Hi All, We have several domains that we manage and would like to have the vC Ops UI allow access to different users. Since we have the same account name in the different domains, we do not have the same domain names.

Quoting IamTHEvilONE in "Re: vCOps access and Importing Users/groups from LDAP" (https://communities.vmware.com/thread/423502?start=15&tstart=0):

"/vsphere uses vCenter pass-through authentication. What does this mean?
1. The user must have an account in EACH vCenter that has been added to vC Ops in the /admin UI.
2. In each of these vCenters, the user MUST have a role that includes EITHER the vCOps Admin or the vCOps User permission. Admins have this by default; users need this enabled (under the global permissions set, the last two options).
When they log in to the /vsphere UI of vC Ops, they type in their username as if it were the vSphere client. vC Ops checks to see if the user can log in to each vCenter and has the required permission. If this is true, they can log in. Otherwise it's a failure."

The Admin account works because it is not bound to a domain, but the domain accounts do not log on. Is this really the case? Is there a way that I can get it to allow access on this version of vC Ops?

Kind Regards, Otto Jackson
Do you have only the vSphere UI, or both the vSphere UI and the Custom UI?
Because both work differently: the vSphere UI works with vCenter users, and for the Custom UI one has to manually import the users from AD/LDAP.
What you've quoted holds true, as far as I know.
Hi there, We only have the vSphere UI; the other one is for the Advanced and Enterprise editions, I believe. Since we do not have the Custom UI, we can't add different LDAP authentications for different domains.
If you're using the vSphere UI, sure, you can use different domains. vCenter acts as the authentication relay for the vSphere UI, in that when you log in to the vSphere UI it'll authenticate via the vCenter. vCenter can handle multiple domains, and so can the vSphere UI. You just won't be able to log in via sAMAccountName, and will need to use your domain\upn when logging in to the vSphere UI web page. Otherwise, it'll be integrated with the vC Ops solution in vCenter's Client and you won't even need to pass it credentials.
Hi, Excuse my ignorance. Would I need to add the other domains into the main SSO? We use an SSO for each domain. And if I add the domains, would I only be able to view the accessible vCenters? A previous remark showed that if it fails on one vCenter you will not be able to log in regardless. Would a local vsphere.local user account maybe work if it is available on all of the SSOs / vCenters?
vC Ops doesn't care about SSO... it connects directly to vCenter via the legacy APIs (e.g. VC 4.0 - 5.5 are all treated the same way as far as login/authentication is concerned).
I don't know the exact answer to your question; hopefully Mark or somebody has tried it and can share.
Or you can try it and let us know.
Hi, Arranging firewall rules as we speak. Will let you know what the test result is.
The vSphere UI login worked before I added the second domain's vCenter servers. I then created a vsphere.local user account and added it to the vCenters on both domains. This worked just fine, giving access to all the domains / vCenters. But this is just a workaround. It does not resolve my question as to how I can get people to log on to vC Ops with their domain accounts, have access only to their relevant domain, and not have a vC Ops instance for each domain, instead of checking the credentials against all domains.
vC Ops doesn't leverage SSO as gradinka mentioned, so it's not going to care how it is configured on your vCenter.
vC Ops is going to judge each vCenter individually with respect to user privileges. A user will need to have "vCenter Operations Manager User" at a minimum on the vCenter side, otherwise you won't be able to view the contents of that vCenter through vC Ops. If you can only access one vCenter or there is consistency, I would suggest checking to ensure your privileges have been set consistently across your multiple vCenters.
You mentioned using a vsphere.local user. There really won't be any benefit or difference to using a local account in vC Ops' eyes. It just comes down to whether you've got the privileges necessary. If you want to verify permissions, log in as a particular domain user, launch the Monitor/Health tab, and then pop out the vC Ops page to see if you can log in. If anything fails along that process, you've found a spot to focus on.
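One way to check the two conditions described in this thread (the credentials authenticate against every vCenter registered in vC Ops, and the user holds a role carrying a vCenter Operations Manager privilege on each one) from a PowerCLI session, as an added example that is not code from the thread or from VMware. It assumes PowerCLI is installed, the vCenter names and the tested user are placeholders you replace, and the vC Ops privileges have a display name containing "Operations Manager", which is matched by wildcard.

```powershell
# Added example (not from the thread): per-vCenter login and privilege check for one user.
# Assumptions: PowerCLI installed; $vCenters are placeholders; vC Ops privilege display
# names contain "Operations Manager" (adjust the wildcard if your version names them differently).

$vCenters = @('vc01.domainA.example', 'vc02.domainB.example')   # placeholder vCenter names
$cred     = Get-Credential -Message 'Domain user to test, e.g. DOMAIN\user or user@domain'

foreach ($vc in $vCenters) {
    $srv = $null
    try {
        # Condition 1: the same credentials must authenticate against this vCenter.
        $srv = Connect-VIServer -Server $vc -Credential $cred -ErrorAction Stop
    } catch {
        # One failed vCenter is enough for vC Ops to reject the whole login.
        Write-Output "$vc : LOGIN FAILED ($($_.Exception.Message))"
        continue
    }

    # Privilege IDs whose display name mentions Operations Manager (wildcard is an assumption).
    $vcopsPrivIds = @(Get-VIPrivilege -Server $srv -Name '*Operations Manager*' | ForEach-Object { $_.Id })

    # Condition 2: roles granted directly to this principal anywhere in the inventory.
    # Note: permissions inherited through an AD group are not listed for the user principal;
    # re-run with -Principal set to the group name if access is granted via groups.
    $principal = $cred.UserName
    $roles = @(Get-VIPermission -Server $srv -Principal $principal |
               Select-Object -ExpandProperty Role -Unique)

    $ok = $false
    foreach ($roleName in $roles) {
        $role = Get-VIRole -Server $srv -Name $roleName
        # Administrator includes every privilege, so admins pass here by default.
        if ($role.PrivilegeList | Where-Object { $vcopsPrivIds -contains $_ }) { $ok = $true }
    }

    if ($ok) { Write-Output "$vc : OK (roles: $($roles -join ', '))" }
    else     { Write-Output "$vc : MISSING vC Ops privilege (roles: $($roles -join ', '))" }

    Disconnect-VIServer -Server $srv -Confirm:$false
}
```

A vCenter reported as LOGIN FAILED or MISSING is the one to fix before the vSphere UI login will succeed for that user.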