Configuring vCenter Server Appliance 5.5 vCenter Single Sign-On with Active Directory authentication

Article ID: 324737


Products

VMware vCenter Server

Issue/Introduction

This article provides supplemental information to explain domain binding requirements and configuration process for vCenter Single Sign-On in vCenter Server Appliance 5.5. For more information, review the vSphere Installation and Setup Guide.


Resolution

Validate Requirements

Validate that the vCenter Server Appliance 5.5 has network configuration and connectivity for binding to an Active Directory domain.

  1. Open a web browser and navigate to the vCenter Server Appliance Virtual Application Management Interface (VAMI). By default, the VAMI is located at: https://vCenter-Appliance-Address:5480/.
  2. Log in as root. The default password is vmware.
  3. Click the Network tab > select the Address sub-tab.
  4. Validate that the network configuration has correct DNS server(s) listed.
  5. Validate that the network configuration has a hostname defined and that the hostname is neither linux nor localhost.

Test Active Directory Domain Server Lookup

Test that the vCenter Server Appliance can successfully locate an Active Directory server for a given Active Directory domain.

  1. Open the vCenter Server Appliance console or connect with SSH. To connect to the vCenter Server Appliance through SSH, see the Enable or Disable SSH Administrator Login on the VMware vCenter Server Appliance section in the vCenter Server and Host Management Guide.
  2. Log in as root. The default password is vmware.
  3. Execute the command lw-get-dc-name (located in: /opt/likewise/bin/) to look up the Service Location (SRV) record for the Active Directory domain. You should see information about the domain, including the IP address of an Active Directory server.

    Example:

    /opt/likewise/bin/lw-get-dc-name exampledomainname.com

  4. Validate that the forward and reverse DNS entries for the listed Active Directory domain server's IP address are consistent.
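The requirement checks and the domain controller lookup above, collected into one pre-join script. This is an added example, not part of the VMware KB article; it assumes lw-get-dc-name prints a line of the form pszDomainControllerAddress = <ip> (field name assumed) and that getent is available on the appliance.

```shell
#!/bin/sh
# Added pre-join check script (not from the VMware KB). Assumes
# lw-get-dc-name prints a "pszDomainControllerAddress = <ip>" line (field
# name assumed) and that getent is available on the appliance.

# Hostname must be set and must not be the default "linux" or "localhost"
# (either as the bare name or as the short name of an FQDN).
hostname_ok() {
    case "$1" in
        ""|linux|localhost|linux.*|localhost.*) return 1 ;;
        *) return 0 ;;
    esac
}

# The resolver file must list at least one nameserver.
dns_configured() {
    grep -qE '^[[:space:]]*nameserver[[:space:]]+[0-9]' "$1"
}

# Pull the DC address out of lw-get-dc-name output read from stdin.
dc_address_from() {
    sed -n 's/^pszDomainControllerAddress *= *//p' | head -n 1
}

# Reverse-resolve the DC IP, then check that the name resolves back to it.
forward_reverse_consistent() {
    ip=$1
    name=$(getent hosts "$ip" | awk '{print $2; exit}')
    [ -n "$name" ] || return 1
    getent ahosts "$name" | awk '{print $1}' | grep -qx "$ip"
}

# Constructed lw-get-dc-name output, used only to exercise the parser off the appliance.
SAMPLE_DC_OUTPUT='pszDomainControllerName = dc1.exampledomainname.com
pszDomainControllerAddress = 10.0.0.5'

run_checks() {  # usage: run_checks <ad-domain>
    hostname_ok "$(hostname)" || { echo "FAIL: hostname unset or default"; return 1; }
    dns_configured /etc/resolv.conf || { echo "FAIL: no nameserver in resolv.conf"; return 1; }
    ip=$(/opt/likewise/bin/lw-get-dc-name "$1" | dc_address_from)
    [ -n "$ip" ] || { echo "FAIL: no DC address for $1 (check the SRV record)"; return 1; }
    forward_reverse_consistent "$ip" || { echo "FAIL: forward/reverse DNS mismatch for $ip"; return 1; }
    echo "OK: $1 -> DC $ip, forward/reverse DNS consistent"
}
if [ -x /opt/likewise/bin/lw-get-dc-name ] && [ -n "${1:-}" ]; then
    run_checks "$1"
else
    echo "demo: parsed DC address $(printf '%s\n' "$SAMPLE_DC_OUTPUT" | dc_address_from)"
fi
```

On the appliance, run it as sh prejoin-check.sh exampledomainname.com; anywhere else it only exercises the parser against the constructed sample.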

Join vCenter Server Appliance 5.5 to Active Directory Domain

Configure the vCenter Server Appliance to join the Active Directory domain. After joining the domain, the vCenter Server Appliance can issue requests for users and groups on the domain.

  1. Open a web browser and navigate to the vCenter Server Appliance Virtual Application Management Interface (VAMI) at https://<vCenter_Appliance_FQDN>:5480/.
  2. Log in as root. The default password is vmware.
  3. From the vCenter Server tab, select the Authentication sub-tab.
  4. Select Active Directory Enabled.
  5. Enter the Active Directory domain name.

    Example:
    exampledomainname.com
  6. Enter the username in User Principal Name format (UPN) and password of an Administrative account on the Active Directory domain that has permissions to join the desired domain.

    Example:
    <username>@exampledomainname.com

    Note: If enabling Active Directory fails, see Enabling Active Directory on the VMware vCenter Server Appliance 5.x fails with the error: Enabling active directory failed (2062610).

Test Active Directory Communication

Validate that the vCenter Server Appliance was correctly joined to the Active Directory domain by using a command-line tool to look up a list of users from that domain.

  1. Open the vCenter Server Appliance console or connect with SSH. To connect to the vCenter Server Appliance through SSH, see the Enable or Disable SSH Administrator Login on the VMware vCenter Server Appliance section in the vCenter Server and Host Management Guide.
  2. Log in as root. The default password is vmware.
  3. Execute the command lw-enum-users (located in: /opt/likewise/bin/) to query a list of user accounts for the Active Directory domain. You should see information about the user accounts, including user names.

    Example:

    /opt/likewise/bin/lw-enum-users

Add Identity Source for Active Directory Domain in Web Client

With the vCenter Server Appliance successfully joined to the domain, add an Identity Source for that domain in the vCenter Single Sign-On configuration.

  1. Open a web browser and navigate to the vCenter Server's vSphere Web Client. Default URL is https://<vCenter_Appliance_FQDN>:9443/vsphere-client.
  2. Navigate from Home to Administration > Single Sign-On > Configuration > Identity Sources.
  3. Click the Add an Identity Source icon.
  4. Select Active Directory (Integrated Windows Authentication). Ensure that the correct domain name is populated in the Domain Name field.
  5. Select Use Machine Account.
  6. Click OK.

    For more information on configuring Identity Sources in vSphere 5.5, see the Add a vCenter Single Sign-On Identity Source section in the vSphere 5.5 Installation and Setup Guide.

Validate User List from Active Directory Domain in Web Client

Validate that the vCenter Single Sign-On Identity Source was correctly added by using the vSphere Web Client to fetch a list of users from that Identity Source. A list of Active Directory domain user accounts should be visible.

  1. Open a web browser and navigate to the vCenter Server's vSphere Web Client. Default URL is https://<vCenter_Appliance_FQDN>:9443/vsphere-client.
  2. Navigate from Home to Administration > Single Sign-On > Configuration > Users and Groups.
  3. From the Users tab, click the drop-down next to Domain and select the Active Directory domain.
  4. Confirm that the list of domain users is displayed.


Additional Information

Enabling Active Directory on the VMware vCenter Server Appliance 5.x fails with the error: Enabling active directory failed