After installing a new vCenter Server in my office, everyone, including my colleagues, was logging in to vCenter with the administrator@vsphere.local account. (When vCenter Server is installed, a default vsphere.local SSO directory is created in the PSC (Platform Services Controller). vCenter Single Sign-On (SSO) is an authentication broker and acts as a security token exchange. By default the Administrator user in the vsphere.local domain has complete global rights and privileges, and a shared account gives no accountability for who did what.) I wanted to add my Microsoft Active Directory users and groups to vCenter so I could assign permissions to individual people and monitor and audit vCenter tasks and events per user. Before adding my domain to vCenter SSO in the PSC, I created a few users and a group in Microsoft AD. My AD domain name is vcloud-lab.com. I created a group named vCenterAdmins, and all my vCenter administrator users are members of this group, as shown in the screenshot below.
Configuring vCenter PSC Single Sign-On with an Active Directory (LDAP) identity source
SSO administration and configuration is done through the vSphere Web Client; it is not available in the old vSphere desktop (C#) client. The vSphere Web Client URL is https://<vCenter FQDN or IP>/vsphere-client. Log in as administrator@vsphere.local with the password you set during vCenter Server installation. The complete step-by-step installation can be found at PART 2 : VCENTER SERVER 6.0 INSTALLATION ON WINDOWS 2012 R2.
Once logged in, on the Home page click Administration in the left navigator pane. This opens the SSO administration section.
On the left side expand Single Sign-On >> Configuration >> Identity Sources and click the green + button. Other SSO settings are configured here as well, such as the SSO user password and lockout policies and certificates.
In the Add identity source popup box, choose Active Directory as an LDAP Server (not Active Directory (Integrated Windows Authentication), which requires the PSC itself to be joined to the domain; the LDAP type works without a domain join). Make sure every field is filled in correctly:
Name: a friendly name for the identity source, usually the Active Directory domain name
Base DN for users: DN of the OU or container where the users reside (for example OU=vcloud-users,DC=vcloud-lab,DC=com)
Domain Name: Active Directory DNS domain name (vcloud-lab.com)
Domain alias: Active Directory NetBIOS name (VCLOUD-LAB)
Base DN for groups: DN of the OU or container where the groups reside
Primary Server URL: ldap://vcloud-lab.com:389 (for an encrypted connection use ldaps://vcloud-lab.com:636; replace vcloud-lab.com with your domain name or a domain controller FQDN). With plain ldap:// the bind account password and all directory traffic cross the network in clear text, so prefer ldaps://; the dialog then asks you to upload the domain controller's SSL certificate so vCenter can verify the server.
Secondary Server URL: for redundancy, the LDAP URL of another domain controller
Username: the AD account vCenter uses to bind to the directory. It needs only read access to the two Base DNs, so use a dedicated service account rather than a Domain Admin; vCenter stores this password.
Password: that AD account's password
If you are unsure about the DN (distinguished name), you can find it in Active Directory: open Active Directory Users and Computers (dsa.msc), right-click the OU where your users and groups reside (in my case both are in the same vcloud-users OU), choose Properties, go to the Attribute Editor tab, find distinguishedName, select it and click View, copy the string (4th point in the screenshot) and paste it into the Add identity source dialog above. (If the Attribute Editor tab is not visible, enable Advanced Features from the View menu.)
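Everything the dialog asks for can also be pulled straight out of AD instead of hunting through Attribute Editor. The following is an added PowerShell example, not part of the original post, run from a domain-joined Windows machine with the RSAT ActiveDirectory module. The OU name vcloud-users and the group vCenterAdmins are from the post; the bind account name svc-vcenter-ldap is an assumption, as is the idea that you already created such a least-privilege account. The script also checks that LDAPS (636) is actually listening on the domain controllers and warns if the bind account is a Domain Admin.

```powershell
# Added example (not from the original post): collect the values for the
# "Add identity source" dialog from AD and sanity-check them.
Import-Module ActiveDirectory

$OuName      = 'vcloud-users'       # OU holding users and groups (from the post)
$AdminGroup  = 'vCenterAdmins'      # group that will get the Administrator role (from the post)
$BindAccount = 'svc-vcenter-ldap'   # ASSUMED dedicated read-only bind account

$domain = Get-ADDomain
$ou = @(Get-ADOrganizationalUnit -Filter "Name -eq '$OuName'")
if ($ou.Count -eq 0) { throw "OU '$OuName' not found in $($domain.DNSRoot)" }
if ($ou.Count -gt 1)  { throw "More than one OU named '$OuName'; choose the DN explicitly" }
$ou = $ou[0]

# The first two domain controllers become the primary and secondary server URLs.
$dcs = @($domain.ReplicaDirectoryServers | Select-Object -First 2)
$secondaryUrl = if ($dcs.Count -gt 1) { "ldaps://$($dcs[1]):636" } else { '' }

[pscustomobject]@{
    'Name'                 = $domain.DNSRoot
    'Base DN for users'    = $ou.DistinguishedName
    'Domain Name'          = $domain.DNSRoot
    'Domain alias'         = $domain.NetBIOSName
    'Base DN for groups'   = $ou.DistinguishedName   # same OU in the post; change if groups live elsewhere
    'Primary Server URL'   = "ldaps://$($dcs[0]):636"
    'Secondary Server URL' = $secondaryUrl
    'Username'             = "$($domain.NetBIOSName)\$BindAccount"
} | Format-List

# Confirm LDAPS is reachable before pasting the URLs into the dialog.
foreach ($dc in $dcs) {
    $open = Test-NetConnection -ComputerName $dc -Port 636 -InformationLevel Quiet
    $state = if ($open) { 'open' } else { 'CLOSED (ldap://:389 only, binds in clear text)' }
    '{0,-35} LDAPS 636: {1}' -f $dc, $state
}

# vCenter stores the bind password, so the account must be low privilege.
$bindGroups = Get-ADPrincipalGroupMembership -Identity $BindAccount | Select-Object -ExpandProperty Name
if ($bindGroups -contains 'Domain Admins') {
    Write-Warning "$BindAccount is a member of Domain Admins; use a read-only service account instead"
}

# Show exactly who will become a vCenter administrator through the group (nested members included).
Get-ADGroupMember -Identity $AdminGroup -Recursive | Select-Object Name, SamAccountName, objectClass
```

The recursive group listing is worth running before you assign the role: anyone nested into vCenterAdmins through another group will inherit full Administrator rights on vCenter, which is easy to miss in the ADUC view of the group.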
I am making the newly added domain the default. Click the domain, then click the Default button as in the screenshot below. A warning appears: This will alter your current default domain. Do you want to proceed? Press Yes to proceed. (This way I don't have to specify the domain when logging in; administrator@vsphere.local still works if typed in full.)
Next is assigning permissions on vCenter objects. Click the Home button to go to the inventory, choose Hosts and Clusters, and select the vCenter Server in the left navigator pane.
In my case I am granting access on the whole vCenter Server object. It is also possible to grant access on a virtual datacenter, an ESXi host, virtual machines, networks or a datastore for more isolated access provisioning; that is the least-privilege choice when a team only needs part of the inventory. Select the Manage tab, click Permissions, then click the green + icon. The next screen lists the Roles (several default roles ship with vCenter, e.g. Read-only and Administrator). I intend to give the Administrator role to my group, and with Propagate to children checked it applies to every object below vCenter. Click Add to choose the users or groups the role should be assigned to. In the Domain drop-down select the newly added Active Directory domain. As in the first screenshot of this article, I created the vCenterAdmins group ahead of time, and all my vCenter administrators are members of it. Search for the group, add it, and click OK twice to apply the permission.
The added group should look like below.
Now I confirm that the domain group has been added with the Administrator role, and that the permission is defined on the vCenter object and propagates to its children.
Next I log out of the vSphere Web Client by clicking administrator@vsphere.local in the upper right corner, and try logging in with a domain user to verify.
At the top right I can see I am logged in with the domain account. I can create or modify some objects in vCenter to verify the correct roles and privileges were assigned. From now on such changes show up in the vCenter tasks and events under the individual user's name instead of the shared administrator@vsphere.local account, which was the point of the exercise.
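The same permission assignment and verification can be scripted with VMware PowerCLI, which is handy for repeating it on several vCenters or auditing what is already granted. This is an added example, not code from the original post: the vCenter FQDN vcsa.vcloud-lab.com and the test user vcadmin1 are assumptions; the domain vcloud-lab.com, the group vCenterAdmins and the Administrator role with propagation are what the post configures in the GUI.

```powershell
# Added example (not from the original post): assign the Administrator role to the
# AD group on the vCenter root with propagation, audit all permissions, then log in
# as a domain user and confirm the events carry that user's name.
Import-Module VMware.VimAutomation.Core

$VCenter    = 'vcsa.vcloud-lab.com'   # ASSUMED vCenter FQDN
$AdDomain   = 'vcloud-lab.com'        # identity source added in the post
$AdminGroup = 'vCenterAdmins'         # AD group from the post
$TestUser   = "vcadmin1@$AdDomain"    # ASSUMED member of vCenterAdmins

# Step 1: as the SSO administrator, grant the role.
Connect-VIServer -Server $VCenter -Credential (Get-Credential 'administrator@vsphere.local') | Out-Null

$root  = Get-Folder -NoRecursion               # root folder = the vCenter Server object in the GUI
$role  = Get-VIRole -Name 'Administrator'
$group = Get-VIAccount -Group -Domain $AdDomain -Id $AdminGroup -ErrorAction SilentlyContinue
if (-not $group) { throw "Group '$AdminGroup' not found in identity source '$AdDomain'; check the Base DN for groups" }

# Idempotent: only create the permission if it is not already there.
$existing = Get-VIPermission -Entity $root -Principal $group -ErrorAction SilentlyContinue
if (-not $existing) {
    $existing = New-VIPermission -Entity $root -Principal $group -Role $role -Propagate:$true
}
'{0} -> {1} on {2}, propagate={3}' -f $existing.Principal, $existing.Role, $existing.Entity.Name, $existing.Propagate

# Step 2: audit every permission in the inventory so nothing unexpected is lurking
# (e.g. a leftover Administrator grant to an individual user).
Get-VIPermission |
    Select-Object @{n = 'Entity'; e = { $_.Entity.Name }}, Principal, Role, Propagate, IsGroup |
    Sort-Object Entity, Principal |
    Format-Table -AutoSize

Disconnect-VIServer -Server $VCenter -Confirm:$false

# Step 3: prove the grant works without the shared administrator@vsphere.local account.
Connect-VIServer -Server $VCenter -Credential (Get-Credential $TestUser) | Out-Null
"Logged in as: $($global:DefaultVIServer.User)"

# Make a harmless change and undo it; both operations generate tasks/events.
$folder = New-Folder -Name 'vCenterAdmins-perm-test' -Location (Get-Folder -NoRecursion)
Remove-Folder -Folder $folder -Confirm:$false

# The UserName column should now show the domain user, not administrator@vsphere.local.
Get-VIEvent -MaxSamples 10 |
    Select-Object CreatedTime, UserName, FullFormattedMessage |
    Format-Table -Wrap

Disconnect-VIServer -Server $VCenter -Confirm:$false
```

If the Get-VIAccount lookup returns nothing even though the group exists in AD, the usual cause is a Base DN for groups that does not contain the group, which is the same mistake that makes the group invisible in the Web Client's Add permission search.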