VMware Cloud Community
khaliqamar
Enthusiast

AD integration

hello,

I am integrating AD with VCSA 5.5 but am having big trouble.

I followed this article and managed to get it working for the administrator (AD) account, but I can't get access for other AD accounts; I get a wrong-password error message even though the password is correct.

http://www.vladan.fr/vcsa-5-5-installation-configuration-part-2/

Can anyone tell me what configuration an AD account should have inside the Active Directory domain controller?

Should it have any special settings?

10 Replies
No_Way
Enthusiast

Hi

To set up the identity source (an AD domain), the account should only need read permissions. But the problem could be in the "Base DN for Users" that was set in the Identity Sources option.

NW

khaliqamar
Enthusiast

Could you please tell me in detail what permissions I should give the account in AD, and how to check the "Base DN for Users"?

In vCenter, should I put all accounts under Administrator and then assign roles accordingly?

No_Way
Enthusiast

Hi

First, can you tell me if you are trying to add a domain to vCenter. Is this the task? Integrating vCenter with your AD?

If yes, and your domain was not added during the installation of vCenter (for example a local install, or you are trying to add a different domain), you need to go to the SSO option (in the vSphere Web Client), then Configuration, then the Identity Sources tab, and add your AD as "Active Directory as a LDAP Server".


Then you need to add your LDAP server (example: ldap://DCserver.domain.com:3268). Note: use port 3268.

Then we need to add the Base DN for users and groups. Since we want to use users from all groups and areas, use the root Base DN (example: DC=domain,DC=com). We use this Base DN for both the users and the groups option. Then you just need to add a user and password from your domain (the same domain that you are trying to add) and test the LDAP communication.

Hope this helps

NW

khaliqamar
Enthusiast

My domain and accounts are already visible in vCenter, but it is still giving me a password error, even though my password is correct.

I have done all the settings which you have mentioned here. That's why I was asking whether there is any information/guide on creating AD accounts.

Anything to debug?

No_Way
Enthusiast

Hi

Did you choose your domain as the default domain in the same area that I discussed before?

Also, do you use DOMAIN\USERNAME or USERNAME@DOMAIN in the user login?

NW

khaliqamar
Enthusiast

I am using <loginname>@domain.

When I click on my domain, "Set as default domain" is greyed out, so I think it is already selected.

I have selected Active Directory (Integrated Windows Authentication) as the identity source type...

Any suggestion?

No_Way
Enthusiast

Hi

Have you tried a different account? Could that account have been locked already because of several attempts?

Also try both ways (don't use "Use Windows session authentication" for now): DOMAIN\USERNAME and USERNAME@DOMAIN.

The only times I have seen this behavior were when the proper user name vs. domain was not used, or the AD source was not set as default.

Using Integrated Windows Authentication is set by default on the vCenter installation. Like I said before, you should choose LDAP server with the proper port and Base DN.

NW

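A practitioner's check for the LDAP-server settings given in the earlier reply (ldap://…:3268, root Base DN, a domain bind account) and for the lockout and login-format points raised in this one. This is an added PowerShell example, not code from the thread or from VMware: it reproduces, from a Windows host that can reach the DC, the simple bind and subtree search that the "Active Directory as a LDAP Server" identity source performs, so the generic "wrong password" can be narrowed down. The host dc01.corp.example.com, the Base DN DC=corp,DC=example,DC=com and the user jdoe are assumed placeholders.

```powershell
# Added example, not from the thread or from VMware. Reproduces what the
# "Active Directory as a LDAP Server" identity source does (simple bind, then a
# subtree search under the Base DN) so a "wrong password" can be split into:
# port unreachable, bind account wrong, user outside the Base DN, or user
# disabled / locked out. Assumed placeholders: dc01.corp.example.com,
# DC=corp,DC=example,DC=com, jdoe.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$LdapUrl  = 'ldap://dc01.corp.example.com:3268'   # exactly the string used in the identity source
$BaseDn   = 'DC=corp,DC=example,DC=com'            # Base DN for users (and groups)
$TestUser = 'jdoe'                                 # sAMAccountName of an account that "fails"
$Cred     = Get-Credential -Message 'Bind account, as user@domain or DOMAIN\user'

# 1. Parse the URL the same way the form will: scheme, host, port.
$uri  = [Uri]$LdapUrl
if ($uri.Scheme -ne 'ldap' -and $uri.Scheme -ne 'ldaps') { throw 'URL must start with ldap:// or ldaps://' }
$port = if ($uri.Port -gt 0) { $uri.Port } elseif ($uri.Scheme -eq 'ldaps') { 636 } else { 389 }

# 2. 3268/3269 only answer on Global Catalog DCs; 389/636 answer on every DC.
if (-not (Test-NetConnection -ComputerName $uri.Host -Port $port).TcpTestSucceeded) {
    throw "$($uri.Host):$port is not reachable (is this DC a Global Catalog?)"
}

# 3. Simple bind with the identity-source account. Over plain ldap:// the password
#    crosses the wire in cleartext, so prefer ldaps:// (3269 for the GC) with the DC
#    certificate; a DC that requires LDAP signing also rejects this bind on 389/3268.
$id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($uri.Host, $port)
$auth = [System.DirectoryServices.Protocols.AuthType]::Basic
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id, $Cred.GetNetworkCredential(), $auth)
$conn.SessionOptions.ProtocolVersion = 3
if ($uri.Scheme -eq 'ldaps') { $conn.SessionOptions.SecureSocketLayer = $true }
$conn.Bind()   # an "invalid credentials" LdapException here means the bind account itself is wrong

# 4. Find the test user under the configured Base DN, the way SSO will.
$scope = [System.DirectoryServices.Protocols.SearchScope]::Subtree
$attrs = [string[]]('distinguishedName', 'userPrincipalName', 'userAccountControl', 'lockoutTime')
$req   = New-Object System.DirectoryServices.Protocols.SearchRequest($BaseDn, "(sAMAccountName=$TestUser)", $scope, $attrs)
$resp  = $conn.SendRequest($req)
if ($resp.Entries.Count -eq 0) {
    # The "administrator works, nobody else does" symptom: the Base DN is a container or
    # OU that holds the admin but not the other users. Widen it to the domain root.
    throw "No entry for $TestUser under $BaseDn; widen the Base DN to the domain root (e.g. DC=corp,DC=example,DC=com)"
}

$e       = $resp.Entries[0]
$uac     = [int]$e.Attributes['userAccountControl'][0]
$lockout = if ($e.Attributes['lockoutTime']) { [long]$e.Attributes['lockoutTime'][0] } else { 0 }

"DN:         $($e.Attributes['distinguishedName'][0])"
"UPN:        $($e.Attributes['userPrincipalName'][0])"   # the USERNAME@DOMAIN form to type in the login box
"Disabled:   $(($uac -band 0x0002) -ne 0)"                # ACCOUNTDISABLE bit of userAccountControl
"Locked out: $($lockout -gt 0)"                          # nonzero until the lockout duration elapses or an admin unlocks
```

Reading the result: an exception at the bind is the identity-source account or its password, not the end user; zero entries is the Base DN; a user that is found, enabled and not locked leaves only what this script cannot see, namely the login format (DOMAIN\USERNAME vs USERNAME@DOMAIN) and whether the AD source is the default domain. Run it once over ldaps:// on 3269 as well, since that is the form in which the bind password is not exposed on the network.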
npadmani
Virtuoso

hi VirtualRay,

As you said, you are facing big trouble integrating AD with VCSA 5.5. I faced similar trouble long back, and I did the following.

I would put it like this:

1)

Join your VCSA to AD Domain by doing following activity

https://vcsa_appliance_ip:5480

Username: root and <your pwd>

Go to Authentication Services and join the appliance to the domain.

Reboot the appliance

2) Also create and use a service principal account as explained in the following article:

VMware KB: Creating and using a Service Principal Account in vCenter Single Sign-On 5.5

3)

Open following URL

https://vcsa_appliance:9443 (this will open the Web Client; I am sure you have already explored this)

Log in using username: administrator@vsphere.local and <your pwd>. The default password for this is 'vmware'.

go to 'Administration' in the left vertical panel

go to 'SSO - Configuration' area

go to 'Identity source' tab

If you have not added any further identity sources yet, it will list two: one of them is localos and the other is vsphere.local.

Since you are trying to add AD as an identity source [in your case I believe you have already added it, but it seems IDM is still not reaching it properly, so please remove AD as an identity source from that list and move forward]:

Just click on the green plus symbol on that screen.

That will give you a popup dialog with 4 options; among them, go to the very first option, which adds AD as an integrated identity source, and provide the SPN details which you made ready in 2).

[Screenshot attached: Screen Shot 2015-05-24 at 7.17.58 am.png]

And this will successfully add the identity source.

Note: adding an identity source in SSO doesn't mean any account from it will gain any kind of permission on your vCenter inventory. Assigning permissions needs to be done separately.

== I also agree with the previous post: if you want to choose AD as an LDAP server, that will also work, but in that case you have to add a bit more detail, like the Base DN for users/groups and the LDAP server URL with the default port 389, etc.

Narendra Padmani VCIX6-DCV | VCIX7-CMA | VCI | TOGAF 9 Certified
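The domain-side preparation for step 2) and the time check that turned out to matter later in the thread, as an added PowerShell example. This is not code from the thread or from the VMware KB it links: it creates the service principal account that the "Active Directory (Integrated Windows Authentication)" identity source asks for and compares this host's clock with the DC. The domain corp.example.com, the account svc-vcsso, the OU and the DC name are assumed placeholders, and the SPN name STS/<domain> is an assumption; use whatever name the linked KB specifies.

```powershell
# Added example, not from the thread or from the VMware KB it links. Prepares the
# service principal account for the "Active Directory (Integrated Windows
# Authentication)" identity source and checks clock skew against the DC. Run as a
# domain admin on a domain-joined Windows host with the ActiveDirectory RSAT module.
# Assumed placeholders: corp.example.com, svc-vcsso, the OU, dc01.corp.example.com.
# The SPN name STS/<domain> is an assumption: use the value the linked KB specifies.
Import-Module ActiveDirectory

$Domain  = 'corp.example.com'
$Account = 'svc-vcsso'
$Ou      = 'OU=Service Accounts,DC=corp,DC=example,DC=com'
$Dc      = 'dc01.corp.example.com'
$Spn     = "STS/$Domain"

# 1. The account is only a Kerberos identity that SSO uses to obtain tickets; it needs
#    no group membership and no vCenter role, so create it as an ordinary, unprivileged user.
$pw = Read-Host -AsSecureString -Prompt "Password for $Account"
New-ADUser -Name $Account -SamAccountName $Account -UserPrincipalName "$Account@$Domain" `
           -Path $Ou -AccountPassword $pw -Enabled $true `
           -PasswordNeverExpires $true -CannotChangePassword $true

# 2. Register the SPN. -S refuses to add it if the same SPN already sits on another
#    object, which would otherwise leave the KDC issuing tickets for the wrong account.
setspn -S $Spn $Account
if ($LASTEXITCODE -ne 0) { throw 'setspn failed (duplicate SPN or insufficient rights)' }

# 3. Show the values the identity-source dialog asks for: the SPN and the UPN
#    (plus the password entered above).
Get-ADUser -Identity $Account -Properties ServicePrincipalNames, UserPrincipalName |
    Select-Object SamAccountName, UserPrincipalName, @{ n = 'SPN'; e = { $_.ServicePrincipalNames -join ',' } }

# 4. Kerberos rejects tickets when clocks differ by more than the default 5-minute
#    MaxClockSkew. Compare this host with the DC; the appliance must agree too, so point
#    its NTP (VAMI > Time) at the same source the DCs use.
w32tm /stripchart "/computer:$Dc" /samples:3 /dataonly
```

The SPN/UPN line from step 3 is what goes into the "Use SPN" fields of the dialog; the w32tm output is the offset between this host and the DC, and the appliance needs the same agreement, which is the part the thread's last reply fixed by correcting the time.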
khaliqamar
Enthusiast

When I try to add the SSO account in Add Identity Source, it gives the error "The specified principal account is invalid." Any suggestion?

khaliqamar
Enthusiast

Thanks npadmani,

I tried with the latest version of VCSA and it works.

I also made sure that the time is correct, and then it works well.
