VMware Cloud Community
dejan
Contributor

Why can every domain user log in to the vCenter Appliance via the vSphere Web Client?

Hi

I created a new vCenter Appliance, set up AD auth, added my domain account to the admin group and moved the hosts to the new vCenter.

I can log in with the domain account, I get the VMs, etc.


But one thing bothers me:

I do not understand why all domain users can log in to vCenter via the vSphere Web Client.

They do not see any clusters, hosts or VMs, but nevertheless I do not want anyone except certain users to be able to log in to vCenter.

I did not add the Domain Users group to any other group or anything else.

When vCenter was hosted on Windows Server, only certain users could log in, which is right.

Did I misconfigure something?

Thank you for any explanation.


Regards, Dejan

7 Replies
WilliamSmithUNR
Contributor

You did not misconfigure anything.  I noticed the same thing and for the life of me could not figure out how to change this behavior.  So I put in a ticket with VMware support.

The answer I got back was "This is expected behavior."  So we have stopped using the vSphere Web Client altogether.  The only reason I still have it installed as a service is so that I can manage SSO, but only from the local server.

We are running 5.1 but I was told it is the same behavior in 5.5.  And being that VMware has moved a lot of functionality into the Web Client in 5.5 we will not be upgrading to 5.5 in the near future.

It is very disappointing that VMware has overlooked this issue.  We have several thousand user accounts in our domain.  And if we were to leave the Web Client running every last one of them could log in.  Unacceptable.

Better fix this in 6.

-Bill

WilliamSmithUNR
Contributor

*Addendum*

We modified the Base DN and the Group Base DN of the domain identity source to a specific OU.  That does not prevent any and all domain accounts from establishing a session with the vSphere Web Client.  All it does is prevent users not in said OU from being able to access any vCenter system registered with the Web Client, even if they have the rights to access it.

Again, I cannot believe that VMware would not have instituted some level of authorization checks at the Web Client level.

-Bill

dejan
Contributor

Hi

It is very good that you replied to my question. Until now I was sure that I had missed something.

I will also open a case with VMware for that, because I do not and will not agree that "This is expected behavior."

I also cannot accept that VMware has overlooked this issue.  As you said, this is unacceptable.

Regards, Dejan

sheath7288
Contributor

dejan,

Did you get anywhere with your case? I just noticed the same in the 6.0 appliance, and tested on our 5.5 windows vcenter server with the same results. I too have opened a case.

ggautam7741
Enthusiast

Thanks for sharing. We have plans to migrate to 5.5 in the near future, and this point is to be added to our pre-checks.

MauricioRangel
Contributor

For anyone still having this issue on 5.x: you could limit the exposed surface of the vSphere Web Client to allow connections only from trusted sources, such as your management VLAN. This is a hack and therefore I guess it would not be supported, but it is quite simple, as it is just a couple of additional inbound firewall rules. I think 6.x has a new System Settings page where you can configure this, although I have not tested it.

Take a snapshot of your vCenter if you have little experience with the Linux command line interface.

Log in to your VCSA via SSH:

Go to /etc/sysconfig/network/scripts, edit the file called firewall and add the Linux firewall rules to limit which networks can connect to the vSphere Web Client. It would be something like this (do not include the # symbol; it just denotes that you need to be logged in as the root user. If you connected with any other configured user, su to root, because AFAIK sudo is not properly configured):

# cd /etc/sysconfig/network/scripts

# vim firewall

Add these lines after the line: touch "$FW_MARKER"

   # SPS
   block_tcp 21000
   touch "$FW_MARKER"
   # added: allow the Web Client port (9443) only from the management network, reject everything else
   /usr/sbin/iptables  -A INPUT -i eth0 -p tcp --dport 9443 -s 10.1.2.0/24 -j ACCEPT
   /usr/sbin/iptables  -A INPUT -i eth0 -p tcp --dport 9443 -j REJECT
   # added: no IPv6 allow rule is given, so drop all IPv6 connections to the port
   /usr/sbin/ip6tables -A INPUT -i eth0 -p tcp --dport 9443 -j DROP
fi

(The first three lines, # SPS, block_tcp 21000 and touch "$FW_MARKER", are existing lines of the script shown for context; only the iptables and ip6tables lines are new.)

* Of course, substitute the source IP netblock or IP address with your own.

Press ESC, then type :wq and Enter to save and exit vim,

and test it out with these commands:

Flush existing rules:

# iptables -F

Delete the marker file the script checks to see whether the firewall is already configured:

# rm /dev/shm/vcva_fw_configured

Execute the firewall script

# ./firewall

or

# /etc/sysconfig/network/scripts/firewall


Check that the new rules are applied via

# iptables -nvL

Test from your trusted network and from out of it.

If everything is alright, delete your snapshot.

Best Regards.

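As an added example (not code from the original post or from VMware), here is the manual edit above turned into a small POSIX shell script. It validates each trusted network before touching the chain, appends the ACCEPT rules ahead of the catch-all REJECT (iptables evaluates INPUT top to bottom, so an ACCEPT appended after the REJECT would never match), and checks the output of iptables -S INPUT for that ordering. It assumes, as overridable defaults, that the Web Client listens on TCP 9443 on eth0 and that iptables/ip6tables live in /usr/sbin as on VCSA 5.x; the sample networks and the -S output in the comments are constructed, and the file name /root/webclient_fw.sh used below is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): restrict the vSphere Web Client
# port to trusted management networks with iptables.
# Assumptions, all overridable from the environment: port 9443, interface eth0,
# iptables/ip6tables in /usr/sbin (VCSA 5.x layout).
WEBCLIENT_PORT="${WEBCLIENT_PORT:-9443}"
IFACE="${IFACE:-eth0}"
IPTABLES="${IPTABLES:-/usr/sbin/iptables}"
IP6TABLES="${IP6TABLES:-/usr/sbin/ip6tables}"

# Return 0 if $1 is an IPv4 address or CIDR block (a.b.c.d or a.b.c.d/n).
# Checking this up front keeps a typo from becoming a rule that iptables
# accepts but that matches the wrong network, and keeps shell metacharacters
# out of the rule entirely.
valid_ipv4_cidr() {
  case "$1" in ''|*[!0-9./]*|*/*/*) return 1 ;; esac
  addr="${1%%/*}"
  prefix="${1#*/}"
  [ "$prefix" = "$1" ] && prefix=32          # bare address: treat as /32
  [ -n "$prefix" ] && [ "$prefix" -le 32 ] 2>/dev/null || return 1
  case "$addr" in .*|*.) return 1 ;; esac    # leading/trailing dot
  old_ifs="$IFS"; IFS=.
  set -- $addr
  IFS="$old_ifs"
  [ "$#" -eq 4 ] || return 1
  for oct in "$@"; do
    [ -n "$oct" ] && [ "$oct" -le 255 ] 2>/dev/null || return 1
  done
  return 0
}

# Append one ACCEPT per trusted network, then the catch-all REJECT (IPv4) and
# DROP (IPv6). All arguments are validated before any rule is added, so a bad
# second argument cannot leave a half-applied chain behind.
apply_webclient_rules() {
  for net in "$@"; do
    valid_ipv4_cidr "$net" || { echo "refusing bad network: $net" >&2; return 1; }
  done
  for net in "$@"; do
    "$IPTABLES" -A INPUT -i "$IFACE" -p tcp --dport "$WEBCLIENT_PORT" -s "$net" -j ACCEPT || return 1
  done
  "$IPTABLES" -A INPUT -i "$IFACE" -p tcp --dport "$WEBCLIENT_PORT" -j REJECT || return 1
  "$IP6TABLES" -A INPUT -i "$IFACE" -p tcp --dport "$WEBCLIENT_PORT" -j DROP
}

# Read `iptables -S INPUT` output on stdin and return 0 only if at least one
# ACCEPT and the REJECT for the port exist and every ACCEPT precedes the REJECT.
# Constructed example of the expected input:
#   -A INPUT -s 10.1.2.0/24 -i eth0 -p tcp -m tcp --dport 9443 -j ACCEPT
#   -A INPUT -i eth0 -p tcp -m tcp --dport 9443 -j REJECT --reject-with icmp-port-unreachable
verify_webclient_chain() {
  seen_reject=0
  seen_accept=0
  while IFS= read -r line; do
    case "$line" in
      *"--dport $WEBCLIENT_PORT "*"-j ACCEPT"*)
        [ "$seen_reject" -eq 1 ] && return 1   # ACCEPT below REJECT is unreachable
        seen_accept=1 ;;
      *"--dport $WEBCLIENT_PORT "*"-j REJECT"*)
        seen_reject=1 ;;
    esac
  done
  [ "$seen_accept" -eq 1 ] && [ "$seen_reject" -eq 1 ]
}

# Command-line use (as root on the appliance):
#   sh webclient_fw.sh apply 10.1.2.0/24 192.168.50.0/24
#   /usr/sbin/iptables -S INPUT | sh webclient_fw.sh verify
# Preview without touching the chain: IPTABLES=echo IP6TABLES=echo sh webclient_fw.sh apply 10.1.2.0/24
case "${1:-}" in
  apply)  shift; apply_webclient_rules "$@" ;;
  verify) verify_webclient_chain ;;
  *) ;;
esac
```

Call it from the firewall script after the touch "$FW_MARKER" line, for example as sh /root/webclient_fw.sh apply 10.1.2.0/24, or run it by hand after the iptables -F and marker-file removal sequence above; then /usr/sbin/iptables -S INPUT | sh /root/webclient_fw.sh verify confirms the ACCEPT rules sit above the REJECT. When testing from inside and outside the trusted network as the post suggests, IPv4 connections from outside the listed networks should fail immediately rather than time out (REJECT), while IPv6 attempts time out silently (DROP).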
siddiqui_au
VMware Employee

Hi Sheath7288, it would be good to know the SR that was created for this issue. Could you pass that number over, please?

Twitter: https://twitter.com/Sarge_Siddiqui
LinkedIn: https://au.linkedin.com/in/sargesiddiqui