Virtual Geek

Tales from real IT system administrators world and non-production environment

ADDING AND CONFIGURING VMWARE VSPHERE VCENTER SSO ACTIVE DIRECTORY AS LDAP SERVER

September 21, 2016 11:09PM

After installing my new vCenter Server in my office, I (and my colleagues) were using the Administrator@vsphere.local account every time we logged in to the vCenter Server. (After installing vCenter Server, a default vsphere.local SSO directory service is created in the PSC (Platform Services Controller); vCenter Single Sign-On (SSO) is an authentication broker and acts as a security token exchange. Currently the user Administrator in the vsphere.local domain has complete global rights and privileges.) I wanted to add my Microsoft Active Directory users and groups to vCenter so that I could assign permissions accordingly and monitor and audit vCenter tasks and events. Before adding my domain in the PSC (Platform Services Controller) vCenter SSO (Single Sign-On), I had configured a few users and groups in Microsoft AD beforehand. My AD domain name is vcloud-lab.com. I have created one group named vCenterAdmins, and all my vCenter administrator users are members of this group, as shown in the screenshot below.

Screenshot: Active Directory Users and Computers showing the vCenter users and the vCenterAdmins group

SSO administration and configuration is done through the vSphere Web Client; it is not available in the old vSphere desktop client. The link for the vSphere Web Client is https://<vCenter FQDN or IP>/vsphere-client. The Administrator@vsphere.local password is the one set during installation of vCenter Server. A complete step-by-step installation can be found at this link: PART 2 : VCENTER SERVER 6.0 INSTALLATION ON WINDOWS 2012 R2

Screenshot: vSphere Web Client login as administrator@vsphere.local

Once logged in successfully, on the Home page click Administration in the left-side Navigator pane. This opens the SSO administration section.

Screenshot: vSphere Web Client, SSO administration and configuration

On the left side expand Single Sign-On >> Configuration >> Identity Sources and click the green + button. Other SSO configuration can also be done here, such as SSO user password policies, certificates, etc.

Screenshot: vSphere Web Client, Single Sign-On configuration, Identity Sources

In the Add identity source popup box, choose Active Directory as an LDAP Server. Make sure you fill in all the information correctly.
Name: Active Directory domain name
Base DN for users: the OU or container where the users reside.
Domain Name: Active Directory domain name
Domain alias: Active Directory NetBIOS name
Base DN for groups: the OU or container where the groups reside.
Primary Server URL: ldap://vcloud-lab.com:389 (for a secure connection use ldaps://vcloud-lab.com:686; change vcloud-lab.com to your domain name)
Secondary Server URL: for redundancy, add the LDAP URL of another domain controller.

Username: AD account name
Password: AD account password

Screenshot: vSphere SSO Add identity source, Active Directory as an LDAP Server, connection established

If you are unsure about the DN (distinguished name), you can find it in Active Directory. Open Active Directory Users and Computers (DSA.MSC). Right-click the OU where the users and groups reside (in my case both are in the same vcloud-users OU), choose Properties, go to the Attribute Editor tab, find distinguishedName, select it and click View, copy the string (4th point) and use it in the Add identity source screenshot above. (If the Attribute Editor tab is not visible, go to the View menu bar at the top and click Advanced options.)

Screenshot: Active Directory, finding the distinguished name of an object in the Attribute Editor

I am making the newly added domain the default. Click on the domain, then click the default button as in the screenshot below. A warning message appears: "This will alter your current default domain. Do you want to proceed?" Press Yes to proceed. (By doing this I don't need to specify the domain when logging in.)

Screenshot: vSphere Web Client, SSO Identity Sources, setting the default domain

Next is assigning permissions on the vCenter objects. Click the Home button to explore the inventory, choose Hosts and Clusters, and select the vCenter Server in the left Navigator pane.

Screenshot: vSphere Web Client Home, Hosts and Clusters

Once vCenter is selected (in my case I am providing access on the complete vCenter; it is also possible to provide access on a virtual datacenter, ESXi host, virtual machines, networks or datastore for isolated access provisioning), select the Manage tab, then click the Permissions button. There is a green + (plus) icon; click it. The next screen is populated with Roles (several default roles come with vCenter, i.e. Read-only and Administrator). I intend to provide Administrator access to the users and groups, which will be propagated to all the objects below once the Propagate to children option is selected. Click the Add button to add the users or group to whom the Administrator role needs to be assigned. In the Domain drop-down box select the newly added Active Directory domain. As in the first screenshot in this article, I have already created one group, vCenterAdmins, ahead of time, and all my vCenter administrator users are members of this group. I will search for the required group and add it; clicking OK twice applies the permission.

Screenshot: vSphere Web Client, Manage Permissions, adding the Administrator role for users and groups with Propagate to children

The added group should look like the screenshot below.

Screenshot: vCenter Server Add permissions, assigning roles to users and groups

I will now confirm the domain group has been added, that it has sufficient permissions and the Administrator role is assigned, and that they are defined on the vCenter object and its children.

Screenshot: vSphere Web Client Manage Permissions, user group with Administrator role propagated to children

Now I will log out of the vSphere Web Client by clicking Administrator@vsphere.local in the upper right corner, and try logging in with a domain user to verify.

Screenshot: vSphere Web Client login with a domain user

Here on the top right side I can see I am logged in with the domain user account. I can create or modify some objects in vCenter and verify that I have assigned the correct roles and privileges.

Screenshot: vSphere Web Client, successful login with a domain user
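Before typing the identity source settings into the web client, it is worth sanity-checking them. The following Python is an added example (not the article's or VMware's code): it checks that both Base DNs sit inside the domain, flags a plain ldap:// URL (the bind account's password then travels unencrypted) or an ldaps:// URL on a port other than 636, the registered LDAPS port, and shows why an account whose DN lies outside the Base DN for users is never found by the search. The vcloud-users OU DN is constructed from the article's description, and the DN splitter assumes no escaped commas.

```python
"""Sanity-check a vCenter SSO 'Active Directory as an LDAP Server' identity
source.  Added example, not from the article; DNs are constructed."""
from urllib.parse import urlsplit

LDAPS_PORT = 636  # IANA-registered LDAPS port

def domain_to_dn(domain: str) -> str:
    """'vcloud-lab.com' -> 'DC=vcloud-lab,DC=com'."""
    return ",".join(f"DC={label}" for label in domain.lower().split("."))

def split_dn(dn: str) -> list:
    """Split a DN into normalised RDNs (assumes no escaped commas)."""
    return [rdn.strip().lower() for rdn in dn.split(",") if rdn.strip()]

def is_under_base(dn: str, base_dn: str) -> bool:
    """True when dn is at or below base_dn.  SSO searches only under the
    configured Base DN, so an account outside it is never found."""
    d, b = split_dn(dn), split_dn(base_dn)
    return len(d) >= len(b) and d[len(d) - len(b):] == b

def check_identity_source(cfg: dict) -> list:
    """Return human-readable findings; an empty list means nothing flagged."""
    findings = []
    domain_dn = domain_to_dn(cfg["domain"])
    for key in ("user_base_dn", "group_base_dn"):
        if not is_under_base(cfg[key], domain_dn):
            findings.append(f"{key} {cfg[key]!r} is outside {domain_dn}")
    for key in ("primary_url", "secondary_url"):
        u = urlsplit(cfg.get(key) or "")  # empty scheme when URL not set
        if u.scheme == "ldap":
            findings.append(f"{key} is plain ldap://: the bind account password "
                            "crosses the network unencrypted; use ldaps://")
        elif u.scheme == "ldaps" and u.port not in (None, LDAPS_PORT):
            findings.append(f"{key} port {u.port} is not LDAPS port {LDAPS_PORT}")
    return findings

# Constructed settings mirroring the article (vcloud-lab.com, vcloud-users OU).
ARTICLE_CFG = {
    "domain": "vcloud-lab.com",
    "user_base_dn": "OU=vcloud-users,DC=vcloud-lab,DC=com",
    "group_base_dn": "OU=vcloud-users,DC=vcloud-lab,DC=com",
    "primary_url": "ldap://vcloud-lab.com:389", "secondary_url": None,
}

if __name__ == "__main__":
    for finding in check_identity_source(ARTICLE_CFG):
        print("WARN:", finding)
```

Run against the article's settings it reports one warning, the unencrypted ldap:// primary URL; swapping in an ldaps:// URL on port 636 clears it.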


Thank you for the beautiful explanation. I have a similar configuration. But then the user can log in to the vCenter only if he is a member of the OU along with the group, as in your scenario. But if he is only a member of the VMware Admin group, then the user cannot log in.

Just in your case, if vcenteruser is not a member of vcloud-users, will the user be able to log in? Because he is already a member of vcentrgroup and this OU is added.

Thanks Sunil, for the comments.

As discussed on the chat it looks like a bug, but I am not sure; I need to check with VMware.
