AD Authentication in vCenter SSO 5.5


With the recently released VMware vSphere 5.5, the Single Sign-On (SSO) component has been completely rewritten. The biggest change is that the RSA database has been removed, which eliminates much of its complexity. There is also a new identity source type, Active Directory (Integrated Windows Authentication), that works without specifying the AD controllers directly, like the old vSphere 4.x / 5.0 authentication. The whole process is much easier. This post shows how to enable Active Directory authentication within the new vSphere 5.5 Single Sign-On. If you are using vSphere 5.1, read this post.

The method shown in this post allows you to manage users and groups in your central directory. It works for both the vCenter Server 5.5 installed on Windows Server and the vCenter Server Appliance (VCSA).

  1. Open the vSphere Web Client (https://<ADDRESS>:9443/vsphere-client)
  2. Log in as administrator@vsphere.local
    Password (Windows): Set during installation
    Password (VCSA): “vmware”
  3. Navigate to Administration > Single Sign-On > Configuration
    (If there is no Single Sign-On configuration, you are probably not logged in as administrator@vsphere.local)
  4. Click the green + sign to add an identity source
  5. Select Identity Source Type:
    A) Windows based vCenter Server 5.5:
    Active Directory (Integrated Windows Authentication)
    B) vCenter Server Appliance 5.5 (VCSA):
    [Screenshot: sso5-ad-ldap]
  6. Click OK
  7. Back at Identity Sources, your AD should appear in the list, and from now on you are able to assign vCenter permissions to users and groups from your Active Directory. When you are using Integrated Windows Authentication, trusted domains are also available. The functionality is very similar to vSphere 4.x and vSphere 5.0.
  8. Select your Active Directory and click the “world with arrow” button to make AD your default domain.
  9. You should get a warning telling you that “This will alter your current default domain. Do you want to proceed?”. This is okay, as you can only have one default domain.
  10. That’s it. You can now set permissions and authenticate against Active Directory with vCenter Server 5.5 through SSO.

To change the vCenter Server SSO configuration as a user other than administrator@vsphere.local, you have to add that user to the Administrator Group within SSO.
