help me to improve forensic insights with Audit-Quality Recording enhanced Logging, Collect logs about user activities so that IT teams can understand who did what, when, and where in the incident of a security threat or irregularity. Check task and event information to view complete information. As below screenshot I can clearly check and audit exactly what changes has been done by whom. This is very good from troubleshooting issues perspective. To see the demo, I have logged in with AD user. and performed some task, which I can monitor in Tasks and Events.
Userful Articles
VMWARE SECURITY BEST PRACTICES: POWERCLI ENABLE OR DISABLE ESXI SSH
vSphere ESXi security best practices: Time configuration - (NTP) Network Time Protocol
Configure syslog on VMware ESXi hosts: VMware best practices
