topic Re: vCenter/vSphere and AD in VMware vSphere™ Discussions

vCenter/vSphere and AD

timsheets13 — Thu, 12 May 2022 21:29:40 GMT

We recently setup our vCenter appliance VM and it's working great. I have successfully joined the VM to our AD. We can now authenticate vCenter with our AD credentials. But, when I try to join vsphere html client to the domain so we can also use AD auth there, it fails. The error
Idm client exception: Error trying to join AD, error code [11], user [spinet\administrator], domain [spinet.local], orgUnit []

Any assistance appreciated as we don't want to use local or shared accounts for vSphere.

Thanks, Tim

Re: vCenter/vSphere and AD

scott28tt — Thu, 12 May 2022 22:09:36 GMT

Expect a moderator to move your thread to the vSphere area now that I have reported it.

Re: vCenter/vSphere and AD

timsheets13 — Fri, 13 May 2022 14:20:34 GMT

Thank you. I'm new to this board so not quite familiar yet

Re: vCenter/vSphere and AD

fabio1975 — Fri, 13 May 2022 15:59:30 GMT

Ciao

It is not clear to me what you mean when you say you have joined the domain of the VM. What version of vCenter are you using? However, since vSphere 7.0 version VMware has deprecated Integrated Windows Authentication
https://kb.vmware.com/s/article/78506

it is recommended to use Active Directory over LDAP

https://kb.vmware.com/s/article/2041378

continue for your mistake you can check this link

https://planetvm.net/blog/?p=3352

Re: vCenter/vSphere and AD

stadi13 — Tue, 17 May 2022 11:29:51 GMT

@timsheets13

It's no longer recommended to you an active directory with vCenter. You should use LDAPS or even better ADFS for authentication.

Did you follow the guide? https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.vcenter.configuration.doc/GUID-08EA2F92-78A7-4EFF-880E-2B63ACC962F3.html

From security perspective we are heading forwards in avoiding active directory authentication in any ways if not strictly required. You can see it in seperation of concerns. If an attacker gets compromised domain credentials, he will not be able to authenticate to your vCenter.

Regards

Daniel

Re: vCenter/vSphere and AD

ravjyo — Tue, 17 May 2022 12:14:26 GMT

Ensure that your Domain is always FQDN, and OU in LDAP format.. not getting this right sometime also cause issues.

Re: vCenter/vSphere and AD

cool_breeze — Tue, 17 May 2022 17:58:05 GMT

Thanks for the great info!

Re: vCenter/vSphere and AD

mbufkin — Tue, 17 May 2022 18:20:39 GMT

One more thing is to always use an NTP server to keep time synced between all server. Time is important.

Re: vCenter/vSphere and AD

8islas — Wed, 18 May 2022 08:00:10 GMT

I agree with the indications of other colleagues and would add

As they have already stated Integrated Windows Authentication (IWA) is deprecated, don't use it

https://blogs.vmware.com/vsphere/2020/05/vsphere-7-integrated-windows-authentication-iwa-ldap.html

If you use Active Directory as the identity source for vCenter Server, you should plan to enable LDAPS. For more information about this security update from Microsoft, see https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190023 and https://blogs.vmware.com/vsphere/2020 /01/ microsoft-ldap-vsphere-channel-binding-signing-adv190023.html.

From a security perspective, we use DUO to have 2FA

I hope that helps

Re: vCenter/vSphere and AD

MattStreet — Wed, 18 May 2022 09:44:25 GMT

If I'm reading your issue properly, you have managed to successfully join vCenter to AD, but unable to join the ESXi hosts to AD ?

Have you tried to putty connect to your ESXi hosts (may need to manually start the SSH service), and perform nslookup to your domain controller? nslookup to the domain FQDN?

If your ESXi hosts are on a separate VLAN / IP range to your domain controllers have you confirmed the relevant port access is open? Check out https://ports.esp.vmware.com/home/vSphere-7 for list of ports