VMware vSphere: Active Directory Integration
Brandon Lee, posted on February 27, 2017
In the previous post, we looked at Single Sign On (SSO) and its importance in the vSphere architecture. Also, we looked at the fact that SSO can utilize Microsoft’s Active Directory as an identity source for authentication. Let’s look at the advantages of integrating with Active Directory and how this is configured.
Integrating the vCenter Server Appliance (VCSA) with Microsoft Active Directory as an identity source lets vSphere administrators grant access to vSphere objects from the same identity source they already use for file servers and every other resource on the network. Accounts are then created, disabled and audited in one place, which centralizes permission management. Centralized and simple is the best strategy here for administering permissions.
There are a few steps we need to perform to join our VCSA appliance to Active Directory as a computer object so that we can enable the Active Directory (Integrated Windows Authentication) identity source. This option lets a user who is already logged on to a domain-joined Windows machine authenticate to the vCenter Web UI with their existing Windows credentials instead of entering a separate username and password. Because this relies on Kerberos, the appliance must be able to resolve the domain controllers through DNS and its clock must be in sync with the domain (Kerberos rejects tickets when the skew exceeds five minutes by default).
To set up our AD connection, we need to log in to vCenter as the SSO administrator. This is the administrator user created during the VCSA install process (administrator@vsphere.local unless you chose a different SSO domain name at install time). Keep in mind that this is a local SSO account, not a Windows Active Directory domain user. Once you are logged into the Web UI as the SSO administrator, navigate to Administration >> System Configuration. Click the Nodes resource and then click your vCenter Server name. Click Manage >> Active Directory and then click the Join… button.
This will bring up a simple dialog box to type in the Domain, Organizational unit, Username, and Password. The username is an Active Directory account that is allowed to create computer objects in the target Organizational unit; it does not need to be a Domain Admin, and its password is used only for the join itself, so a dedicated account with that one right delegated on the OU is the least-privilege choice. Once you enter the appropriate information in the dialog box, click OK and you will be prompted to reboot your vCenter appliance.
After the vCenter VCSA appliance has been joined to the domain and rebooted, we are now ready to add our Active Directory identity source. After the VCSA appliance has booted back up, go back to Administration and then click Configuration under the Single Sign-On menu. Click the Identity Sources tab and then click the “+” button to add an identity source.
We choose the Active Directory (Integrated Windows Authentication) option.
Now that we have joined our VCSA appliance to the domain, the Domain name field will be automatically populated with our domain name. We can leave Use machine account selected as the default option here, since the computer account created during the join is what SSO uses to talk to the domain.
Finally, we complete the configuration of the identity source.
Now, if we look under Identity Sources, our domain appears in the list.
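The join procedure above has a few prerequisites (DNS locating the domain controllers, clock skew within Kerberos tolerance, a join account with only the rights it needs) and a result worth verifying (the computer object landing in the intended OU with its host/ SPNs). The following PowerShell script, run from a domain-joined Windows admin workstation with the ActiveDirectory RSAT module, performs those pre-flight checks before the join and the post-join verification afterwards. It is an added example and not part of the original post or of VMware's own tooling; the domain name, OU, join account name and VCSA hostname are assumptions for illustration.

```powershell
# Added example (not from the original post): pre-flight and post-join checks
# for joining a VCSA to Active Directory, run from a domain-joined Windows
# admin workstation with the ActiveDirectory RSAT module installed.
# All names below are assumptions for illustration; replace them with your own.
$Domain   = 'corp.example.com'                                   # assumed AD DNS domain
$JoinOU   = 'OU=vSphere,OU=Servers,DC=corp,DC=example,DC=com'    # assumed target OU
$JoinUser = 'svc-vcsa-join'                                      # assumed low-privilege join account
$VcsaHost = 'vcsa01'                                             # assumed VCSA short hostname

Import-Module ActiveDirectory -ErrorAction Stop

# 1. Kerberos locates domain controllers through DNS SRV records. If this
#    lookup fails here, fix DNS on the VCSA as well before attempting the join.
$dcSrv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop
$dc    = ($dcSrv | Where-Object { $_.Type -eq 'SRV' } | Select-Object -First 1).NameTarget
Write-Host "Domain controller located via SRV: $dc"

# 2. Kerberos rejects tickets when clock skew exceeds 5 minutes (default).
#    w32tm /stripchart prints this host's offset against the DC on its last line.
$offsetLine = w32tm /stripchart /computer:$dc /samples:1 /dataonly | Select-Object -Last 1
if ($offsetLine -match '([+-]\d+\.\d+)s') {
    $skew = [math]::Abs([double]$Matches[1])
    if ($skew -gt 300) { throw "Clock skew of $skew s exceeds Kerberos tolerance" }
    Write-Host ("Clock skew against {0}: {1:N3} s" -f $dc, $skew)
}

# 3. Least privilege: the join account only needs 'Create Computer objects'
#    delegated on the target OU, not Domain Admins membership.
$acct = Get-ADUser -Identity $JoinUser -Properties MemberOf
if ($acct.MemberOf -match 'CN=Domain Admins,') {
    Write-Warning "$JoinUser is a Domain Admin; use an account with delegated rights on $JoinOU instead"
}

# --- Perform the join in the Web UI as described in the post and reboot the
# --- VCSA, then run the post-join verification below.

# 4. Post-join: the VCSA computer object should exist in the expected OU and
#    carry host/ SPNs, which Integrated Windows Authentication relies on.
$computer = Get-ADComputer -Identity $VcsaHost -Properties servicePrincipalName, DistinguishedName
if ($computer.DistinguishedName -notlike "*,$JoinOU") {
    Write-Warning "$VcsaHost was created in $($computer.DistinguishedName), not in $JoinOU"
}
$computer.servicePrincipalName | Where-Object { $_ -like 'host/*' } |
    ForEach-Object { Write-Host "SPN registered: $_" }
```

Run steps 1 to 3 before clicking Join…, and step 4 after the appliance has rebooted. A missing SRV answer or a skew warning explains the most common join and IWA login failures before they happen, and the OU check catches a join that silently landed in the default Computers container, where the group policy and delegation you intended for vSphere hosts do not apply.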
Next, we will take a look at creating Roles in vCenter and assigning privileges to those Roles and then attaching a Role to an Active Directory user.