Wednesday, November 6, 2013

Active Directory domain authentication missing in a new VMware vCenter 5.5 installation

I’ve been asked several times over the past month about this so I thought it would be a good idea to write a quick blog post to point my colleagues to.

Problem

You’ve just completed the installation of vCenter 5.5 onto a Windows Server 2008 R2 server and noticed that you are unable to log on with your Windows local administrator account or a domain admin account.  The only way you’re able to log in is with the SSO’s vsphere.local domain’s administrator account:

vsphere.local\administrator

… or …

administrator@vsphere.local


While attempting to add permissions to vCenter, you notice that you can select either the local Windows server's accounts or the SSO domain, but the Active Directory domain that this Windows server is joined to does not show up.


The results are the same when you use the vSphere Web Client.

Solution

It’s important to understand that the SSO component in vCenter 5.5 has been rewritten, with the RSA database completely removed (remember how clumsy the install for 5.1 was?). Another change, as SSO continues to mature, is that vCenter does not include Active Directory authentication by default, so in order to authenticate with AD credentials you’ll need to configure it as an identity source by using the vSphere Web Client. Begin by launching a browser and going to the following URL:

https://<vCenter Server IP or Name>:9443/vsphere-client

Log in and navigate to Single Sign-On –> Configuration –> Identity Sources and click on the + sign.

The Add identity source window is where you will configure authentication against other directories.

The option we’re interested in is Active Directory (Integrated Windows Authentication), so proceed by selecting that radio button and filling out the appropriate fields.

You should now see the domain you’ve configured in the Identity Sources tab, and you should now be able to grant permissions to users and groups in that domain for authenticating.

I personally find this to be a great change as we’re now able to add different types of domain for authentication whether through Windows integrated or the other options such as:

  • Active Directory as an LDAP Server
  • OpenLDAP

This evidently makes it easier for a hosting provider to configure a shared vCenter to authenticate against multiple directories.

3 comments:

Anonymous said...

Great post, you really helped us out with that article. Thanks!

Deepak Kumar said...

There are a number of Free High PR Directory Submission Sites List 2014 sites thank u for Directory Submission i think it will help me
