VMware Cloud Community
jasonboche
Immortal

Tech: How to enable passthrough authentication in VMware VirtualCenter 2.5

Saw a cool article cross my RSS reader today on How to enable passthrough authentication in VMware VirtualCenter 2.5.

I just tested it; it works.

Source: http://www.virtualization.info/2008/03/tech-how-to-enable-passhrough.html Thank you Stuart Radnidge and Alessandro Perilli!

To use it, simply add -passthroughAuth -s vchostname to the end of the shortcut used to launch the VI 2.5 client.

By default it uses the Negotiate SSPI provider, however since they have fully implemented the interface you can change that behaviour to use Kerberos by adding the following within the node in the vpxd.cfg file on the VC server:

Jason Boche

VMware Communities User Moderator (http://communities.vmware.com/docs/DOC-2444)

VCDX3 #34, VCDX4, VCDX5, VCAP4-DCA #14, VCAP4-DCD #35, VCAP5-DCD, VCPx4, vEXPERTx4, MCSEx3, MCSAx2, MCP, CCAx2, A+
12 Replies
Jwoods
Expert

NICE find! Worked like a charm. Thanks!

thickclouds
Enthusiast

Great tip! VMware should add this as an option for the default install!

Charlie Gautreaux vExpert http://www.thickclouds.com
Patrick_Miller
Enthusiast

Jason,

Awesome find!! Thanks!

mcowger
Immortal

I'm a little unclear on this....what does this offer me? Can I passthru my authentication to a real Kerberos server rather than the M$ crap?

--Matt

--Matt VCDX #52 blog.cowger.us
jasonboche
Immortal

> I'm a little unclear on this....what does this offer me? Can I passthru my authentication to a real Kerberos server rather than the M$ crap?

It allows administrators single sign on for VirtualCenter Infrastructure Client from a Windows OS. Since the VIC is installed only on Windows operating systems, this is quite literally a shortcut for any VirtualCenter administrator who uses Windows authentication with VirtualCenter.

seangar
Contributor

We have tried this on a kerberized (MIT) W2k3R2SP2 server with a fresh install of 2.5 and Windows.

We can log on to the Windows server via the Kerberos realm successfully, but then fail to log on to VC. We have defined the users in VC.

TIA - S

bobst_martin
Contributor

Wonderful, it's exactly what I was expecting for a long time.

esnmb
Enthusiast

Is this only available in Update 1? I searched my VC server for the vpxd.cfg file and it was only located in the Update 1 extracts.

jasonboche
Immortal

No, I believe this is 2.5.0 specific. AFAIK, Update 1 isn't required. vpxd.cfg path location should not have changed between 2.5.0 and 2.5.0u1

TCronin
Expert

It looks like your workstation needs to be in the domain for the passthrough to work. Tried a few things but couldn't get using a different user/password to be passed from the command line.

Tom Cronin, VCP, VMware vExpert 2009 - 2021, Co-Leader Buffalo, NY VMUG
esnmb
Enthusiast

Like I said, I don't even see the cfg file. Strange right?

kaghaiepour
Contributor

I have tested this with the following results. In a Windows domain with cross-realm trust with an MIT Kerberos realm, where hosts are configured to know about the MIT Kerberos realm, while still joined to the Active Directory domain, I have had success with logging into the host that runs VirtualCenter Manager and using passthru authentication using "localhost" or the FQDN of the host with the virtual center client application. I suspect it is because when I log in and authenticate against the external MIT Kerberos KDC, I get the following credentials:

(assuming my AD realm is MY.ORG, and my MIT Kerberos realm is EXTERNAL.MY.ORG )

krbtgt/EXTERNAL.MY.ORG@EXTERNAL.MY.ORG

krbtgt/MY.ORG@EXTERNAL.MY.ORG

(some cifs and ldap related service principals)

and most importantly:

host/my-virtual-center-manager-host.my.org@MY.ORG

With the above credentials, the passthru works fine. Unfortunately this only works on the host that runs the virtual center manager windows service. If I install the virtual center client on a machine that is remote to the virtual center manager host, for example, my-citrix-server.my.org, then the host principal I have is:

host/my-citrix-server.my.org@MY.ORG

and when I attempt to use passthru auth to the remote vi manager host, it fails. Why can't virtual center allow for authentication against a remote Kerberos or LDAP server?
