Wednesday 10 May 2017

Add vCenter to domain with Single sign on

How to Join AD Domain in vCenter Server Appliance 6.0 (vCSA)

In vSphere 6.0 the vCenter Server Appliance (vCSA) changed considerably. Joining an Active Directory domain is now part of the infrastructure node configuration, which belongs to the Platform Services Controller (PSC). The usual Active Directory requirements apply: the appliance clock must be in sync with the domain controllers (Kerberos rejects a skew of more than five minutes by default), and the appliance needs a proper DNS name that resolves forward and reverse. You cannot join a domain if you entered an IP address as the system name in the vCSA guided installer; in vCSA 6.0 the system name cannot be changed after deployment, so such an appliance has to be redeployed with a FQDN.

  1. Open vSphere Web Client (https://[vcenter]/vsphere-client)
  2. Log in as the Single Sign-On administrator (by default administrator@vsphere.local, password set during installation)
  3. Navigate to Administration > Deployment > System Configuration
  4. Open Nodes and select the infrastructure node that is associated with Single Sign-On
  5. Navigate to Manage > Advanced > Active Directory
  6. Click Join...
  7. Enter the AD domain name and the credentials of an account that is allowed to join computers to the domain (a dedicated account with only that right is preferable to a domain administrator)
  8. Press OK
  9. Reboot the appliance
When the appliance comes back up it is a member of the Active Directory domain. The join is only the machine-level step; to log in to vCenter with AD credentials you also have to add the domain as a Single Sign-On identity source.
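The prerequisites listed above (FQDN system name, DNS, time sync) and the join itself can also be checked and performed from the appliance shell instead of the web client. The preflight script below is an added example, not part of the original post or of VMware's documentation; it assumes root access to the vCSA/PSC shell, the Likewise tool /opt/likewise/bin/domainjoin-cli that ships with the appliance, plus host and ntpdate, and uses placeholder domain and account names.

```shell
#!/bin/sh
# Preflight and command-line join for a vCSA 6.0 / PSC appliance.
# Added example, not from the original post. Assumptions: run as root from the
# appliance's bash shell; /opt/likewise/bin/domainjoin-cli, host and ntpdate
# are present; DOMAIN and JOIN_USER are placeholders.
DOMAIN="${DOMAIN:-virten.lab}"
JOIN_USER="${JOIN_USER:-vcenterjoin}"   # may join computers; not a domain admin

# Exit 0 when the string is a dotted-quad IPv4 address rather than a host name.
name_is_ip() {
  printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# The system name must be a FQDN: not an IP address and containing a dot.
# An appliance installed with an IP as system name cannot be joined.
name_is_fqdn() {
  name_is_ip "$1" && return 1
  case "$1" in
    *.*) return 0 ;;
    *)   return 1 ;;
  esac
}

# Kerberos tolerates 5 minutes of clock skew by default. $1 is the offset in
# seconds as reported by ntpdate (may be negative or fractional), $2 the limit.
skew_ok() {
  off="${1#-}"                 # absolute value
  [ -n "$off" ] || return 1
  [ "${off%.*}" -lt "${2:-300}" ]
}

preflight() {
  sysname="$(hostname -f 2>/dev/null || hostname)"
  if ! name_is_fqdn "$sysname"; then
    echo "system name '$sysname' is not a FQDN; redeploy the appliance with one" >&2
    return 1
  fi
  # The appliance name and the domain's DC SRV record must resolve.
  host "$sysname" >/dev/null 2>&1 || { echo "no DNS record for $sysname" >&2; return 1; }
  host -t SRV "_ldap._tcp.dc._msdcs.$DOMAIN" >/dev/null 2>&1 \
    || { echo "no domain controller SRV record for $DOMAIN" >&2; return 1; }
  # Query (do not set) the clock offset against the domain's DCs.
  off="$(ntpdate -q "$DOMAIN" 2>/dev/null | sed -n 's/.*offset \([-0-9.]*\).*/\1/p' | tail -n 1)"
  skew_ok "$off" || { echo "clock offset '$off' s exceeds the Kerberos tolerance" >&2; return 1; }
}

join_domain() {
  # The password is prompted for interactively; do not pass it as a third
  # argument, it would end up in the shell history and the process list.
  /opt/likewise/bin/domainjoin-cli join "$DOMAIN" "$JOIN_USER" || return 1
  # Verify the join: query prints a "Domain = ..." line for a joined machine.
  /opt/likewise/bin/domainjoin-cli query | grep -qi "^Domain = $DOMAIN"
}

# Only perform the join when explicitly requested, so the file is safe to source.
if [ "${RUN_JOIN:-0}" = 1 ]; then
  preflight && join_domain && echo "joined $DOMAIN; reboot the appliance to finish"
fi
```

Run it as `RUN_JOIN=1 sh join-preflight.sh` on the appliance; without RUN_JOIN it only defines the functions. The reboot after a successful join is still required, as in the web client procedure.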

  1. Open vSphere Web Client (https://[vcenter]/vsphere-client)
  2. Log in as the Single Sign-On administrator (by default administrator@vsphere.local, password set during installation)
  3. Navigate to Administration > Single Sign-On > Configuration
  4. Open the Identity Sources tab
  5. Click the green + to add an identity source
  6. Select the identity source type:
    A) Active Directory (Integrated Windows Authentication)
    This option works with both the Windows-based vCenter Server and the vCenter Server Appliance. The underlying system (the Windows server, or the infrastructure node of the Platform Services Controller) has to be a member of the Active Directory domain, which is what the join above provides. You only have to enter the domain name; by default the machine account created by the join is used for authentication.
    B) Active Directory as a LDAP Server
    Use this option if the underlying system is not part of the Active Directory domain. Fill out the remaining fields as follows:
    Name: A label for identification in the list of identity sources
    Base DN for users: The Distinguished Name (DN) at which user searches start. Example: if your domain name is virten.lab, the DN for the entire domain is "DC=virten,DC=lab"; a narrower OU limits which accounts can log in at all.
    Domain name: Your DNS domain name. Example: "virten.lab"
    Domain alias: Your NetBIOS domain name. Example: "virten"
    Base DN for groups: The Distinguished Name (DN) at which group searches start; the domain DN from above works here as well.
    Primary server URL: URL of a domain controller. You can either query the domain-local directory (port 389) or the global catalog (port 3268). Example: "ldap://dc01.virten.lab:3268". Both ports carry cleartext LDAP, so the service account's password crosses the network unprotected on every bind; for production use an ldaps:// URL (port 636 or 3269) and upload the domain controller's certificate when prompted.
    Secondary server URL: Optional; a second domain controller for failover.
    Username: An account in the AD domain with at least browse (read) privileges. Use a dedicated, unprivileged service account rather than a domain administrator: vCenter stores this password, and a compromise of the PSC exposes it. Example: virten\vcentersso
    Password: The password of that account.
    Press Test Connection to verify the AD connection
  7. Click OK
  8. Back at Identity Sources your AD domain should appear in the list; from now on you are able to assign vCenter permissions to users and groups from your Active Directory.
  9. Select your Active Directory entry and click the globe-with-arrow button to make it the default domain, so users can log in without the domain prefix.
  10. To log in with AD users you still have to grant them permissions; a user without permissions can authenticate but sees an empty inventory. To add an AD user as global administrator, navigate to Administration > Access Control > Global Permissions. Granting the role to an AD security group (for example a dedicated "vCenter Admins" group) instead of to individual users keeps the permission model manageable and lets you revoke access centrally in AD.
  11. Click Add permission
  12. Click Add...
  13. Select the Active Directory domain under Domain, choose a user or group, and press Add
  14. Press OK twice
You can now log in to the vSphere 6.0 vCenter with your Active Directory account.
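The values entered for the "Active Directory as a LDAP Server" identity source (base DN derived from the domain name, server URL and port, service account) can be verified from an admin workstation before touching the web client, and the cleartext-versus-LDAPS difference in the server URL is easy to get wrong. The script below is an added example, not part of the original post; it assumes ldapsearch from the OpenLDAP client tools on a workstation that can reach the domain controller, uses placeholder domain, host and account names, and reads the service account password from the LDAP_PW environment variable.

```shell
#!/bin/sh
# Pre-check for the "Active Directory as a LDAP Server" identity source: derive
# the base DN from the domain name, build the server URL and run the same bind
# and search the web client's "Test Connection" performs.
# Added example, not from the original post. Assumptions: ldapsearch (OpenLDAP
# client tools) on an admin workstation that can reach the DC; DOMAIN, DC_HOST
# and BIND_USER are placeholders; the password comes from LDAP_PW.
DOMAIN="${DOMAIN:-virten.lab}"
DC_HOST="${DC_HOST:-dc01.virten.lab}"
BIND_USER="${BIND_USER:-virten\\vcentersso}"   # DOMAIN\user form, as in the web client

# "virten.lab" -> "DC=virten,DC=lab": the DN of the whole domain, usable as
# both "Base DN for users" and "Base DN for groups".
domain_to_base_dn() {
  printf '%s' "$1" | awk -F. '{
    for (i = 1; i <= NF; i++) { sep = (i > 1) ? "," : ""; printf "%sDC=%s", sep, $i }
    print ""
  }'
}

# Port for the chosen scheme (ldap|ldaps) and scope (domain|gc):
# 389/636 query the domain-local directory, 3268/3269 the global catalog.
ldap_port() {
  case "$1/$2" in
    ldap/domain)  echo 389  ;;
    ldap/gc)      echo 3268 ;;
    ldaps/domain) echo 636  ;;
    ldaps/gc)     echo 3269 ;;
    *) return 1 ;;
  esac
}

build_url() { echo "$1://$DC_HOST:$(ldap_port "$1" "$2")"; }

# Exit 0 for an LDAPS URL. Plain ldap:// sends the simple bind, and with it
# the service account's password, in cleartext.
url_is_ldaps() {
  case "$1" in
    ldaps://*) return 0 ;;
    *)         return 1 ;;
  esac
}

# Same check as "Test Connection": bind as the service account and look it up
# below the base DN. For ldaps:// point LDAPTLS_CACERT at the DC's CA cert.
probe_identity_source() {
  url="$1"
  base="$(domain_to_base_dn "$DOMAIN")"
  user=${BIND_USER#*\\}                  # strip the DOMAIN\ prefix
  url_is_ldaps "$url" || echo "warning: $url is not LDAPS; the bind password travels in cleartext" >&2
  ldapsearch -x -LLL -H "$url" -D "$BIND_USER" -w "$LDAP_PW" \
    -b "$base" -s sub "(sAMAccountName=$user)" dn
}

# Only talk to the network when a password was supplied.
if [ -n "${LDAP_PW:-}" ]; then
  probe_identity_source "$(build_url ldaps gc)"
fi
```

A successful run prints the DN of the service account; a bind failure (invalid credentials) or an empty result (wrong base DN) tells you which field to fix before you enter it in the web client. Passing the password via LDAP_PW instead of on the command line keeps it out of the shell history.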

