timsheets13
Contributor

vCenter/vSphere and AD

We recently set up our vCenter appliance VM and it's working great. I have successfully joined the VM to our AD. We can now authenticate to vCenter with our AD credentials. But when I try to join the vSphere HTML client to the domain so we can also use AD auth there, it fails. The error:
Idm client exception: Error trying to join AD, error code [11], user [spinet\administrator], domain [spinet.local], orgUnit []

Any assistance appreciated as we don't want to use local or shared accounts for vSphere.

Thanks, Tim

 

scott28tt
VMware Employee

Expect a moderator to move your thread to the vSphere area now that I have reported it.

 


-------------------------------------------------------------------------------------------------------------------------------------------------------------

Although I am a VMware employee I contribute to VMware Communities voluntarily (ie. not in any official capacity)
VMware Training & Certification blog
timsheets13
Contributor

Thank you. I'm new to this board, so I'm not quite familiar with it yet.

 

fabio1975
Commander

Hi

It is not clear to me what you mean when you say you have joined the VM to the domain. What version of vCenter are you using? Note that since vSphere 7.0, VMware has deprecated Integrated Windows Authentication:
https://kb.vmware.com/s/article/78506

It is recommended to use Active Directory over LDAP instead:

https://kb.vmware.com/s/article/2041378

For your error, you can check this link:


https://planetvm.net/blog/?p=3352

 

Fabio

Visit vmvirtual.blog
If you're satisfied give me a kudos

stadi13
Hot Shot

@timsheets13 

It's no longer recommended to use Active Directory with vCenter. You should use LDAPS or, even better, ADFS for authentication.

Did you follow the guide? https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.vcenter.configuration.doc/GUID-08EA...

From a security perspective, we are moving towards avoiding Active Directory authentication wherever it is not strictly required. You can see it as separation of concerns: if an attacker obtains compromised domain credentials, he will not be able to authenticate to your vCenter.

Regards

Daniel

ravjyo
Contributor

Ensure that your domain is always a FQDN and the OU is in LDAP format. Not getting this right sometimes also causes issues.

cool_breeze
Enthusiast

Thanks for the great info!

mbufkin
Enthusiast

One more thing is to always use an NTP server to keep time synced between all servers. Time is important.

8islas
Enthusiast

I agree with the advice of the other colleagues and would add:

As they have already stated, Integrated Windows Authentication (IWA) is deprecated; don't use it:

https://blogs.vmware.com/vsphere/2020/05/vsphere-7-integrated-windows-authentication-iwa-ldap.html

If you use Active Directory as the identity source for vCenter Server, you should plan to enable LDAPS. For more information about this security update from Microsoft, see https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190023 and https://blogs.vmware.com/vsphere/2020/01/microsoft-ldap-vsphere-channel-binding-signing-adv190023.html.

From a security perspective, we use DUO to have 2FA.

I hope that helps
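Putting ravjyo's point (domain as FQDN, OU in LDAP format) together with the LDAPS advice in the reply above, here is an added example that is not from this thread or from VMware: a small pre-flight check for an "Active Directory over LDAP" identity-source configuration before you submit it in the vSphere Client. It flags a NetBIOS name where a FQDN is needed, a base DN that is not attr=value LDAP syntax or belongs to a different domain, and a cleartext ldap:// server URL that LDAP signing/channel-binding enforcement (ADV190023) will break. The spinet.local sample values, host names and OUs are constructed for illustration; the DN reader is a simplified RFC 4514 parser (no multi-valued RDNs), and the accepted LDAPS ports are the standard 636 and 3269 (Global Catalog over TLS).

```python
"""Added example: sanity-check an 'Active Directory over LDAP' identity source
(domain, base DNs, server URL) for the mistakes discussed in this thread."""
import re
from dataclasses import dataclass
from typing import List, Tuple
from urllib.parse import urlsplit

# Hostname label per RFC 1035: 1-63 chars, letters/digits/hyphen, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
# One RDN 'attr=value' (simplified RFC 4514: no multi-valued '+' RDNs, no OID attribute types).
_RDN = re.compile(r"^([A-Za-z][A-Za-z0-9-]*)=(.+)$")
LDAPS_PORTS = {636, 3269}  # LDAPS and Global Catalog over TLS (assumed standard ports)


def is_fqdn(name: str) -> bool:
    """True for 'spinet.local' or 'dc01.spinet.local'; False for a NetBIOS name such as 'SPINET'."""
    labels = name.rstrip(".").split(".")
    return len(labels) >= 2 and all(_LABEL.match(label) for label in labels)


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an LDAP DN into (ATTR, value) pairs, honouring backslash-escaped commas
    ('CN=Smith\\, John,OU=Users,DC=spinet,DC=local'). Raises ValueError when a
    component is not attr=value, e.g. the canonical form 'spinet.local/Users' from ADUC."""
    parts, buf, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):  # keep the escape and the escaped char together
            buf += dn[i:i + 2]
            i += 2
            continue
        if dn[i] == ",":
            parts.append(buf)
            buf = ""
        else:
            buf += dn[i]
        i += 1
    parts.append(buf)
    rdns = []
    for part in parts:
        m = _RDN.match(part.strip())
        if not m:
            raise ValueError(f"component {part!r} is not attr=value")
        rdns.append((m.group(1).upper(), m.group(2)))
    return rdns


def dn_domain(dn: str) -> str:
    """DNS domain implied by the DC= components: 'OU=Users,DC=spinet,DC=local' -> 'spinet.local'."""
    return ".".join(value for attr, value in parse_dn(dn) if attr == "DC")


@dataclass
class IdentitySource:
    domain: str          # AD domain as FQDN, e.g. spinet.local
    base_dn_users: str   # LDAP DN, e.g. OU=Users,DC=spinet,DC=local
    base_dn_groups: str  # LDAP DN, e.g. OU=Groups,DC=spinet,DC=local
    primary_url: str     # e.g. ldaps://dc01.spinet.local:636


def validate(src: IdentitySource) -> List[str]:
    """Return human-readable findings; an empty list means the config passes these checks."""
    findings: List[str] = []
    domain = src.domain.rstrip(".").lower()
    if not is_fqdn(domain):
        findings.append(f"domain {src.domain!r} is not a FQDN (a NetBIOS name will not work here)")
    for what, dn in (("users", src.base_dn_users), ("groups", src.base_dn_groups)):
        try:
            rdns = parse_dn(dn)
        except ValueError as exc:
            findings.append(f"base DN for {what} is not in LDAP format: {exc}")
            continue
        if not any(attr == "DC" for attr, _ in rdns):
            findings.append(f"base DN for {what} has no DC= components: {dn!r}")
        elif dn_domain(dn).lower() != domain:
            findings.append(f"base DN for {what} points at {dn_domain(dn)}, not {domain}")
    url = urlsplit(src.primary_url)
    if url.scheme == "ldap":
        findings.append("primary URL is cleartext ldap://; use ldaps:// so the bind survives "
                        "LDAP signing/channel-binding enforcement (ADV190023)")
    elif url.scheme != "ldaps":
        findings.append(f"primary URL has unexpected scheme {url.scheme!r}")
    if url.hostname and not is_fqdn(url.hostname):
        findings.append(f"server {url.hostname!r} should be a FQDN matching the DC's TLS certificate")
    port = url.port if url.port is not None else 636
    if url.scheme == "ldaps" and port not in LDAPS_PORTS:
        findings.append(f"ldaps:// on port {port} is unusual; expected 636 or 3269 (Global Catalog)")
    return findings


# Constructed sample configurations; spinet.local and the host names are illustrative only.
GOOD = IdentitySource(
    domain="spinet.local",
    base_dn_users="OU=Users,DC=spinet,DC=local",
    base_dn_groups="OU=Groups,DC=spinet,DC=local",
    primary_url="ldaps://dc01.spinet.local:636",
)
BAD = IdentitySource(
    domain="SPINET",                               # NetBIOS name instead of FQDN
    base_dn_users="spinet.local/Users",            # canonical-name form, not an LDAP DN
    base_dn_groups="OU=Groups,DC=other,DC=local",  # DN from a different domain
    primary_url="ldap://dc01:389",                 # cleartext LDAP and a short host name
)

if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        problems = validate(cfg)
        print(name, "passes" if not problems else "has problems:")
        for problem in problems:
            print("  -", problem)
```

The BAD sample produces five findings (NetBIOS domain, non-DN users path, foreign-domain groups DN, cleartext ldap://, short server name), the GOOD one none. The check is deliberately offline: it says nothing about whether the DC actually presents a trusted certificate on 636, which you still have to verify against the CA certificate you upload with the identity source.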

MattStreet
Enthusiast

If I'm reading your issue properly, you have managed to successfully join vCenter to AD, but are unable to join the ESXi hosts to AD?

Have you tried connecting to your ESXi hosts with PuTTY (you may need to manually start the SSH service) and performing an nslookup of your domain controller, and an nslookup of the domain FQDN?

If your ESXi hosts are on a separate VLAN / IP range from your domain controllers, have you confirmed the relevant port access is open? Check out https://ports.esp.vmware.com/home/vSphere-7 for the list of ports.

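To do the name-resolution and port checks MattStreet describes as a repeatable script rather than by hand, here is an added example that is not from the thread or from VMware. It runs from any Python 3 host placed on the same VLAN as the ESXi hosts (ESXi's own Python is not assumed). The port table is my assumption based on the standard AD, Kerberos and LDAP service ports, not VMware's published list, so compare it with the ports.esp.vmware.com page above; it probes TCP only, so UDP 53 and 88 are not covered. The self_test function exercises the probe against a loopback listener so the logic can be verified without a domain controller.

```python
"""Added example: DNS and TCP port pre-flight checks towards domain controllers.
Port table is an assumption (standard AD services), not VMware's authoritative list."""
import socket
import sys
from typing import Any, Dict, List, Tuple

# Assumed required ports for an AD join/auth path; TCP only.
AD_PORTS: Dict[int, str] = {
    53: "DNS",
    88: "Kerberos",
    389: "LDAP",
    636: "LDAPS",
    445: "SMB (domain join)",
    3268: "Global Catalog",
    3269: "Global Catalog over TLS",
}


def resolve(name: str) -> List[str]:
    """Addresses 'name' resolves to (like nslookup); [] if it does not resolve.
    Resolving the domain FQDN itself (e.g. spinet.local) should return the DC
    addresses, because AD publishes A records at the domain apex."""
    try:
        infos = socket.getaddrinfo(name, None, proto=socket.IPPROTO_TCP)
        return sorted({info[4][0] for info in infos})
    except OSError:
        return []


def tcp_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """True when a TCP connect to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_dc(dc: str, ports: Dict[int, str] = AD_PORTS, timeout: float = 2.0) -> Dict[str, Any]:
    """Resolve a DC (or domain) name and probe each port on its first address."""
    addrs = resolve(dc)
    report: Dict[str, Any] = {"name": dc, "addresses": addrs, "ports": {}}
    if addrs:
        report["ports"] = {port: tcp_open(addrs[0], port, timeout) for port in ports}
    return report


def self_test() -> Tuple[bool, bool]:
    """Offline check of tcp_open: (open port seen as open, closed port seen as closed)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        port = srv.getsockname()[1]
        open_ok = tcp_open("127.0.0.1", port, 1.0)  # kernel completes the handshake without accept()
    closed_ok = not tcp_open("127.0.0.1", port, 1.0)  # listener gone: connection refused
    return open_ok, closed_ok


if __name__ == "__main__":
    # Usage: python check_dc.py dc01.spinet.local spinet.local   (names are illustrative)
    for target in sys.argv[1:] or ["localhost"]:
        report = check_dc(target)
        print(f"{target}: resolves to {report['addresses'] or 'NOTHING'}")
        for port, ok in report["ports"].items():
            print(f"  {port:>5} {AD_PORTS[port]:<24} {'open' if ok else 'blocked/closed'}")
```

A name that resolves to nothing is the DNS problem MattStreet is asking about; a name that resolves but shows 88 or 389/636 closed points at the VLAN firewall rather than at vCenter. Run it from a host in the ESXi management network, since the answer differs per source VLAN.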