vCenter Domain Authentication

vCenter Domain Authentication KB ID 0001854

Problem

Note: This procedure uses vCenter 8.0 Update 2, (the process is the same for vSphere 7).

When you setup your VCSA you will have configured SSO, in most cases accepting the default SSO domain of vsphere.local. But If you want to log into VMware you probably want your identify source to be AD (to use you existing usernames and passwords).

Note: In this example I will grant administrative access to the domain admins group, in production you probably will want to create some new AD groups and look at the principles of least privilege.

Update: 24/10/24 Note: People see the following information.

Integrated Windows Authentication will be depreciated in vSphere 7.0

And think they cannot do Domain or Active Directory authentication and RBAC anymore. THAT IS NOT THE CASE, IWA was developed back when we had vCenter running on Windows machines not appliances, this carried on into VCSA but then it had to be joined to a domain like so, it made sense THEN to have IWA, NOW we can simply use LDAP/LDAPS.

Solution: vCenter Domain Authentication

Once logged into vCenter, changing views is done by clicking the ‘three lines’ at the top left of the screen, navigate to Administration > Single Sign On > Configuration > Identity Provider > Active Directory Domain > Join AD.

Supply the domain name and some credentials that have the rights to join a machine to the domain > Join.

Nothing Happens! Don’t worry that’s normal, nothing will change (and you can’t’ progress) until you’ve rebooted the VCSA.

While its rebooting you can check in you AD and you will see the computer object has been created for the VCSA.

Have some patience, once the VCSA has rebooted and all the services are back online you will see the display has changed to show the domain information, you can now proceed.

Identity Source > Add.

Change the drop down to Active Directory over LDAP.

Enter the details to join the domain, the account you use to ‘bind’ to active directory can be a simple ‘domain user’. Fill in the fields and select ‘Add’.

Now select the domain you just added and ‘set as default > confirm by pressing ‘OK’.

Users and Groups > Groups > Select Administrators > Edit.

Change the domain to your AD domain > Search for Domain Admins > Add that group.

You can now authenticate into the VCSA with an account thata is a member of that AD group.

 

Related Articles, References, Credits, or External Links

(vSphere 6) vSphere – Adding Domain Users/Groups to vCenter

Deploying and Configuring The vCenter Server Appliance