vSphere 5.5 SSO Integration with Active Directory

After getting ESXi installed on the Mac Minis and the vSphere vCenter Appliance deployed, my next step was to integrate my lab's Active Directory with Single Sign-On.  Based on the documentation provided on the vSphere 5.5 Documentation Center, the AD integration is a fairly simple procedure that relies on four fundamental components:

  1. Domain Membership
  2. SSO Service Account
  3. Identity Source
  4. Groups and Permissions
Domain Membership:

The vSphere vCenter Server must be joined to the Active Directory domain if vSphere SSO Active Directory integration is going to be configured.  If your vCenter is a Windows Server, domain membership is standard practice and a generally accepted prerequisite.

My lab is using the vCenter Server Appliance, so joining the domain is pretty simple.

  1. Connect to the vCenter Server Appliance Administration page at https://[VCENTER_SERVER]:5480/ and log in as root.
  2. Navigate to the Authentication tab under the vCenter Server configuration.
  3. Fill in the domain name and supply the credentials of an account with permission to create the computer account for the VCSA in AD (these credentials are used only for the join and are not stored).
  4. Save Settings, but don't reboot the appliance until the Identity Source has been set and the proper roles and permissions are configured.

Screen Shot 2013-11-03 at 4.50.55 PM.png

SSO Service Account:

One of the requirements (if you are not using a machine account) for vSphere SSO Active Directory integration is a Service Principal Name (SPN) registered in Active Directory.  To set the SPN, connect to the Domain Controller and first create the Service Account that will carry it:

SSOServiceAccount01.png

SSOServiceAccount02.png

The SSO Service Account should be a dedicated account with an appropriate password expiry policy.  Keep in mind that SSO stores this account's password in the identity source configuration: if the password expires or is rotated, the identity source must be updated with the new password, or Active Directory logins to vCenter will fail.

Once the Service Account is created, open a command prompt as administrator on the Domain Controller and run the following command (setspn -S checks for an existing duplicate SPN before adding it):

setspn -S sts/[DOMAIN] [SERVICEACCOUNTNAME]

SSOServiceAccount03.png

Ensure that the last line of the command returns with ‘Updated object’ before moving on to the next step.
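The same two steps (create the dedicated account, register the STS SPN on it) can be scripted on the Domain Controller with the ActiveDirectory PowerShell module instead of Users and Computers plus setspn.  This is an added example and not part of the original post; the domain name lab.local, the account name svc-vsphere-sso and the OU path are assumptions you will need to replace.

```powershell
# Added example (not from the original post): create the SSO service account and register
# its STS SPN with the ActiveDirectory module. Run elevated on a Domain Controller or a host
# with RSAT. Domain, account name and OU below are assumptions; change them for your lab.
Import-Module ActiveDirectory

$Domain      = 'lab.local'                               # assumption: AD DNS domain
$AccountName = 'svc-vsphere-sso'                         # assumption: sAMAccountName
$OU          = 'OU=Service Accounts,DC=lab,DC=local'     # assumption: target OU
$Spn         = "sts/$Domain"                             # same form as setspn -S sts/[DOMAIN]

# Prompt for the password instead of embedding it in the script.
$Password = Read-Host -AsSecureString -Prompt "Password for $AccountName"

# 1. Refuse to continue if the SPN already exists on another object. Kerberos breaks with
#    duplicate SPNs; the servicePrincipalName comparison is case-insensitive.
$existing = Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" -Properties servicePrincipalName
if ($existing -and $existing.Name -ne $AccountName) {
    throw "SPN $Spn is already registered on $($existing.DistinguishedName); remove it first."
}

# 2. Create the dedicated account. PasswordNeverExpires avoids a silent SSO outage when the
#    password would otherwise expire; if your policy requires rotation, update the identity
#    source password in the Web Client at every rotation instead.
New-ADUser -Name $AccountName -SamAccountName $AccountName `
    -UserPrincipalName "$AccountName@$Domain" -Path $OU `
    -AccountPassword $Password -Enabled $true `
    -PasswordNeverExpires $true -CannotChangePassword $true `
    -Description 'vSphere 5.5 SSO identity source service account'

# 3. Hardening the GUI walkthrough does not mention: SSO only needs this account to bind and
#    read the directory, so mark it as sensitive and not delegatable.
Set-ADUser -Identity $AccountName -AccountNotDelegated $true

# 4. Register the SPN (equivalent to: setspn -S sts/[DOMAIN] [SERVICEACCOUNTNAME]).
Set-ADUser -Identity $AccountName -ServicePrincipalNames @{Add = $Spn}

# 5. Verify, as you would with setspn -L, and report any duplicate SPNs forest-wide.
(Get-ADUser -Identity $AccountName -Properties servicePrincipalName).servicePrincipalName
setspn -X
```

The UPN printed by the New-ADUser step (svc-vsphere-sso@lab.local in this example) and the SPN are the two values you will enter when adding the identity source.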

Identity Source:

Identity sources allow you to attach one or more domains to vCenter Single Sign-On. A domain is a repository for users and groups that the vCenter Single Sign-On server can use for user authentication.

To set the identity source, ensure that the domain membership and SSOServiceAccount SPN settings are completed, then:

Log in to the Web Client (https://[VCENTER]:9443/vsphere-client/) and connect to the vCenter Server using the administrator@vsphere.local account.  The password for this account on a freshly deployed VCSA is 'vmware'; change it before the appliance is reachable by anyone else.  Do not use admin@System-Domain as you did in vCenter 5.1 SSO; that account no longer exists in 5.5.

SSOAdminLogin.png

Navigate to  Home > Administration > Single Sign-On > Configuration page

AddIdentitySource01.png

Use the + sign to add your domain as a new identity source.  Select 'Active Directory (Integrated Windows Authentication)', choose 'Use SPN', and complete the following fields as depicted below:

Domain name, Service Principal Name (SPN), User Principal Name (UPN) of the service account, and the password you set when you created the account in Users and Computers.

AddIdentitySource02.png

Once none of the fields are outlined in red, you have completed them successfully and can select OK.  If the settings are correct, the progress bar should complete in about 30-60 seconds and an additional Identity Source will be listed in your configuration.

AddIdentitySource03.png

Once the Active Directory domain is added as an identity source for authentication, the proper group memberships and permissions must be setup in order to see the existing vCenter inventory components.

Groups and Permissions

Staying logged in with the administrator@vsphere.local account, navigate to the 'Users and Groups' configuration section on the left-hand side, select the Groups tab in the middle and highlight the Administrators group as in the picture below.  Near the bottom of the page click the 'Add Member' button.

Groups&Permissions01.png

When the ‘Add Principals’ wizard pops up:

  1. Use the domain drop-down list to select the Active Directory domain.
  2. Select and highlight the Group or User account that will be used to access and administer the vCenter Server.  I would recommend using a group membership.
  3. Use the Add button to populate the Users: or Groups: field below.
  4. Select OK to make the changes.

Groups&Permissions02.png

Now that the Groups (or Users) are added into the correct SSO group memberships (which correspond to the correct SSO roles), the permissions on the vCenter inventory must be applied separately.  Note that membership in the SSO Administrators group grants the right to manage SSO itself (identity sources, users, groups and policies), which is not needed for day-to-day vCenter administration; keep that group small and give most administrators only the inventory permission assigned in the next step.

Navigate to Home > vCenter > vCenters and highlight the VCSA instance name on the right-hand side of the screen.  Select the Manage tab, then the Permissions tab, and use the + [Add permission] button to add the same User or Group as in the example above.

Groups&Permissions03.png

Using the Select Users/Groups wizard:

  1. Use the domain drop-down list to select the Active Directory domain.
  2. Select and highlight the Group or User account that requires permissions to administer the vCenter Server.
  3. Use the Add button to populate the Users: or Groups: field below, then assign the role (for example Administrator) and leave 'Propagate to children' checked if the permission should apply to the whole inventory.
  4. Select OK to make the changes.

Groups&Permissions04.png

After about 30 seconds, the additional line(s) will show up with the proper permissions on the vCenter inventory and components.  This is the same functionality as setting roles and permissions in the traditional C# client.

Before testing out the access and permissions, remember to reboot the vCenter Server Appliance and allow the domain membership changes to take place.

After the appliance comes back up and the Web Services have started again, login to the Web Client interface and validate that the authentication and permissions are correct and functional. 

SSOLogin.png

An easy way to tell whether the inventory permissions are correct is to check on the vCenter Home page that the existing vCenters, Hosts and VMs show up on the left-hand side within the inventory, as in the example below.

SSOLoginVerification.png
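Both the permission step and the post-reboot validation can also be done from PowerCLI, which is a useful check when the Web Client inventory looks empty and you want to know whether the problem is authentication or permissions.  This is an added example and not part of the original post; the vCenter name vcsa.lab.local, the AD group LAB\vSphere-Admins and the test user LAB\alice are assumptions.

```powershell
# Added example (not from the original post): assign the AD group the Administrator role at
# the root of the vCenter inventory with PowerCLI, then validate with a domain user.
# vcsa.lab.local, LAB\vSphere-Admins and LAB\alice are assumptions; replace them.
$VCenter   = 'vcsa.lab.local'          # assumption: the VCSA FQDN
$Principal = 'LAB\vSphere-Admins'      # assumption: the AD group granted vCenter admin rights
$TestUser  = 'LAB\alice'               # assumption: a member of that group, for validation

# --- Step 1: apply the permission as the SSO administrator (before the reboot) ---
Connect-VIServer -Server $VCenter -User 'administrator@vsphere.local'   # prompts for password

# The root folder is the object you select under Home > vCenter > vCenters in the Web Client.
$Root = Get-Folder -NoRecursion

# Only add the permission if the group does not already have one on the root object.
$Existing = Get-VIPermission -Entity $Root -Principal $Principal -ErrorAction SilentlyContinue
if (-not $Existing) {
    New-VIPermission -Entity $Root -Principal $Principal `
        -Role (Get-VIRole -Name 'Admin') -Propagate $true | Out-Null
}

# Show what is effective at the root; IsGroup should be True for the AD group entry.
Get-VIPermission -Entity $Root | Format-Table Principal, Role, Propagate, IsGroup -AutoSize
Disconnect-VIServer -Server $VCenter -Confirm:$false

# --- Step 2: after the appliance reboot, validate with domain credentials ---
# A failed Connect-VIServer here is an authentication (identity source / SPN) problem;
# a successful connect that returns no hosts is a permissions problem.
Connect-VIServer -Server $VCenter -User $TestUser                       # prompts for password
Get-VMHost | Select-Object Name, ConnectionState, PowerState
Get-VM    | Select-Object Name, PowerState
Disconnect-VIServer -Server $VCenter -Confirm:$false
```

Run the first half while still logged in as administrator@vsphere.local, reboot the appliance as the post describes, and then run the second half; the split between "cannot log in" and "logged in but sees nothing" is the quickest way to tell which of the four components is misconfigured.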

If you are running Windows, make sure to download and install the Client Integration Plug-in to enable the ability to use your currently logged in Active Directory credentials. 

Source: http://cloudcanuck.ca/blog/vsphere-55-sso-integration-with-active-directory
