Maybe this is a strange question, but I would like to know if there's a way to disable Active Directory authentication on ESXi & vCenter?
For the ESXi nodes, the Set-VMHostAuthentication cmdlet also has a LeaveDomain switch.
For the VCSA you will have to use the domainjoin-cli command via an SSH session.
/opt/likewise/bin/domainjoin-cli leave [domain] [user name] [password]
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Thanks, that should be fine. Unfortunately, in my case I have a lot of ESXi nodes, so I guess a PowerCLI script can help with this, am I right?
Yes, it's the same commands, just run them in a loop over all target ESXi nodes.
In fact, vCenter and ESXi are not joined to AD, and when we run an audit this parameter appears as non-compliant:
Status of the 'Active Directory for local user authentication' requirement on the ESXi host
and to remediate I should use the command below:
Get-VMHost HOST1 | Get-VMHostAuthentication | Set-VMHostAuthentication -Domain [domain name] -User [username] -Password [password] -JoinDomain
As we aren't using AD (we use another tool that allows us to connect to ESXi & vCenter, called CyberArk), we need help to disable this. Is that possible?
I'm afraid you lost me.
So neither your VCSA nor your ESXi hosts are joined to an AD domain, but AD authentication is an Identity Source type under SSO?
What do you see in the web client under Administration-Configuration-Identity Sources?
Is AD in that list?
Each time I have a discussion with you, you help me a lot.
Sorry to mislead you.
I checked the identity source and the Name is set to the domain.
Can I remove it?
Is there any impact?
There is potential impact when you have permissions assigned to AD users/groups as Principal.
Another impact might be if you have used AD users/groups in other non-AD groups.
You can collect all Permissions and check if there is any AD principal involved.
The bad news is that there are currently no cmdlets, nor is there an API, to interact with SSO.
So if I have understood correctly, the first step is that I need to collect all Permissions from all vCenters, then I can decide whether to remove the source entity or not, right?
By the way, is there a script that can collect all permissions?
Just do a Get-VIPermission.
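The two steps discussed in this thread, collecting permissions to check for AD principals before removing the identity source and then looping Set-VMHostAuthentication -LeaveDomain over the ESXi hosts, combined into one PowerCLI script. This is an added example, not code from the thread or from the PowerCLI project; the vCenter name 'vcsa.example.local' and the AD name 'CORP' are placeholders, and it assumes VMware.PowerCLI is installed.

```powershell
# Added example (not from the thread). Audits vCenter permissions for AD
# principals, then lists ESXi hosts still joined to AD and optionally leaves
# the domain. Placeholders: 'vcsa.example.local' (vCenter) and 'CORP' (AD name).
param(
    [string]$Server   = 'vcsa.example.local',   # placeholder vCenter
    [string]$AdDomain = 'CORP',                 # placeholder AD NetBIOS or DNS name
    [switch]$LeaveDomain                        # dry run unless this switch is given
)

Connect-VIServer -Server $Server | Out-Null

# 1. Collect every permission and flag those whose principal belongs to AD.
#    AD principals show up as 'DOMAIN\name' or 'name@domain', so match both forms.
$esc       = [regex]::Escape($AdDomain)
$adPattern = "^$esc\\|@$esc$"
$adPerms   = Get-VIPermission | Where-Object { $_.Principal -match $adPattern }

if ($adPerms) {
    Write-Warning "Found $(@($adPerms).Count) permission(s) assigned to AD principals; review these before removing the identity source:"
    $adPerms |
        Select-Object Principal, Role, IsGroup, Propagate, @{ N = 'Entity'; E = { $_.Entity.Name } } |
        Format-Table -AutoSize
}
else {
    Write-Host "No permissions reference '$AdDomain'; removing the AD identity source should have no permission impact."
}

# 2. Report ESXi hosts that are still joined to AD and, only with -LeaveDomain, leave it.
foreach ($vmhost in Get-VMHost) {
    $auth = Get-VMHostAuthentication -VMHost $vmhost
    if (-not $auth.Domain) { continue }     # host is not joined, nothing to do
    Write-Host "$($vmhost.Name) is joined to $($auth.Domain) ($($auth.DomainMembershipStatus))"
    if ($LeaveDomain) {
        Set-VMHostAuthentication -VMHostAuthentication $auth -LeaveDomain -Confirm:$false
    }
}

Disconnect-VIServer -Server $Server -Confirm:$false
```

Run it once without -LeaveDomain to get the permission and membership report, and only pass -LeaveDomain after the flagged permissions have been reassigned to non-AD principals.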