VMware Cloud Community
just70
Contributor

vCenter 7 MFA using ADFS... PowerCLI still works without MFA

I set up a lab vCenter, hooked up its identity source to ADFS and enabled MFA. It works great going through the UI (https://vcenter.mycompany.com/ui) but people can still use PowerCLI to get into the vCenter without MFA. If someone malicious gets the username & password of a vCenter administrator's account they can simply do their dirty work via PowerShell. In fact, they probably would anyway, it would be way more efficient than using the UI. Unless there's a way to enable MFA on PowerCLI or disable PowerCLI then MFA via ADFS seems to give a false sense of security.

I attempted to segment UI access from PowerCLI access using a load balancer. Both the UI and PowerShell use port 443 for communication to the vCenter. I stuck the load balancer between the client and vCenter (with SSL intercept) and blocked access to /api and /sdk, but that got ugly quick. The UI redirects to the hostname of the vCenter.

Does anyone know of a way to firewall-off PowerCLI access to the vCenter?
Looking around online it seems it may be possible to use Duo as an Active Directory proxy, which would make PowerCLI auth MFA. I'll have to test this out. Anyone have other options?

5 Replies
Tibmeister
Expert

We have Duo and have pointed the vCenter to use our ADFS as the IdP. In ADFS we have a rule that requires Duo MFA, and this applies even to PowerShell access. You have to create a Native Application for powercli-native within the Application Group for your vCenter on ADFS. Basically, this will have the client ID you use in the Web API and vCenter Server application, but will have a redirect URI of http://localhost:8844/auth.
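
An added example, not from Tibmeister's post or from VMware: a PowerCLI script that checks both sides of what he describes, namely that a password-only PowerCLI login is rejected and that the federated login through the native app's redirect URI (http://localhost:8844/auth) succeeds. It assumes PowerCLI 12 or later with the New-VcsOAuthSecurityContext and New-VISamlSecurityContext cmdlets, and uses the vCenter hostname from the original post.

```powershell
# Added example (not from the thread): verify that PowerCLI logins are forced
# through ADFS + MFA. Assumes PowerCLI 12+ and the powercli-native redirect URI
# from Tibmeister's post.
param(
    [string]$VcServer    = 'vcenter.mycompany.com',       # hostname from the original post
    [string]$RedirectUrl = 'http://localhost:8844/auth'   # native app redirect URI
)

Import-Module VMware.PowerCLI -ErrorAction Stop

# 1. Negative check: a username/password connection with a domain account must
#    fail once the old embedded AD identity source is gone and only ADFS remains.
#    (Local vsphere.local accounts still use password auth and are out of scope.)
$passwordOnlyWorks = $false
try {
    $cred = Get-Credential -Message 'Domain test account (password only, expected to FAIL)'
    $null = Connect-VIServer -Server $VcServer -Credential $cred -ErrorAction Stop
    $passwordOnlyWorks = $true
    Disconnect-VIServer -Server $VcServer -Confirm:$false
} catch {
    Write-Host "Password-only login rejected as expected: $($_.Exception.Message)"
}
if ($passwordOnlyWorks) {
    Write-Warning 'Password-only PowerCLI login still succeeds: MFA is NOT enforced for API clients.'
}

# 2. Positive check: the federated flow opens a browser to ADFS, where the Duo
#    MFA rule fires, then exchanges the OAuth token for a SAML context.
$oauth = New-VcsOAuthSecurityContext -VcServer $VcServer -RedirectUrl $RedirectUrl
$saml  = New-VISamlSecurityContext  -VcServer $VcServer -OAuthSecurityContext $oauth
$vi    = Connect-VIServer -Server $VcServer -SamlSecurityContext $saml -ErrorAction Stop
Write-Host "Federated login OK as $($vi.User) on $($vi.Name)"
Disconnect-VIServer -Server $VcServer -Confirm:$false
```

Run it from a workstation with a browser; the first check should print a rejection and the second should prompt for ADFS credentials plus the Duo push.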

just70
Contributor

I got off the phone with support today and got to the bottom of it. I was moving from AD authenticated to ADFS. In this case, VMware's documentation suggests that we "...do not delete that existing identity source from vCenter Server." This way the permissions applied using AD groups don't go away. Makes sense.

However, come to find out this Active Directory connection previously established was how PowerShell connections were authenticating. With support on the line, we switched from ADFS as an identity provider back to embedded source, deleted my old AD connection, then re-configured the ADFS connection. Now PowerShell and API access get authenticated through ADFS & MFA, which is what I would expect. I just have to re-set up all of the permissions attached to AD groups.

Nodnarb
Enthusiast

Hi @just70,

I'm working with support on a similar issue. Could you please repost your case number here or DM me?

I tried reproducing your steps below but after deleting the old AD config and setting up ADFS I can't log in with ADFS at all.

Thank you in advance!

nef_user
Enthusiast

Hi @Nodnarb,

I'm having the same issue. After deleting the old AD config and setting up ADFS I can't log in with ADFS. Did you find a way to solve this?

Thank you.

Nodnarb
Enthusiast

Unfortunately no 😕
