VMware Cloud Community
Dthompson04
Contributor

Securing vSphere with TACACS vs AD

Hello Community,

I'm trying to understand the different security hardening for vCenter and ESXi hosts. I know the differences in authenticating with the following groups, but how do they impact vSphere authentications?

1.  TACACS/RADIUS authentication

2.  Active Directory (AD) authentication

3.  TACACS using AD authentication.

I'll have to review the latest best practices, but I remember something for VMware that if you use AD it should be used with TACACS. I don't know if this is the case any more or not, so I'm checking into it again.

The reason I'm asking and don't already know is due to an event that occurred. Our IA department thought it would be nice to add AD authentication to our ESXi 6.7 U3 hosts without telling me or looking into best practices.

All of the hosts suddenly became disconnected from the VCSA when Likewise messages overwhelmed the systems. This meant that all VMs were disconnected also. We could log into the VMs and they seemed to be working fine, but we had no management of the hosts from vCenter.

Eventually we'll have TACACS, but until then what are the best practices for adding AD to hosts that are in lockdown mode with vCenter? I know, the best practices are for people to stay in their own swim lane... lol

The other odd point to this is they wanted to add AD to the hosts and not to vCenter. Best practices say to lock down hosts in VCSA and manage from there. These seem to be conflicting with each other.

1 Reply
Dthompson04
Contributor

To fix the overflow problem that disconnected the hosts we applied a script recommended by KB78968, but there are minor issues showing up that we're looking to resolve.
