VMware Cloud Community
Brian995
Contributor

How to disable or prevent vCenter (not ESXi) root login?

We need to make sure that root is not used for vCenter 6.0 login. Is there any way to disable it or prevent users who know the root password from using it (instead of their domain account)?

4 Replies
daphnissov
Immortal

In vCenter, the root user by default has no permissions to vCenter the application. It obviously does to the OS/appliance but not to log in to the web client. There's nothing more you need to do if you're OK with that arrangement.

Brian995
Contributor

We had a user make changes to a VM using root to log in to vCenter; that's what needs to be prevented if possible.

daphnissov
Immortal

Then someone has explicitly enabled root to have vCenter permissions. You can check in the SSO configuration under the localos domain. If that's enabled with users configured for it, disable it.

IRIX201110141
Champion

It has nothing to do with SSO configuration.

Someone has modified the "permissions" (check the tab when at the upper vCenter level) and manually added the user "root" from the identity source "localOS" and given it Administrative rights. But as already said, and this is true, it's not a default.

Normally a vCenter uses 3 identity resources:

- vsphere.local

- localOS

- your_windowsAD

The first 2 are defaults, but IIRC only administrator@vsphere.local is the one and only "user" which is added. Yeah, there are some other system accounts added as well.

So you have to remove the account from the permission or lower the level to "readonly".

Regards

Joerg

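The permission check described in the replies above can be scripted with PowerCLI. The following is an added example, not code posted by anyone in the thread: `Find-LocalOsPermission` is a hypothetical helper, the sample rows are constructed, and the principal formats (`DOMAIN\user` or `user@domain`) and the `localos` domain name are assumptions to adjust for your deployment.

```powershell
# Added example: flag vCenter permissions held by localOS principals such as root.
# Input objects need the Principal, Role, Entity and Propagate properties that
# PowerCLI's Get-VIPermission returns.
function Find-LocalOsPermission {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Permission,
        [string[]] $LocalDomain = @('localos'),            # assumed identity source name
        [string[]] $LowRole     = @('ReadOnly', 'NoAccess')
    )
    process {
        $principal = [string]$Permission.Principal
        $domain = ''; $user = $principal
        # Accept either DOMAIN\user or user@domain; a bare name has no domain.
        if ($principal -match '^(?<d>[^\\]+)\\(?<u>.+)$' -or
            $principal -match '^(?<u>[^@]+)@(?<d>.+)$') {
            $domain = $Matches.d; $user = $Matches.u
        }
        # Keep only localOS principals, plus any account named root.
        if ($LocalDomain -notcontains $domain -and $user -ne 'root') { return }
        [pscustomobject]@{
            Principal = $principal
            Entity    = [string]$Permission.Entity
            Role      = $Permission.Role
            Propagate = $Permission.Propagate
            Action    = if ($LowRole -contains $Permission.Role) { 'review' }
                        else { 'remove or lower to ReadOnly' }
        }
    }
}

# Constructed sample rows (not real data) so the filter can be tried offline.
$sample = @(
    [pscustomobject]@{ Principal = 'VSPHERE.LOCAL\Administrator'; Role = 'Admin';    Entity = 'Datacenters'; Propagate = $true }
    [pscustomobject]@{ Principal = 'localos\root';                Role = 'Admin';    Entity = 'Datacenters'; Propagate = $true }
    [pscustomobject]@{ Principal = 'EXAMPLE\jdoe';                Role = 'ReadOnly'; Entity = 'Datacenters'; Propagate = $true }
)
$sample | Find-LocalOsPermission | Format-Table -AutoSize   # only the localos\root row is reported

# Against a live vCenter, after Connect-VIServer:
#   Get-VIPermission | Find-LocalOsPermission
#   Get-VIPermission -Principal '<principal exactly as listed>' | Remove-VIPermission -WhatIf
```

`Get-VIPermission` reports permissions set on inventory objects; global permissions are not included in its output, so review those in the Web Client as well.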