VMware Cloud Community
kopper27
Hot Shot

Single Sign On and AD users

Hi guys,

Every time I install vCenter I create a local group on my Windows vCenter Server, "Virtual Adms", and add all the users that need admin access to vCenter; then in vCenter I add that group to Administrators in vCenter Permissions.... I also create a local account and add that account to "Virtual Adms".

Now I am trying to do the same thing for vCenter 5.1.

Right now I am only able to log in to vCenter using the local account; the AD accounts won't work.... If I understand correctly I need to configure an SSO thing in order to be able to log in my users, is that right?

In fact, when I try to add a new user in Permissions in my Web Client I don't see the option for my domain. This is a screen taken from another user in this forum, but it is the same thing:

http://screencast.com/t/lf22UBY8

Is that it, or am I missing something else here?

Thanks


Accepted Solutions
mclark
Expert

Just earlier today I set up a vCenter 5.1 server to test it out. I installed the appliance since I'm just testing for now, but I would assume that the basics are the same on Windows. Here's what I had to do to get AD functioning:

1) Set up SSO (done automatically during install)

2) Set up AD authentication using the command line instead of the Web GUI (:5480). See the following: http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=200262...

3) Log in as root to the vCenter web client (https://<VCAddress>/vsphere-client/)

4) In the Administration section of VC, Sign-On and Discovery option, select Configuration and add your AD domain as an identity source. Once it is successfully added as an identity source, move it up to the first on the list as a default domain (bottom of the same screen).

5) In Administration, Access option, select SSO Users and Groups, add your AD group to the "__Administrators__" group. It will then show up at the bottom of the screen as a principal name when you select the group.

6) On the VC server, get to the Manage tab and select Permissions, then add your AD group with the Administrator role

Once I had done all that, I was able to log out and log back in with my domain account. I did not have to do <domain>\<user> in the user name box, just <user>.

9 Replies
kopper27
Hot Shot

No one knows? I mean, this is kind of important for setting up this new VMware feature, SSO.

Can anybody help?

kopper27
Hot Shot

Thanks a lot.

I am working on a project and currently the Windows administrator is having problems with how to complete, or what information is needed to put in, the SSO information.

I mean this one:

http://www.gabesvirtualworld.com/wp-content/uploads/2012/09/sso-02.jpg

So if you have yours handy, I can have an example to show him.

Thanks

mclark
Expert

I personally did NOT use an administrator account. I used a normal AD account that is used for LDAP searches in AD. That worked fine.

Here is what is in my identity source config screen under "Identity source settings":

Name: ad.xxx.zzz

Primary server URL: ldap://ad.xxx.zzz

Base DN for users: OU=Users,DC=ad,DC=xxx,DC=zzz  (I got this from using ADSI edit to find the LDAP format)

Domain name: ad.xxx.zzz

Base DN for groups: OU=Users,DC=ad,DC=xxx,DC=zzz  (same as users DN for me)

Authentication type: Password

Username: OUR-AD\<username>   (This is the WINS-style name for our AD, not the DNS-style name)

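The identity-source settings mclark lists above are a plain LDAP bind with a service account. The following script is an added example, not code from the thread or from VMware: it takes a dictionary shaped exactly like those seven fields (the values are constructed samples; the service-account name is made up), parses the base DNs, and reports the things a reviewer would check before trusting the configuration: whether the server URL is ldap:// rather than ldaps://, whether the DC= components of each base DN agree with the Domain name field, and whether the bind username is in the NetBIOS DOMAIN\user form mclark says worked.

```python
"""Sanity-check an SSO 5.1 Active Directory identity-source definition.

Added example (not VMware's code): the field names mirror the settings
listed in the thread; the values below are constructed samples.
"""
import re
from urllib.parse import urlparse

# Constructed sample, shaped like the "Identity source settings" in the post.
IDENTITY_SOURCE = {
    "Name": "ad.xxx.zzz",
    "Primary server URL": "ldap://ad.xxx.zzz",
    "Base DN for users": "OU=Users,DC=ad,DC=xxx,DC=zzz",
    "Domain name": "ad.xxx.zzz",
    "Base DN for groups": "OU=Users,DC=ad,DC=xxx,DC=zzz",
    "Authentication type": "Password",
    "Username": "OUR-AD\\svc-ldap-search",  # constructed service account name
}

RDN_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*)=(.+)$")


def parse_dn(dn):
    """Split a DN into (attribute, value) pairs.

    Naive split on ',': sufficient for DNs like the ones in this thread,
    which contain no escaped commas inside values.
    """
    parts = []
    for rdn in dn.split(","):
        m = RDN_RE.match(rdn.strip())
        if not m:
            raise ValueError(f"malformed RDN: {rdn!r}")
        parts.append((m.group(1).upper(), m.group(2)))
    return parts


def domain_from_dn(dn):
    """Join the DC= components of a DN into a DNS-style domain name."""
    return ".".join(v for a, v in parse_dn(dn) if a == "DC")


def check_identity_source(src):
    """Return a list of findings (empty list means nothing to report)."""
    findings = []

    url = urlparse(src["Primary server URL"])
    if url.scheme == "ldap":
        findings.append("url: plain ldap:// - a simple bind sends the service-account "
                        "password in the clear unless StartTLS is negotiated; prefer ldaps://")
    elif url.scheme != "ldaps":
        findings.append(f"url: unexpected scheme {url.scheme!r}")

    # The DC= path of each base DN should spell the same domain as "Domain name".
    for field in ("Base DN for users", "Base DN for groups"):
        try:
            dc = domain_from_dn(src[field])
        except ValueError as e:
            findings.append(f"{field}: {e}")
            continue
        if dc.lower() != src["Domain name"].lower():
            findings.append(f"{field}: DC components ({dc}) do not match "
                            f"Domain name ({src['Domain name']})")

    # mclark reports the bind account had to be given as NetBIOS DOMAIN\user.
    if src["Authentication type"] == "Password" and "\\" not in src["Username"]:
        findings.append("username: expected NetBIOS-style DOMAIN\\user for password authentication")

    return findings


if __name__ == "__main__":
    for line in check_identity_source(IDENTITY_SOURCE) or ["no findings"]:
        print(line)
```

Run against the sample, the only finding is the unencrypted ldap:// URL; the DNs and username pass. Swap in a base DN from another domain or drop the DOMAIN\ prefix and the corresponding checks fire, which is the kind of mistake the Windows administrator in the thread was struggling with.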
kopper27
Hot Shot

Thanks a lot.

I will try ASAP and let you know.

dpow243
Contributor

I can log in to the vSphere Web Client using: domain.net\username

but not using: AD-name\username (the WINS name, as you mention).

When selecting "Use Windows session authentication", it automatically populates the username field with AD-name\username and is therefore unable to log in. Is there an option to change that? Basically, to use domain.net instead of AD-name.

kopper27
Hot Shot

mclark, just one last question.

I was checking this:

http://www.gabesvirtualworld.com/adding-ad-authentication-to-vmware-sso-5-1/

and it says:

Log in to the vSphere Web Client: https://<ip address>:9443/vsphere-client using the basic SSO account. For a Windows install of SSO this is the user "admin@System-Domain" and for the vCenter Server Virtual Appliance it is "root@System-Domain". The password is what you entered during installation of SSO.

Did you just use normal root, or did you use root@System-Domain as it says there?

kopper27
Hot Shot

Got it up and running.

To configure this you have to use root - password; by default @localos is used, and it has to be configured with that.

arrietty
Enthusiast

I have successfully upgraded to vSphere 5.1, but during SSO installation I added the domain name as domain.name.com. It has found the domain and AD OK and I can add users OK. However, when users log into Virtual Center (web or client) now, we have to use the FQDN of the domain rather than domain\username as previously, and it is also no use ticking "use Windows credentials" when logging in as previously, because when I log into my computer I use domain\username, not domain.name.com\username.

What I want to ask is: can I log into Virtual Center as admin@system-domain and change the domain name to the NetBIOS name without adverse effects? Or is it better to leave it as it is? The problem is that one of my backup services uses a domain account to back up the VMware VMDKs and it has stopped working. I can only presume this is because this service account (I have added it to SSO) is using the domain\serviceAccountname style of authentication.

TIA

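dpow243 and arrietty both hit the same thing from different directions: the identity source was registered under the DNS-style name (domain.net, domain.name.com), so logins that carry the NetBIOS name (AD-name\username, the form that "Use Windows session authentication" fills in) find no matching source. The script below is an added example, not VMware's code and not a description of SSO internals; it is a simplified model of the behaviour the thread describes (a login is routed to a source only if its domain part equals the string the source was registered with, and a bare user name goes to the default domain from mclark's step 4). The optional `aliases` tuple is an assumption added to show what registering the NetBIOS name alongside the DNS name would change; all names are constructed.

```python
"""Model how a login name is matched against configured SSO identity sources.

Added example, not VMware's code: a simplified model of the behaviour
described in the thread. The `aliases` field is an assumption used to show
the effect of also registering the NetBIOS name.
"""
from dataclasses import dataclass


@dataclass
class IdentitySource:
    domain_name: str        # the "Domain name" field, e.g. domain.name.com
    aliases: tuple = ()     # assumed: other names (e.g. NetBIOS) that map here

    def matches(self, domain):
        d = domain.lower()
        return d == self.domain_name.lower() or d in (a.lower() for a in self.aliases)


def split_login(login):
    """Accept DOMAIN\\user or user@domain; return (domain, user).

    A bare user name returns (None, user) so the caller can apply the
    default domain.
    """
    if "\\" in login:
        dom, user = login.split("\\", 1)
        return dom, user
    if "@" in login:
        user, dom = login.rsplit("@", 1)
        return dom, user
    return None, login


def resolve(login, sources, default=None):
    """Return the IdentitySource the login would be sent to, or None."""
    dom, _user = split_login(login)
    if dom is None:
        return default          # bare name -> default domain, if one is set
    for s in sources:
        if s.matches(dom):
            return s
    return None                 # no source knows this domain string


if __name__ == "__main__":
    # Constructed: source registered only under the DNS-style name, as arrietty did.
    dns_only = IdentitySource("domain.name.com")
    # Constructed: same source with the NetBIOS name registered as an alias.
    with_alias = IdentitySource("domain.name.com", aliases=("DOMAIN",))

    for login in ("domain.name.com\\alice", "alice@domain.name.com", "DOMAIN\\alice", "alice"):
        a = resolve(login, [dns_only], default=dns_only)
        b = resolve(login, [with_alias], default=with_alias)
        print(f"{login:26} dns-only: {'ok' if a else 'no source'}  with alias: {'ok' if b else 'no source'}")
```

With the DNS-only source, `DOMAIN\alice` (what the Windows session fills in, and what a backup service bound as domain\serviceAccountname would present) resolves to nothing, while `domain.name.com\alice`, `alice@domain.name.com` and a bare `alice` with a default domain all succeed; adding the NetBIOS alias makes the first form resolve too. Whether the real product accepts a second name for the same source is a question for VMware's documentation, which is what arrietty is asking.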