Active Directory Authentication in VMware vRealize Log Insight
Article ID: 345653
Products

VMware Aria Suite

Issue/Introduction

VMware vRealize Log Insight supports three authentication mechanisms for the web user interface:

  • Local authentication
  • Active Directory authentication
  • VMware Identity Manager SSO authentication (beginning with release 4.3)

This article describes the username formats supported for Active Directory authentication.


Environment

VMware vRealize Log Insight 3.3.x
VMware vRealize Log Insight 3.0.x
VMware vRealize Log Insight 4.3.x
VMware vRealize Log Insight 2.5.x
VMware vRealize Log Insight 3.6.x
VMware vCenter Log Insight 2.x
VMware vRealize Log Insight 2.5
VMware vRealize Log Insight 4.5.x
VMware vRealize Log Insight 4.0.x
VMware vCenter Log Insight 1.x

Resolution

Active Directory authentication in VMware vRealize Log Insight works by specifying a domain and a binding user's credentials. With this information, vRealize Log Insight performs a DNS lookup of the specified domain to determine the domain controllers responsible for it. The binding user's credentials are used to add Active Directory users and groups to Log Insight.

After Active Directory is configured on vRealize Log Insight and the appropriate users and groups are added, log in to vRealize Log Insight using the appropriate Active Directory credentials. It is important to understand the username formats vRealize Log Insight accepts when authenticating against the Web UI.

These are the only supported formats to log in to a Log Insight instance:

  • username - If only a username is provided, then vRealize Log Insight attempts to authenticate the user against the local users defined first.
    • If the username is not found locally and Active Directory integration is configured then vRealize Log Insight attempts to authenticate the user against Active Directory. If authentication against Active Directory fails then the user is unable to log in to vRealize Log Insight.
    • If the username is found locally but the password is incorrect, and Active Directory integration is configured, then vRealize Log Insight attempts to authenticate the user against Active Directory with the UPN username@defaultdomain. If authentication against Active Directory fails then the user is unable to log in to vRealize Log Insight.
       
  • domain\username - If a username is specified in this format then it is assumed to be an Active Directory user. It is also assumed that the domain specified is a valid Active Directory domain with domain controllers. If the domain specified is not the default domain specified in the Active Directory configuration, then vRealize Log Insight still sends the request to the default domain specified.
    • If trusts are established between the default domain specified and the domain the user is defined in, then authentication succeeds if the password specified is correct.
    • If trusts are not established between the default domain specified and the domain the user is defined in, then authentication fails.
       
  • username@domain - If a username is specified in this format then it is assumed to be an Active Directory user. It is also assumed that the domain specified is a valid Active Directory domain with domain controllers. If the domain specified is not the default domain specified in the Active Directory configuration, then vRealize Log Insight still sends the request to the default domain specified.
    • If trusts are established between the default domain specified and the domain the user is defined in, then authentication succeeds if the password specified is correct.
    • If trusts are not established between the default domain specified and the domain the user is defined in, then authentication fails.
       
  • domain\username@upn - If a username is specified in this format then it is assumed to be an Active Directory user. It is also assumed that the domain specified is a valid Active Directory domain with domain controllers. If the domain specified is not the default domain specified in the Active Directory configuration, then Log Insight still sends the request to the default domain specified. This format is necessary when the User Principal Name (UPN) suffix for a user is not a valid domain with domain controllers. If the UPN suffix is a valid domain with domain controllers, use the username@domain format above instead.
    • If trusts are established between the default domain specified and the domain the user is defined in, then authentication succeeds if the password specified is correct.
    • If trusts are not established between the default domain specified and the domain the user is defined in, then authentication fails.

Restrictions

  • The Administrator account does not have a UPN defined by default. Either edit the account to add a UPN, such as [email protected], or use one of the other username formats.
     
  • It is not possible to authenticate to a Log Insight instance using a NetBIOS name instead of a domain name. For example, if you have an Active Directory domain called ad.example.com with a NetBIOS name defined as ad, then log in as either ad.example.com\username or [email protected]. You would not be able to log in as ad\username.
     
  • A UPN can only be used if the UPN is a valid Active Directory domain. If the UPN is an alias for a domain then authentication does not succeed. For example, if you have an Active Directory domain called ad.example.com and a UPN defined as example.com then you would only be able to log in as example.com\username or [email protected] if example.com was a valid Active Directory domain with domain controllers.
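The decision flow above (local lookup first, fallback to Active Directory as username@defaultdomain, routing of every request through the default domain, and the trust requirement) together with the restrictions (NetBIOS names and UPN aliases are not domains with domain controllers) can be written down as a small model. The following Python is an added illustration and not VMware code: the names Directory, parse_login and authenticate, the tuple layout of the user records, and every domain, user and password are assumptions constructed for the example.

```python
"""Decision model of the vRealize Log Insight login-name handling this
article describes.  Added illustration, not VMware code: Directory,
parse_login and authenticate are names assumed for this example, and all
domains, users and passwords below are constructed."""
from dataclasses import dataclass


@dataclass
class Directory:
    """Constructed stand-in for Log Insight's AD configuration and the forest."""
    default_domain: str   # domain configured on the Log Insight AD page (None = not configured)
    ad_domains: set       # DNS domains that actually have domain controllers
    trusts: set           # frozenset({a, b}) for each trust relationship
    ad_users: dict        # (domain, account name) -> (password, upn_suffix or None)
    local_users: dict     # local Log Insight user -> password


def parse_login(login):
    """Classify a login string into one of the four supported formats.

    Returns (fmt, user, domain, upn_suffix); fields a format does not carry
    are None.  Anything containing a backslash is domain\\username, optionally
    followed by @upn; a bare '@' form is username@domain.
    """
    if "\\" in login:
        domain, rest = login.split("\\", 1)
        if "@" in rest:
            user, upn = rest.split("@", 1)
            return "domain\\username@upn", user, domain, upn
        return "domain\\username", rest, domain, None
    if "@" in login:
        user, domain = login.split("@", 1)
        return "username@domain", user, domain, None
    return "username", login, None, None


def _ad_auth(d, user, domain, password, upn=None):
    """One Active Directory bind attempt.  The request always goes to the
    default domain, so a user defined elsewhere is reachable only via a trust."""
    if domain not in d.ad_domains:
        # NetBIOS short names and UPN-suffix aliases have no domain controllers
        return False, "no domain controllers for %r" % domain
    if domain != d.default_domain and frozenset({domain, d.default_domain}) not in d.trusts:
        return False, "no trust between %s and %s" % (d.default_domain, domain)
    record = d.ad_users.get((domain, user))
    if record is None:
        return False, "unknown user"
    stored_pw, stored_upn = record
    if upn is not None and upn != stored_upn:
        return False, "UPN suffix mismatch"
    if stored_pw != password:
        return False, "bad password"
    return True, "ad:%s" % domain


def authenticate(d, login, password):
    """Apply the order of checks the article describes; returns (ok, reason)."""
    fmt, user, domain, upn = parse_login(login)
    if fmt == "username":
        if user in d.local_users and d.local_users[user] == password:
            return True, "local"
        if d.default_domain is None:
            return False, "not a local user and AD not configured"
        # Not found locally, or found with a wrong password: retry against AD
        # as username@defaultdomain.
        return _ad_auth(d, user, d.default_domain, password)
    # Every other format is assumed to name an Active Directory user.
    return _ad_auth(d, user, domain, password, upn)


# Constructed sample environment: ad.example.com is the configured default
# domain, corp.example.net is trusted, lab.example.org is not trusted, and
# example.com is only a UPN suffix with no domain controllers.
SAMPLE = Directory(
    default_domain="ad.example.com",
    ad_domains={"ad.example.com", "corp.example.net", "lab.example.org"},
    trusts={frozenset({"ad.example.com", "corp.example.net"})},
    ad_users={
        ("ad.example.com", "alice"): ("pw-alice", "example.com"),
        ("ad.example.com", "admin"): ("pw-admin", None),  # no UPN, like Administrator
        ("corp.example.net", "bob"): ("pw-bob", "corp.example.net"),
        ("lab.example.org", "carol"): ("pw-carol", "lab.example.org"),
    },
    local_users={"alice": "local-alice", "admin": "local-admin"},
)

if __name__ == "__main__":
    attempts = [("alice", "local-alice"), ("alice", "pw-alice"),
                ("ad.example.com\\alice", "pw-alice"), ("alice@ad.example.com", "pw-alice"),
                ("ad\\alice", "pw-alice"), ("alice@example.com", "pw-alice"),
                ("ad.example.com\\alice@example.com", "pw-alice"),
                ("bob@corp.example.net", "pw-bob"), ("carol@lab.example.org", "pw-carol")]
    for login, pw in attempts:
        print("%-36s %s" % (login, authenticate(SAMPLE, login, pw)))
```

Running the block prints one line per attempt; the two that fail for alice are the NetBIOS form ad\alice and the alias form alice@example.com, while ad.example.com\alice@example.com succeeds because the domain part is a real domain and the suffix matches the account's UPN. Carol fails only because no trust exists between the default domain and lab.example.org.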