I’ve been asked several times over the past month about this, so I thought it would be a good idea to write a quick blog post to point my colleagues to.
You’ve just installed vCenter 5.5 on Windows Server 2008 R2 and noticed that you cannot log on with the Windows local administrator account or a domain admin account. The only account that works is the administrator account of the SSO domain, vsphere.local (administrator@vsphere.local):
… or …
While attempting to add permissions to vCenter:
You notice that you can pick accounts from the local Windows server or from the SSO domain, but the Active Directory domain this Windows server is joined to is not listed:
The results are also the same when you use the vSphere Web Client:
It’s important to understand that the SSO component in vCenter 5.5 has been rewritten, with the RSA database completely removed (remember how clumsy the 5.1 install was?). Another change is that vCenter 5.5 does not automatically add the Active Directory domain as an authentication source, so to log in with AD credentials you need to add it yourself through the vSphere Web Client (the legacy C# client cannot manage SSO configuration). Begin by launching a browser and going to the following URL:
https://<vCenter Server IP or Name>:9443/vsphere-client
Log in as administrator@vsphere.local and navigate to Single Sign-On –> Configuration –> Identity Sources, then click the + sign:
The Add identity source window is where you will configure authentication against other directories:
The one we’re interested in is Active Directory (Integrated Windows Authentication), so select that radio button and fill out the fields: the domain name and, for the account SSO uses to query AD, either the machine account of the vCenter server (the simplest choice when the server is domain-joined) or a dedicated SPN with its credentials:
You should now see the domain in the Identity Sources tab and be able to grant permissions to users and groups in that domain:
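Once the domain shows up, the follow-on steps can be scripted. The PowerCLI snippet below is an added example, not code from the original post: the PowerCLI that shipped with 5.5 has no cmdlets for SSO identity sources, so adding the source stays a Web Client task, but checking that vCenter can resolve principals from the new domain and granting a role to an AD group can be done from PowerShell. The vCenter name (vc01.contoso.com), domain (CONTOSO) and group (vCenter-Admins) are hypothetical placeholders.

```powershell
# Added example (not from the original post): verify the new AD identity source
# resolves principals and grant an AD group a role at the vCenter root.
# Hypothetical values: vCenter vc01.contoso.com, AD domain CONTOSO,
# AD group CONTOSO\vCenter-Admins. Requires the PowerCLI snap-in shipped with 5.5.
Add-PSSnapin VMware.VimAutomation.Core -ErrorAction SilentlyContinue

$vCenter  = "vc01.contoso.com"   # assumption
$adDomain = "CONTOSO"            # NetBIOS name of the domain added as identity source
$adGroup  = "vCenter-Admins"     # hypothetical AD group that should administer vCenter
$roleName = "Admin"              # built-in Administrator role

# Bootstrap with the SSO administrator, the only account that works before AD is added.
# Prompting keeps the vsphere.local password out of the script.
$ssoCred = Get-Credential "administrator@vsphere.local"
Connect-VIServer -Server $vCenter -Credential $ssoCred | Out-Null

# 1. Check: can vCenter resolve a group from the AD domain at all?
#    If the identity source is missing or misconfigured this returns nothing.
$group = Get-VIAccount -Group -Domain $adDomain -Name $adGroup -ErrorAction SilentlyContinue
if (-not $group) {
    Disconnect-VIServer -Server $vCenter -Confirm:$false
    throw "Cannot resolve $adDomain\$adGroup. Is '$adDomain' listed under SSO > Configuration > Identity Sources?"
}

# 2. Grant the role to the group at the root folder and propagate it down the inventory.
#    Granting to an AD group rather than individual users keeps access reviewable in AD.
$root = Get-Folder -NoRecursion   # the top-level folder above all datacenters
$role = Get-VIRole -Name $roleName
New-VIPermission -Entity $root -Principal $group -Role $role -Propagate $true | Out-Null

# 3. Verify from the other side: log in with a domain account that is a member of the
#    group and list the permission as that account sees it.
Disconnect-VIServer -Server $vCenter -Confirm:$false
$adCred = Get-Credential "$adDomain\"
Connect-VIServer -Server $vCenter -Credential $adCred | Out-Null
Get-VIPermission -Principal "$adDomain\$adGroup" | Format-Table Principal, Role, Entity, Propagate -AutoSize
Disconnect-VIServer -Server $vCenter -Confirm:$false
```

Step 1 is the useful check when the Web Client still refuses domain logins after the source was added: if Get-VIAccount cannot resolve a known group, the problem is the identity source (wrong domain name, machine not domain-joined, SPN credentials rejected), not the permission assignment.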
I personally find this a great change, as we can now add different directory types for authentication, whether Windows integrated or the other options, such as:
- Active Directory as an LDAP server
- OpenLDAP
This makes it easier for a hosting provider to configure a shared vCenter that authenticates against multiple directories. Whichever sources you add, administrator@vsphere.local remains the account that still works when a directory is unreachable, so keep its password somewhere you can get to without AD.