vCenter Domain Authentication

vCenter Domain Authentication KB ID 0001854

Problem

Note: This procedure uses vCenter 8.0 Update 2 (the process is the same for vSphere 7).

When you set up your VCSA you configured SSO, in most cases accepting the default SSO domain of vsphere.local. But if you want to log in to VMware with your existing usernames and passwords, you probably want your identity source to be Active Directory.

Note: In this example I will grant administrative access to the Domain Admins group; in production you will probably want to create dedicated AD groups for vCenter access and follow the principle of least privilege.

Update 24/10/24: People see the following notice from VMware:

Integrated Windows Authentication will be deprecated in vSphere 7.0

and conclude that they can no longer do domain (Active Directory) authentication and RBAC. THAT IS NOT THE CASE. IWA was developed back when vCenter ran on Windows machines rather than appliances; it carried over into the VCSA, but then the appliance had to be joined to the domain for it to work. That made sense THEN; NOW we can simply use Active Directory over LDAP (ideally LDAPS), which only needs a bind account and the URL of a domain controller.

Solution: vCenter Domain Authentication

Once logged into vCenter, change views by clicking the ‘three lines’ (menu) icon at the top left of the screen, then navigate to Administration > Single Sign On > Configuration > Identity Provider > Active Directory Domain > Join AD.

Join vCenter to Domain

Supply the domain name and credentials that have the rights to join a machine to the domain > Join. (The join account only needs the right to create computer objects, which can be delegated; it does not need to be a Domain Admin.)

Join vCenter to AD

Nothing happens! Don’t worry, that’s normal: nothing will change (and you can’t progress) until you have rebooted the VCSA.

Reboot VCSA

While it is rebooting you can check in your AD, and you will see that the computer object for the VCSA has been created.

vCenter in AD VCSA

Have some patience. Once the VCSA has rebooted and all the services are back online, the display changes to show the domain information, and you can proceed. (From the appliance shell, /opt/likewise/bin/domainjoin-cli query also reports the joined domain.)

Check vCenter domain membership

Identity Sources > Add.

vCenter Identity Source Windows

Change the drop-down to Active Directory over LDAP.

vCenter Active Directory over LDAP

Enter the details for your domain. The account used to ‘bind’ to Active Directory can be a simple ‘domain user’ (it only reads the directory), but make it a dedicated service account rather than a personal or admin account, because its password is stored on the VCSA. For the server URLs prefer ldaps:// (port 636, or 3269 for the global catalog) and upload the domain controller’s certificate when prompted; a plain ldap:// bind on 389 sends the bind password across the network in clear text. Fill in the fields and select ‘Add’.

vCenter Active Directory over LDAP
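Before filling in that dialog, it helps to prove that the domain join completed, that a domain controller is actually offering LDAPS, and that the bind account is as low-privilege as intended. The following PowerShell script is an added pre-flight check, not part of the original article and not VMware code. It runs on a domain-joined Windows admin workstation with RSAT (the ActiveDirectory module) and assumes the domain petenetlive.com, a VCSA computer object named vcenter and a bind account named svc-vcenter-ldap; change those for your environment.

```powershell
# Added pre-flight checks for the "Active Directory over LDAP" identity source.
# Not from the original article. ASSUMPTIONS: domain petenetlive.com, VCSA
# computer object "vcenter", dedicated bind account "svc-vcenter-ldap".
Import-Module ActiveDirectory

$Domain      = 'petenetlive.com'     # assumption
$VcsaName    = 'vcenter'             # assumption: object created by the AD join
$BindAccount = 'svc-vcenter-ldap'    # assumption: dedicated low-privilege bind user

# 1. Confirm the domain join really created the VCSA computer object.
$vcsa = Get-ADComputer -Filter "Name -eq '$VcsaName'" -Properties OperatingSystem, whenCreated
if (-not $vcsa) { throw "No computer object named $VcsaName - the VCSA join did not complete." }
"VCSA object: $($vcsa.DistinguishedName) (created $($vcsa.whenCreated))"

# 2. Locate a domain controller from the DNS SRV record instead of guessing a name.
$dc = (Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV |
       Where-Object { $_.Type -eq 'SRV' } | Select-Object -First 1).NameTarget
"Using domain controller: $dc"

# 3. LDAPS must answer on 636; a bind on 389 would send the bind password in clear text.
if (-not (Test-NetConnection -ComputerName $dc -Port 636 -InformationLevel Quiet)) {
    throw "$dc is not listening on 636 - fix the DC certificate before using ldaps://."
}

# 4. Fetch the certificate the DC presents and save it as PEM for the vCenter dialog.
#    The validation callback returns $true only because we are retrieving, not trusting.
$tcp = New-Object System.Net.Sockets.TcpClient($dc, 636)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false,
        ([System.Net.Security.RemoteCertificateValidationCallback]{ $true }))
$ssl.AuthenticateAsClient($dc)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Close(); $tcp.Close()
$pem = "-----BEGIN CERTIFICATE-----`n" +
       [Convert]::ToBase64String($cert.Export('Cert'), 'InsertLineBreaks') +
       "`n-----END CERTIFICATE-----"
Set-Content -Path ".\${dc}-ldaps.pem" -Value $pem -Encoding ascii
"DC certificate: subject=$($cert.Subject) thumbprint=$($cert.Thumbprint) expires=$($cert.NotAfter)"
if ($cert.NotAfter -lt (Get-Date)) { Write-Warning "The DC certificate has expired; vCenter will refuse the LDAPS bind." }

# 5. The values the identity-source dialog asks for.
$baseDn = (Get-ADDomain -Identity $Domain).DistinguishedName   # e.g. DC=petenetlive,DC=com
[pscustomobject]@{
    'Primary server URL' = "ldaps://${dc}:636"
    'Base DN for users'  = $baseDn
    'Base DN for groups' = $baseDn
    'Username'           = "$BindAccount@$Domain"
}

# 6. Check the bind account is a plain user: enabled, not in any privileged group, and
#    with a password that will not silently expire and break every AD login to vCenter.
$bind = Get-ADUser -Identity $BindAccount -Properties MemberOf, PasswordNeverExpires, Enabled
$privileged = $bind.MemberOf |
    Where-Object { $_ -match '^CN=(Domain Admins|Enterprise Admins|Administrators|Schema Admins),' }
if ($privileged)              { Write-Warning "Bind account is in a privileged group: $privileged" }
if (-not $bind.Enabled)       { throw "Bind account $BindAccount is disabled." }
if (-not $bind.PasswordNeverExpires) { Write-Warning "Bind password will expire; plan a rotation or AD logins to vCenter will stop." }
```

The PEM file it writes is what you browse to in the Certificate field when the URL is ldaps://. If the DC certificate was issued by an enterprise CA, the issuing CA certificate is the usual choice instead, because it survives DC certificate renewals.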

Now select the domain you just added > ‘Set as Default’ > confirm by pressing ‘OK’.

vCenter Active Directory Set Default

Users and Groups > Groups > select Administrators > Edit. (This is the vsphere.local Administrators SSO group: anything you add here becomes a full vCenter administrator and can also manage SSO itself, identity sources included, which is why a dedicated AD group is preferable in production.)

vCenter Active Directory Group Authentication

Change the domain to your AD domain > search for Domain Admins > add that group.

vCenter Domain Admins Group Authentication

You can now log in to the VCSA (as DOMAIN\user or user@domain) with an account that is a member of that AD group.

vCenter Domain Admins Group Authentication
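The step above puts Domain Admins into the SSO Administrators group, which is the quickest route but the least-privilege note at the top of the article suggests something narrower. The PowerCLI script below is an added example of that alternative, not part of the original article and not VMware’s own code: it creates dedicated AD groups, grants one of them the built-in Admin role at the inventory root (full inventory control without SSO administrator rights) and gives the other a custom role limited to VM power and console operations, then logs in as an AD user to prove the identity source works. It assumes the domain petenetlive.com, vCenter at vcenter.petenetlive.com, the group names shown, and an operator test account named opuser; all of these are assumptions.

```powershell
# Added least-privilege alternative to adding "Domain Admins" to vsphere.local\Administrators.
# Not from the original article. Requires RSAT (ActiveDirectory) and PowerCLI
# (Install-Module VMware.PowerCLI). ASSUMPTIONS: domain petenetlive.com, vCenter
# vcenter.petenetlive.com, group names below, operator test account "opuser".
Import-Module ActiveDirectory
Import-Module VMware.PowerCLI

$Domain  = 'petenetlive.com'           # must match the identity source's Domain name
$VCenter = 'vcenter.petenetlive.com'   # assumption

# 1. Dedicated AD security groups instead of reusing Domain Admins.
foreach ($g in 'vCenter-Admins', 'vCenter-VM-Operators') {
    if (-not (Get-ADGroup -Filter "Name -eq '$g'")) {
        New-ADGroup -Name $g -GroupScope Global -GroupCategory Security -Description "vCenter access ($g)"
    }
}

# 2. Connect as the SSO administrator and grant roles on the inventory root, propagating down.
#    A root-level Admin permission does NOT make the group an SSO administrator, so its
#    members cannot change identity sources or SSO users and groups.
Connect-VIServer -Server $VCenter -Credential (Get-Credential 'administrator@vsphere.local') | Out-Null
$root  = Get-Folder -NoRecursion        # the inventory root folder
$admin = Get-VIRole -Name Admin
New-VIPermission -Entity $root -Principal "$Domain\vCenter-Admins" -Role $admin -Propagate:$true | Out-Null

# 3. A custom role carrying only the privileges VM operators need.
#    (System.View/System.Read are added implicitly so members can browse the inventory.)
$privs  = Get-VIPrivilege -Id 'VirtualMachine.Interact.PowerOn',
                              'VirtualMachine.Interact.PowerOff',
                              'VirtualMachine.Interact.Reset',
                              'VirtualMachine.Interact.ConsoleInteract'
$opRole = Get-VIRole -Name 'VM Operator' -ErrorAction SilentlyContinue
if (-not $opRole) { $opRole = New-VIRole -Name 'VM Operator' -Privilege $privs }
New-VIPermission -Entity $root -Principal "$Domain\vCenter-VM-Operators" -Role $opRole -Propagate:$true | Out-Null

# 4. Review the resulting permissions and make sure Domain Admins is not among them.
$perms = Get-VIPermission | Select-Object Principal, Role, Entity, Propagate
$perms | Format-Table -AutoSize
if ($perms.Principal -match 'Domain Admins') { Write-Warning 'Domain Admins still holds a vCenter permission.' }
Disconnect-VIServer -Server $VCenter -Confirm:$false

# 5. Prove the AD login path works with a low-privilege operator account.
Connect-VIServer -Server $VCenter -Credential (Get-Credential "$Domain\opuser") | Out-Null
Get-VM | Select-Object Name, PowerState | Format-Table -AutoSize   # visible, but only power/console actions allowed
Disconnect-VIServer -Server $VCenter -Confirm:$false
```

The principal must be written with the Domain name (or the alias) exactly as entered in the identity source, otherwise New-VIPermission cannot resolve the group. Run the last step with an account that is only in vCenter-VM-Operators; if it can see the inventory but not, for example, delete a VM, the role is doing its job.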


Related Articles, References, Credits, or External Links

(vSphere 6) vSphere – Adding Domain Users/Groups to vCenter

Deploying and Configuring The vCenter Server Appliance


Author: PeteLong
