vSphere: Setup Domain Authentication via PSC

KB ID 0001442

Problem

If you separate your PSC (Platform Services Controller) and your vCenter, then you can setup domain authentication on your PSC.

Solution

Log into the web console of the PSC > Appliance Settings > Manage > Active Directory > Join > Supply a the domain name, a domain username and password > OK.

You will see it has been successful as now you have a ‘Leave‘ button.

Configuration > Identity Sources > Add.

Set Identity source type to ‘Active Directory (Integrated Windows Authentication)’ > Enter the domain name > ‘use machine account’ > OK.

Select the newly added domain > Click “Set as Default Domain‘.

Users and Groups > Groups > Administrators > Add.

Change the domain to your Windows domain > Search for your Group. (Note: I have created a group called VMware_Admins, you might simply want to use Domain Admins) > OK.

Select the group > Add.

Swap Over To Your vCenter Server

Select the vCenter > Permissions > Select the Administrator Role > Add.

Just as above, change domain and search for your group then add it in.

Related Articles, References, Credits, or External Links

NA

vSphere – Adding Domain Users/Groups to vCenter

KB ID 0001063

Problem

Note: This article is for vSphere 6, for vSphere 7 and vSphere 8 see the following article.

vCenter Domain Authentication

Despite my best efforts to keep working with the VMware VI client, my recent move to a MAC has finally forced me to start using the web client. So when I rebuilt my vCenter this week, I went out of my way to use that.

Note: If you have your vCenter and Platform Services Controller (PSC) separated, the use the following article instead;

vSphere: Setup Domain Authentication via PSC

Solution

I’m assuming you have a default install of vCenter and you have also installed the SSO options (this would be the default). You should also have taken note of the administrator@vsphere.local password you entered when you installed vCenter.

1. Log into the vCenter with the vSphere Web Client, as administrator@vsphere.local

URL will be https://{IP or Hostname}:9443

Navigate to Administration > Single Sign On > Configuration > Identity Sources > Select your domain and set it as the default domain.

2. Note: If your domain is not listed (you didn’t add it during the install of vCenter for example), then simply add it first.

3. Users and Groups > Groups > Administrators > Add > Change the domain to yours > Locate the user (or group) > Add > OK.

4. Now you need to grant rights, the simplest way is to grant rights at the vCenter level, and then those rights will cascade down to the Datacenter(s), Clusters, Hosts, and Virtual Machines.
Home > vCenter Servers > Select your vCenter > Manage > Permissions > Add.

5. Select the Administrator role > Add > Select your domain > Locate the users and groups you want to ad > Add > OK.

 

Related Articles, References, Credits, or External Links

Add Domain Authentication To The vCenter Server Appliance

Microsoft Edge Can’t Be Opened Using The Built-In Administrator Account

KB ID 0001096 

Problem

Not only the built in administrator account, if you try and open Microsoft Edge whilst logged in as the Domain Administrator you will also see the same error message.

To be honest this is a good thing, you shouldn’t be doing something potentially dangerous like going on the Internet as the administrator anyway. However for my test Windows 10 machine on the bench I’m not really bothered, I just want it to work,

Solution

Enable Microsoft Edge for Administrators (one machine)

1. From the Start/Run menu type and execute secpol.msc (local security policy editor).

2. Navigate to;

[box]Security Settings > Local Policies > Security Options > User Account control: Admin Approval Mode for the Built-in Administrator account[/box]

3. Set the policy to ‘Enabled’ >Apply > OK.

4. Reboot.

5. Boom! There it is.

Enable Microsoft Edge for Administrators (Multiple Domain Machines via GPO)

Warning: With great power comes great responsibility, if you have some test machines in one OU and you want to do this for them, thats fine. But REMEMBER this setting is a good thing DO NOT go linking this GPO to the root of your domain!

1. On a DC or a machine with the RSAT tool installed, Launch Group Policy Editor. Create a new GPO or edit and existing one.

2. Navigate to;

[box]Computer Configuration >Policies > Windows Settings > Security Settings > Local Policies > Security Options > User Account control: Admin Approval Mode for the Built-in Administrator account[/box]

3. Set the policy to ‘Enabled’ > Apply > OK.

4. Close the Group Policy Management Editor. If you have a Windows 2012 domain you can force the policy refresh on a particular OU, or simply run ‘gpupdate /force’ on the target machine, (or you could also wait a couple of hours, or simply reboot the target machines).

Enable Microsoft Edge for Administrators (one machines via the registry)

‘Home’ editions of windows have local policy editing options, for those you will have to edit the registry directly.

1. Open regedit.

2. Navigate to;

[box]HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft >Windows > CurrentVersion > Policies > System[/box] Locate and set the value of ‘FilterAdministratorToken’ (Note: You may need to create the 32-bit DWORD,) to 1.

3. Navigate to;

[box]HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft > Windows > CurrentVersion > Policies > System > UIPI[/box]

Locate and set the value of ‘(Default)’ to 1.

Related Articles, References, Credits, or External Links

NA