VMware Cloud Community
vmk2014
Expert

What is the benefit of AD authentication that allows ESXi host integration with AD?

Hi All,

We have around 800+ ESXi hosts globally, including remote sites, and most of the time we struggle with the correct password. Hence, in order to resolve this challenge, we decided to integrate the ESXi hosts with AD, but there is a roadblock from the security and engineering teams, who say our standard practice is to isolate our VMware hosts from AD. Could you provide a brief explanation of why it is needed to allow AD-based authentication? Any pointers for highlighting the benefits will be much appreciated.

Thanks

V

0 Kudos
3 Replies
NathanosBlightc
Commander

Hi

I think your security team's opinion is correct. Why do you want to integrate so many ESXi hosts with Active Directory when you can have this AD integration on the vCenter Server? There are many security considerations and hardening steps for ESXi whenever you want to join them to AD.

Also, joining ESXi to AD may lead to unauthorized access in some cases. When you assign a specific permission to an AD group and after a while an AD admin adds an unauthorized person to that group, he/she gets access to the virtual infrastructure even though they should not have it. At large scale, the management teams of the domain and vSphere environments are usually separate, and it is common to see security risks like this.

Please mark my comment as the Correct Answer if this solution resolved your problem
0 Kudos
vmk2014
Expert

I agree with you, but we have an ESX admin group and only 4 folks have been added; the remaining team members are restricted from this group. Also, since it is global support, i.e. ESXi hosts spread across the globe, some of the regional security teams allowed this and others are asking what the benefit of AD authentication is.

Thanks

V

0 Kudos
NathanosBlightc
Commander

I believe all of the mentioned benefits of AD authentication for ESXi hosts are not superior to managing the virtual infrastructure through vSphere SSO. Many people say that if you share the ESXi root password between your admins (as in this link, which you can read) and one of them leaves, it can lead to resetting all current passwords, but I believe you can still protect it, because you don't need to give them full access via the root credential for usual management tasks. If you want to give IT staff the required permissions for accessing the VI, it's highly recommended to add the Active Directory domain as a new Identity Source in the vCenter Server and then assign the required privileges at the top level or on any other objects (like vCenter, Cluster and so on) to their AD accounts.

All of the other benefits, like syncing time with a DC or using name resolution from an AD-integrated DNS zone, are also possible without joining the ESXi hosts to AD, because you can still use each of the local DCs (in each region) as the NTP server for the ESXi hosts of that region, and also create the associated A records in the DNS zone manually for managing them via vCenter with FQDN.

Please mark my comment as the Correct Answer if this solution resolved your problem
0 Kudos
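The two concerns raised in this thread (an AD admin quietly adding someone to the ESX admin group, and hosts being domain-joined against the agreed standard) can both be audited from PowerCLI. The script below is an added example, not code from the thread or from VMware; the vCenter name, the approved admin list and the group name 'ESX Admins' (the ESXi default) are assumptions, and it expects the PowerCLI and ActiveDirectory modules to be installed.

```powershell
# Added example (not from the thread). Assumed values: vCenter 'vcsa01.example.com',
# AD group 'ESX Admins' (ESXi default), four approved admin accounts.
Import-Module VMware.VimAutomation.Core
Import-Module ActiveDirectory

$vCenter        = 'vcsa01.example.com'
$adminGroup     = 'ESX Admins'
$approvedAdmins = @('alice', 'bob', 'carol', 'dave')   # the four people who should be in the group

Connect-VIServer -Server $vCenter | Out-Null

# 1. Group membership drift: flag anyone in the group who is not on the approved list.
$members = Get-ADGroupMember -Identity $adminGroup -Recursive |
           Where-Object { $_.objectClass -eq 'user' } |
           Select-Object -ExpandProperty SamAccountName
$unexpected = $members | Where-Object { $approvedAdmins -notcontains $_ }
if ($unexpected) {
    Write-Warning "Unapproved members of '$adminGroup': $($unexpected -join ', ')"
}

# 2. Per-host state: is the host domain-joined, which AD group is auto-granted
#    Administrator on a joined host, and which NTP servers it uses (the regional DCs
#    the reply above suggests work without a domain join).
$report = foreach ($vmhost in Get-VMHost) {
    $auth = Get-VMHostAuthentication -VMHost $vmhost
    $grp  = Get-AdvancedSetting -Entity $vmhost -Name 'Config.HostAgent.plugins.hostsvc.esxAdminsGroup'
    $auto = Get-AdvancedSetting -Entity $vmhost -Name 'Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd'
    [pscustomobject]@{
        Host         = $vmhost.Name
        Domain       = $auth.Domain
        JoinStatus   = $auth.DomainMembershipStatus
        AdminGroup   = $grp.Value
        AutoAddAdmin = $auto.Value
        NtpServers   = (Get-VMHostNtpServer -VMHost $vmhost) -join ','
    }
}
# Hosts with a non-empty Domain or AutoAddAdmin = true deviate from the "keep hosts out of AD" standard.
$report | Format-Table -AutoSize

Disconnect-VIServer -Server $vCenter -Confirm:$false
```

Run it on a schedule and diff the output against the previous run to catch both group drift and hosts that were joined outside the agreed process.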