VMware Cloud Community
9lz
Contributor

Restrict access to System Directory in vRA

Hi,

We want to restrict users from trying to log in to the System Directory in vRA. How can we accomplish this? We feel it's a security concern that any user can try to log into vRA via the System Directory. I have tried to restrict access using Network Ranges, but any network is still able to log in.

Thanks,

Nils

5 Replies
daphnissov
Immortal

Are you talking about the internal domain of vsphere.local?

9lz
Contributor

Yes, I am.

I have tried restricting access to the "System Identity Provider" by selecting "Select which networks this IdP can be accessed from. Choose from the available network ranges from the list below", then selected an isolated administrative network. Users from other networks can still choose to change to a different domain, select vsphere.local, and then they get an error message saying "idp.not.found IDP not present". However, they can then select "Log in as Local Admin" and log in as administrator.

daphnissov
Immortal

People generally don't use that directory for anything other than tenant management. Are you not using an external Active Directory source? Why would you only be using the system directory?

9lz
Contributor

We do use AD with RSA SecurID and that works fine, but we want to avoid anyone hacking into the default tenant by changing to the vsphere.local domain. How can we stop a hacker from brute forcing into vsphere.local?

daphnissov
Immortal

As long as you only maintain the administrator account and set a strong password, it's a non-issue. I don't know of a way to disable the access of a given tenant to a specific identity source based on other factors.

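Since the thread concludes that the vsphere.local administrator account cannot be hidden from other networks and must simply be kept strong, a complementary defender control is to watch for repeated failed logins against that one domain. The following is an added example, not code from the thread or from VMware; the log line layout (timestamp, source IP, domain, user, outcome) is a constructed stand-in and not vRA's real log format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication lines (assumed layout, NOT vRA's own format):
# <ISO timestamp> <source IP> <domain> <user> <FAIL|SUCCESS>
SAMPLE_LOG = """\
2023-05-01T10:00:01 10.1.1.5 vsphere.local administrator FAIL
2023-05-01T10:00:03 10.1.1.5 vsphere.local administrator FAIL
2023-05-01T10:00:04 10.1.1.5 vsphere.local administrator FAIL
2023-05-01T10:00:06 10.1.1.5 vsphere.local administrator FAIL
2023-05-01T10:00:08 10.1.1.5 vsphere.local administrator FAIL
2023-05-01T10:00:09 10.1.1.5 vsphere.local administrator SUCCESS
2023-05-01T10:02:00 10.2.2.9 corp.example.com nils FAIL
2023-05-01T10:02:30 10.2.2.9 corp.example.com nils SUCCESS
2023-05-01T11:00:00 10.3.3.7 vsphere.local administrator FAIL
2023-05-01T11:30:00 10.3.3.7 vsphere.local administrator FAIL
"""


def parse_line(line):
    """Split one constructed log line into typed fields."""
    ts, src, domain, user, outcome = line.split()
    return datetime.fromisoformat(ts), src, domain, user, outcome


def brute_force_alerts(log_text, domain="vsphere.local", threshold=5,
                       window=timedelta(minutes=5)):
    """Return {source_ip: {"failures": n, "success_after": bool}} for every
    source that reached `threshold` failed logins against `domain` within a
    sliding `window`. A success right after the burst is the highest-priority
    signal, since it may mean the guessed password worked."""
    recent_failures = defaultdict(list)  # src -> timestamps of failures in window
    alerts = {}
    for line in log_text.splitlines():
        ts, src, dom, _user, outcome = parse_line(line)
        if dom != domain:
            continue  # only the system domain is of interest here
        if outcome == "FAIL":
            # Keep only failures still inside the window, then add this one.
            in_window = [t for t in recent_failures[src] if ts - t <= window] + [ts]
            recent_failures[src] = in_window
            if len(in_window) >= threshold:
                alerts[src] = {"failures": len(in_window), "success_after": False}
        elif outcome == "SUCCESS" and src in alerts:
            alerts[src]["success_after"] = True
    return alerts


if __name__ == "__main__":
    for src, info in brute_force_alerts(SAMPLE_LOG).items():
        print(f"ALERT {src}: {info['failures']} failures, success after: {info['success_after']}")
```

With the sample data only 10.1.1.5 trips the threshold; 10.3.3.7 stays under it because its two failures are half an hour apart, and the corp.example.com failures are ignored entirely.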