The vCenter 5.5 VCSA has just been deployed and you want to setup LDAP authentication. For this example, we want users in the Domain Admins AD group to be able to login to vCenter with their AD credentials. To do that, here’s what is needed:
- Access to email@example.com (This account is needed to configure SSO and to configure vCenter with your AD domain)
- Access to vSphere configuration client (This is to configure initial SSO and Authentication settings)
- Access to vSphere web client
- An AD Domain
1) Configure network settings through vCenter Server Appliance web console (https://vCenter address:5480).
- Go to vCenter > Network > Address
- Configure appropriate IP configuration information. Remember the hostname field requires FQDN and DNS primary should be pointed to your DNS server.
- Go to your DNS server and add a Host A record for vCenter
2) Configure SSO through the vCenter Server Appliance web console (https://vCenter address:5480).
- Go to vCenter > SSO
- Under “SSO deployment type”, selected “Embedded”
- Configure a password
- Before you can apply your settings, you must stop the vmware-vpxd service or your settings will not take. To do that, use PuTTy or a similar SSH client to get into the vCenter CLI. Use the command service vmware-vpxd stop to stop the service.
- Apply your settings by clicking “Save Settings”
- Reboot the VCSA afterwards
3) Configure domain through the vCenter Server Appliance web console (https://vCenter address:5480).
- Go to vCenter > Authentication
- Put a checkmark next to “Active Directory Enabled”
- Input domain name and admin credentials that can join vCenter to the domain
- Reboot VCSA again
4) Configure AD as identity source in vSphere Web client
- Login to vSphere web client (https://vcenter address:9443) with your firstname.lastname@example.org account. If you cannot login with that account, a step was performed incorrectly in steps 1-3. Go back and fix it.
- Go to Administration > Single Sign-On > Configuration > Identity Sources
- Select Active Directory as LDAP Server
- Configure settings as follows (replace with your own AD information)
5) Add AD group to permissions groups in vSphere Client
- Login via vSphere legacy (C# client) client
- Click on vCenter highest level and go to “Permissions” tab
- Right-click and choose “Add Permission”
- Under “Assigned Role” select Administrator. Than under “Users and Groups” section click “Add”
- Choose your domain in the Domain drop-down menu
- Since we are adding a group, choose “Show Groups First” in the next drop-down menu
- Choose your appropriate group to add to the vCenter Administrators. In our case, it’s Domain Admins group.
- Check names and than click ok. This is all the configuration that is needed. Reboot vCenter at this point.
- Once vSphere as restarted, exit the vSphere client and check domain login via web client and legacy client.