AD authentication for connections directly to hosts
Our VMware hosts and vCenter are 5.1 U1. I have always had integrated AD authentication for vCenter, and that works and is not the problem.
We are trying to set it up so that we can access the hosts directly with our domain accounts. It is rare for us to do this, but that is what we want from the security side of it, so we do not have everyone using the root account or setting up local accounts on each host. So we checked our DNS settings, NTP settings, etc. on each host and went to add them to the domain. The first 4 hosts I added all joined the domain fine and worked without any issues. I was able to add an AD group as local admins, and then I could SSH with my domain account and could also connect directly to the host with the vSphere Client using my domain account. When I connected directly to the hosts with my domain account, I could also check the "Use Windows session credentials" checkbox in the vSphere Client to connect. All of them worked.
I then had some issues with some other hosts not being able to join the domain. At first I thought DNS, or appending the domain suffix, etc., but could not figure it out. Then I found that on the problem hosts (there were several), I needed to enable the AD services in the security profile (Network Login Server, I/O Redirection, and Local Security Authentication Server). I tested several times with several servers and confirmed each time that I did need to enable those services on those hosts. Then I went back and looked at some of the other hosts (that had worked fine), and they did not have those services running. That was weird, but I went ahead and changed all hosts to start those services. Everything works now, but I notice I can no longer pass credentials with "Use Windows session credentials" anymore on some of the hosts. I now must pass credentials on some of the hosts in the UPN format (bsmith@contoso.com) instead of CONTOSO\bsmith. It does not matter what client I am connecting with, but some hosts work with integrated Windows authentication and some must have UPN.
Anyone have any ideas what could have caused that, or any documentation about those 3 services that are now running on the hosts? I could find nothing that mentioned needing those.
Thanks,
Dan
Dan,
The three services are likely to be in a stopped state if you have joined the host to the domain but have not restarted the host.
i.e. these services are set to start or stop with the host, and the change takes effect on reboot, when they start automatically (now that the host is joined to the domain, it will kick off the services on boot).
For your second query, about why you need to pass credentials every time, it could be:
VMware KB: Logging on to an ESX/ESXi host with Windows session credentials fails
Or
http://kb.vmware.com/kb/2062992
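An added PowerCLI audit (not from either post in this thread) that reports, for every host behind a vCenter, whether it is domain-joined and whether the three AD services are set to start with the host and are actually running, so the hosts that will misbehave after the next reboot can be spotted before anyone has to fall back to root. The vCenter name is a placeholder, and the service keys lsassd, lwiod and netlogond are assumed to be the ESXi 5.x identifiers of the three services named above.

```powershell
# Added example: audit Active Directory membership and the three Likewise
# services on every ESXi host managed by a vCenter. Assumes PowerCLI is
# installed; vcenter.contoso.local is a placeholder name.
# Assumed mapping of service keys to the labels shown in the Security Profile:
#   lsassd    = Local Security Authentication Server
#   lwiod     = I/O Redirector
#   netlogond = Network Login Server
param(
    [string]$VCenter = 'vcenter.contoso.local',
    [switch]$Fix    # when set, enable the start policy and start stopped services
)

$adServiceKeys = @('lsassd', 'lwiod', 'netlogond')

Connect-VIServer -Server $VCenter | Out-Null

$report = foreach ($vmhost in Get-VMHost | Sort-Object Name) {
    $auth = Get-VMHostAuthentication -VMHost $vmhost
    $svcs = Get-VMHostService -VMHost $vmhost |
        Where-Object { $adServiceKeys -contains $_.Key }
    foreach ($svc in $svcs) {
        # Only touch services on hosts that are actually joined to a domain.
        if ($Fix -and $auth.Domain -and (-not $svc.Running -or $svc.Policy -ne 'On')) {
            Set-VMHostService -HostService $svc -Policy On -Confirm:$false | Out-Null
            Start-VMHostService -HostService $svc -Confirm:$false | Out-Null
            $svc = Get-VMHostService -VMHost $vmhost |
                Where-Object { $_.Key -eq $svc.Key }
        }
        [pscustomobject]@{
            Host             = $vmhost.Name
            Domain           = $auth.Domain
            MembershipStatus = $auth.DomainMembershipStatus
            Service          = $svc.Key
            Label            = $svc.Label
            Policy           = $svc.Policy
            Running          = $svc.Running
        }
    }
}

# Full picture first, then only the domain-joined hosts whose AD services are
# stopped or not set to start automatically.
$report | Format-Table -AutoSize
$report | Where-Object { $_.Domain -and (-not $_.Running -or $_.Policy -ne 'On') } |
    Format-Table Host, Service, Policy, Running -AutoSize

Disconnect-VIServer -Server $VCenter -Confirm:$false
```

Run it without -Fix first to see the per-host state; the second table being empty means every joined host has all three services enabled and running.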