SCharchouf
Hot Shot

Disable Active Directory authentication on ESXi & vCenter

Maybe this is a strange question, but I would like to know if there's a way to disable Active Directory authentication on ESXi & vCenter.

9 Replies
LucD
Leadership

For the ESXi nodes, the Set-VMHostAuthentication cmdlet also has a LeaveDomain switch.

For the VCSA you will have to use the domainjoin-cli command via an SSH session.

/opt/likewise/bin/domainjoin-cli leave [domain] [user name] [password]


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

SCharchouf
Hot Shot

Thanks, that should be fine. Unfortunately, in my case I have a lot of ESXi nodes, so I guess a PowerCLI script can help with this, am I right?

LucD
Leadership

Yes, it's the same commands; just run them in a loop over all target ESXi nodes.



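The loop LucD describes, written out as an added PowerCLI example (this is not code from the thread or from VMware). It assumes an existing Connect-VIServer session, uses the placeholder vCenter name vcsa.example.local, and runs Set-VMHostAuthentication with -WhatIf so the first pass is a dry run; the VCSA itself still has to be handled with domainjoin-cli over SSH, as noted above.

```powershell
# Added example: leave the AD domain on every ESXi host that is currently joined.
# Assumes an existing PowerCLI session; the vCenter name below is a placeholder.
$vcenter = 'vcsa.example.local'
Connect-VIServer -Server $vcenter | Out-Null

$report = foreach ($vmhost in Get-VMHost) {
    # Get-VMHostAuthentication returns the host's domain membership state;
    # Domain is empty on a host that was never joined (or has already left).
    $auth = Get-VMHostAuthentication -VMHost $vmhost

    if ($auth.Domain) {
        # Joined: leave the domain. -Confirm:$false suppresses the per-host prompt.
        # -WhatIf makes this a dry run; remove it once the report looks right.
        Set-VMHostAuthentication -VMHostAuthentication $auth -LeaveDomain -Confirm:$false -WhatIf
        [pscustomobject]@{
            Host   = $vmhost.Name
            Domain = $auth.Domain
            Status = $auth.DomainMembershipStatus
            Action = 'LeaveDomain'
        }
    }
    else {
        [pscustomobject]@{
            Host   = $vmhost.Name
            Domain = $null
            Status = $auth.DomainMembershipStatus
            Action = 'AlreadyStandalone'
        }
    }
}

# Keep a record of what was (or would be) changed; useful evidence for the next audit.
$report | Sort-Object Action, Host | Format-Table -AutoSize
$report | Export-Csv -Path .\esxi-leave-domain.csv -NoTypeInformation
```

Run it once with -WhatIf in place and review the CSV; only then remove -WhatIf. Leaving the domain does not touch vCenter SSO, so any AD identity source configured there is unaffected by this script.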
SCharchouf
Hot Shot

In fact, vCenter and ESXi are not joined to AD, and when we run an audit this parameter appears as non-compliant:

Status of the 'Active Directory for local user authentication' requirement on the ESXi host

and to remediate it I should use the command below:

Get-VMHost HOST1 | Get-VMHostAuthentication | Set-VMHostAuthentication -Domain [domain name] -User [username] -Password [password] -JoinDomain

As we aren't using AD (we use another tool, called CyberArk, that allows us to connect to ESXi & vCenter), we need help to disable this. Is that possible?

LucD
Leadership

I'm afraid you lost me.

So neither your VCSA nor your ESXi hosts are joined to an AD domain, but AD authentication is an Identity Source type under SSO?

What do you see in the web client under Administration-Configuration-Identity Sources?

Is AD in that list?



SCharchouf
Hot Shot

Each time I have a discussion with you, you help me a lot :)

Sorry to mislead you.

I checked the identity source and the Name is set to the domain :(

Can I remove it?

Is there any impact?

LucD
Leadership

There is potential impact when you have permissions assigned to AD users/groups as Principal.
Another impact might be if you have used AD users/groups in other non-AD groups.

You can collect all Permissions and check if there is any AD principal involved.

The bad news is that there are currently no cmdlets, nor is there an API, to interact with SSO.



SCharchouf
Hot Shot

So if I have understood correctly, the first step is that I need to collect all Permissions from all vCenters, and then I can decide whether to remove the identity source or not, right?

By the way, is there a script that can collect all permissions?

LucD
Leadership

Just do a Get-VIPermission



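The permission check LucD outlines (collect all permissions, look for AD principals, then decide whether the identity source can go) as an added PowerCLI example; it is not code from the thread. It assumes sessions to every vCenter are already open in $global:DefaultVIServers, and the domain names CORP / corp.example.local are placeholders for the AD identity source. It only covers the first impact LucD lists, permissions with an AD principal; AD accounts nested inside SSO groups are not visible through Get-VIPermission and still need a manual look in the SSO Users and Groups view.

```powershell
# Added example: find vCenter permissions whose principal comes from the AD identity source.
# Assumes Connect-VIServer has already been run for every vCenter in scope.
$adNetbios = 'CORP'                 # placeholder: NetBIOS name of the AD identity source
$adDns     = 'corp.example.local'   # placeholder: DNS name, for UPN-style principals

$rows = foreach ($srv in $global:DefaultVIServers) {
    # Query each connected vCenter separately so the result carries its origin.
    Get-VIPermission -Server $srv |
        Where-Object {
            # Principals from an AD source appear as DOMAIN\name or name@dns.domain.
            $_.Principal -like "$adNetbios\*" -or $_.Principal -like "*@$adDns"
        } |
        Select-Object @{ N = 'vCenter';   E = { $srv.Name } },
                      Principal,
                      IsGroup,
                      Role,
                      @{ N = 'Entity';    E = { $_.Entity.Name } },
                      Propagate
}

$rows | Sort-Object vCenter, Principal, Entity | Format-Table -AutoSize
$rows | Export-Csv -Path .\ad-principal-permissions.csv -NoTypeInformation

# Zero rows means no permission depends on the AD source; anything else must be
# re-assigned (for example to a local SSO or CyberArk-managed account) before removal.
'{0} permission(s) reference principals from {1}' -f @($rows).Count, $adNetbios
```

Before removing the identity source, also confirm that at least one non-AD administrator account (for example administrator@vsphere.local) still holds the Administrator role at the root, so you cannot lock yourself out of vCenter.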