Migrating from an Active Directory as LDAP identity source to an Active Directory identity source
Article ID: 343016

Products

VMware vCenter Server
VMware vSphere ESXi

Issue/Introduction

This article provides information on manually migrating an Active Directory as a LDAP Server identity source (the Active Directory identity source available in vSphere 5.1) to an Active Directory (Integrated Windows Authentication) identity source.
  • In vCenter Server 5.1, vCenter Single Sign-On (SSO) 5.1 is used, and the only way to integrate with Active Directory was through LDAP(s) server connections.
  • In vCenter Single Sign-On 5.5, Active Directory is integrated by using a Service Principal Name (SPN) for the secure token service. LDAP(s) server connections are still supported for Active Directory authentication to provide backward compatibility when upgrading from vSphere 5.1 to vSphere 5.5.


Environment

VMware vCenter Server 5.5.x
VMware vSphere Web Client 5.5.x

Resolution

Prerequisites:
  • Review the differences between Use machine account and Use SPN in the Active Directory Identity Source Settings section of the vSphere Installation and Setup Guide.

    • Depending on business restrictions, the use of a Service Principal Name (SPN) may be required for configuring the Active Directory (Integrated Windows Authentication) identity source.
    • An SPN account is required if you are adding an Active Directory (Integrated Windows Authentication) identity source for a domain that has no trust relationship with the current domain of vCenter Server.

      Note: For configuring an SPN for use with creating an identity source, see Creating and using a Service Principal Account in vCenter Single Sign-On 5.5 (2058298).
  • Ensure that you have joined vCenter Server to an Active Directory domain. For more information, see the Microsoft TechNet article How to Join Your Computer to a Domain.

    Note: The preceding link was correct as of September 19, 2013. If you find the link is broken, provide feedback and a VMware employee will update the link.
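Because Step 9 below removes the existing identity source before the new one exists, it is worth confirming the prerequisites from a shell on the vCenter Server host first. The following PowerShell function is an added example and is not part of the KB article or of VMware's tooling. It assumes a Windows vCenter Server 5.5 host with Windows PowerShell 2.0 or later, that setspn.exe is present (it is on domain-joined Windows Server 2008 and later), and that the SPN account name, when one is used, is supplied by the operator; the function name and the sample account name are placeholders.

```powershell
# Added example (not from the KB article): pre-migration checks for the
# Active Directory (Integrated Windows Authentication) identity source.
# Run in an elevated PowerShell session on the vCenter Server host.
function Test-VCenterAdPrerequisites {
    param(
        [string]$SpnAccount = ''   # sAMAccountName of the SPN account (optional; see KB 2058298)
    )
    $ok = $true

    # 1. The host must be a member of an Active Directory domain (prerequisite above).
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    if (-not $cs.PartOfDomain) {
        Write-Warning "Host '$($cs.Name)' is not joined to a domain; join it before adding the identity source."
        return $false
    }
    Write-Host "Domain membership: $($cs.Domain)"

    # 2. The domain must resolve in DNS and the machine account's secure channel to a
    #    domain controller must be healthy; Integrated Windows Authentication depends on both.
    try {
        $dcAddresses = [System.Net.Dns]::GetHostAddresses($cs.Domain)
        Write-Host "Domain resolves to: $($dcAddresses -join ', ')"
    } catch {
        Write-Warning "Domain '$($cs.Domain)' does not resolve in DNS: $_"
        $ok = $false
    }
    if (-not (Test-ComputerSecureChannel)) {
        Write-Warning "Secure channel to the domain is broken; repair it (Test-ComputerSecureChannel -Repair) before continuing."
        $ok = $false
    }

    # 3. If an SPN account is used (required when the domain has no trust with the
    #    vCenter Server domain), confirm the account exists and has an SPN registered.
    if ($SpnAccount) {
        $spnOutput = & setspn.exe -L $SpnAccount 2>&1
        # setspn prints registered SPNs as indented "service/host" lines.
        if ($LASTEXITCODE -ne 0 -or -not ($spnOutput -match '/')) {
            Write-Warning "No SPN registered for account '$SpnAccount'. Output:`n$($spnOutput -join "`n")"
            $ok = $false
        } else {
            Write-Host "Registered SPNs for '$SpnAccount':"
            $spnOutput | Where-Object { $_ -match '/' } | ForEach-Object { Write-Host "  $_" }
        }
    }

    return $ok
}

# Usage ('svc-sso-spn' is a placeholder account name):
# Test-VCenterAdPrerequisites -SpnAccount 'svc-sso-spn'
```

The function returns `$true` only when every check passes; if it returns `$false`, fix the reported item before deleting the Active Directory as a LDAP Server identity source, because users from that domain cannot authenticate between Step 9 and Step 14.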
To migrate an Active Directory as a LDAP Server identity source to an Active Directory (Integrated Windows Authentication) identity source:
  1. Log in to the vSphere Web Client as the SSO administrator, administrator@vsphere.local. By default, the vSphere Web Client URL is:

    https://vCenter_Server_FQDN:9443/vsphere-client
     
  2. Click Administration.
  3. If closed, expand Single Sign-On by clicking on the arrow to the left.
  4. Click Configuration.
  5. Click the Identity Sources tab.
  6. Click the current Active Directory as a LDAP Server identity source. This is denoted by ActiveDirectory under the Type column.
  7. Click the Edit Identity Source icon under the options menu.
  8. In the Edit identity source window, review the Domain name and Username fields. These values are used to create the new Active Directory identity source.

    For example:

    [Figure: Edit identity source dialog showing the Domain name and Username fields]

    Note: Before proceeding, take a screenshot of the above configuration information.
     
  9. Remove the current Active Directory as a LDAP Server identity source by selecting the identity source and clicking the Delete Identity Source icon under the options menu. Click Yes to remove the identity source.

    Note: After deleting the Active Directory as a LDAP Server identity source, no users from that domain can authenticate with vCenter Server or vCenter Single Sign-On until the new identity source is created.
     
  10. Click the Add Identity Source icon under the options menu.
  11. Select the Active Directory (Integrated Windows Authentication) option.
  12. Review the Domain name field. It is automatically populated with the domain name noted in Step 8.
  13. Select the appropriate option (Use machine account or Use SPN) to act as the provider and finalize the identity source creation. This provider is used to query the Active Directory user and group information.

    For example:

    [Figure: identity source dialog with the provider option selected]
     
  14. Click OK.

Note: Using the administrator@vsphere.local account, verify that you are able to add a new account from the domain within vCenter Server. Also, verify that existing users within vCenter Server are able to log in again.