
Integrating vCenter Server Appliance 6.5 and its ESXi hosts in Active Directory
In this post we will see how to configure authentication against our Active Directory on the VMware vSphere virtual platform. We will enable it on the vCenter Server Appliance and on the ESXi hosts, so that access permissions can be assigned to Active Directory users or groups. That way, instead of sharing the default credentials (as we wrongly tend to do), each employee uses their own AD account with only the privileges they should have, and it also lets us see 'who does what'.
Integrate vCenter Server 6.5 in Active Directory
If we have a single appliance in our virtual infrastructure with vCenter Server + PSC there is no doubt, but if we have a vCenter Server architecture with an external PSC, authentication must be configured on the PSC appliance!
We log in to the vSphere Web Client (https://FQDN-VCENTER-SERVER/vsphere-client) as the SSO administrator (or another SSO admin user) and go to the "Administration" view.
Then go to "Deployment" > "System Configuration".
Click on "Nodes" > select our virtual appliance > "Manage" tab > "Settings" > "Advanced" menu > "Active Directory" and click on "Join".
We enter the domain name, optionally the OU where the computer account will be placed, a privileged username and password, and accept.
Then we restart the vCSA; optionally we can check in the AD that the computer account has been created correctly.
Now all that remains is to assign permissions. To do so, open the vSphere Web Client, go to the object of interest (a Datacenter, a virtual machine...), open "Permissions" and add the Active Directory user or group of users from the combo box, assigning the access role we want (Administrator, etc.)... Maybe I'll cover that in a future post...
Integrate an ESXi Host 6.5 in Active Directory
In this part we will see how to authenticate with our own user accounts directly on the ESXi hosts, whether connecting over SSH with PuTTY or with the Host Client...
As always, it is essential to have the hosts' network parameters properly configured, including DNS server, NTP server...
The first thing will be to create a group in Active Directory and add to it the members who will be administrators of the hosts.
Then, on a host, in the "Configure" tab > "System" > "Authentication Services", we can join it to the domain by clicking "Join domain...".
It will ask us for the domain name and the credentials of a user with join privileges; "Accept".
After a few seconds we will see that we are already members of the domain, and if we go to our AD we will see the host's computer account!
To indicate which user group can log in to each host, we go to the "Configure" tab > "System" > "Advanced System Settings" > "Edit".
We filter for Config.HostAgent.plugins.hostsvc.esxAdminsGroup, edit it and enter the name of the group exactly as it is in the AD.
We let a few minutes pass... and voilà! If we log in with PuTTY we will see how convenient it is, and everything will be properly logged: who does what...
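The same ESXi steps (join the domain, then set Config.HostAgent.plugins.hostsvc.esxAdminsGroup) done for a whole cluster with PowerCLI, as an added example that is not part of the original post. It assumes VMware PowerCLI is installed, and the vCenter FQDN, cluster name, domain and group name are placeholders to replace with your own values.

```powershell
# Added example (not from the original post): join every ESXi host in a cluster to the
# domain and point esxAdminsGroup at the AD group created earlier, then verify.
# Assumptions: PowerCLI is installed; the four values below are placeholders.
$vCenter     = 'vcenter.example.local'   # placeholder vCenter FQDN
$ClusterName = 'Production'              # placeholder cluster name
$Domain      = 'example.local'           # placeholder AD domain
$AdminsGroup = 'ESXi-Admins'             # placeholder AD group from the first step above

# Two credentials: one for vCenter, one AD account allowed to join computers to the domain.
$vcCred = Get-Credential -Message 'vCenter credentials'
$adCred = Get-Credential -Message 'AD account with join privileges'

Connect-VIServer -Server $vCenter -Credential $vcCred | Out-Null

foreach ($vmHost in Get-Cluster -Name $ClusterName | Get-VMHost) {
    $auth = Get-VMHostAuthentication -VMHost $vmHost

    # Join only hosts that are not already members (the GUI "Join domain..." step).
    if ($auth.DomainMembershipStatus -ne 'Ok') {
        Set-VMHostAuthentication -VMHostAuthentication $auth -JoinDomain `
            -Domain $Domain -Credential $adCred -Confirm:$false | Out-Null
    }

    # The default value of this setting is the group name "ESX Admins": any AD group with
    # that exact name gets full admin rights on every joined host, so set it explicitly.
    $setting = Get-AdvancedSetting -Entity $vmHost -Name 'Config.HostAgent.plugins.hostsvc.esxAdminsGroup'
    if ($setting.Value -ne $AdminsGroup) {
        Set-AdvancedSetting -AdvancedSetting $setting -Value $AdminsGroup -Confirm:$false | Out-Null
    }
}

# Report membership and the admin group host by host so the result can be checked.
Get-Cluster -Name $ClusterName | Get-VMHost | ForEach-Object {
    $auth = Get-VMHostAuthentication -VMHost $_
    $grp  = (Get-AdvancedSetting -Entity $_ -Name 'Config.HostAgent.plugins.hostsvc.esxAdminsGroup').Value
    [pscustomobject]@{
        Host        = $_.Name
        Domain      = $auth.Domain
        Membership  = $auth.DomainMembershipStatus
        AdminsGroup = $grp
    }
} | Format-Table -AutoSize

Disconnect-VIServer -Server $vCenter -Confirm:$false
```

Rerunning the script is harmless: hosts already joined and already pointing at the right group are left untouched, and the final table is the check to keep for the records.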
VMware Enhanced Authentication Plugin
We can install the Enhanced Authentication Plugin if we want, among other things, to authenticate with the account of our current Windows session (since we assume the Windows machine you work from is domain-joined) and pass those credentials through to vCenter.
At the bottom left of the login page, before logging in, we can download and install it on any Windows computer by clicking "Download Enhanced Authentication Plugin".
After downloading the binary we can run the installation; there is no mystery to it and it takes just a couple of minutes!
After installing it, we will see that we can now tick the "Use Windows session authentication" checkbox; with this, our credentials are passed to vCenter Server and we are logged in automatically!
Bear in mind what was said above: our Active Directory account must have access permissions, so before we log in, a vSphere administrator must assign us permissions on the object of interest (a Datacenter as we said before, a cluster, a folder of virtual machines...) with a role on that object, and that's it! When we log in we will only see the objects we have permissions on!