VMware Cloud Community
1an3
Enthusiast

local vs. domain user for vCenter Server

What do people prefer (or what is best) when running vCenter server?

A named local account? (e.g. server\vcenter-user)

A domain account? (e.g. domain\vcenter-user)

Local System?

I installed using a named local account to enable Windows Authentication on the local SQL Server.

However when I come to install permissions on things, I can't query LDAP.

The following is in vCenter server logs (vpxd-nn.log):

-- BEGIN task-internal-656297 -- -- vim.UserDirectory.retrieveUserGroups -- 3B8B1D74-5A19-4082-A70C-AFF50BFA2882(77DC54F3-A575-447B-9B3E-FF18C21E2EDE)

Failed to open "LDAP://<domain.removed>": Logon failure: unknown user name or bad password

Failed to logon to the specified domain. Try setting ADS username and password, or running as a domain privileged user.

Is it possible to, as it says, set the ADS username/password to a domain user? (we have an account used for LDAP queries)

Is it possible to change the user which runs vCenter Server (merely by changing the service settings in Computer Management)?

Thanks

Ian

-


VCP4

14 Replies
msemon1
Expert

We use a Domain Account. Best practice, I believe, is to use SQL authentication instead of Windows Authentication. If you are using a remote SQL server, I think that is the only option.

Mike

Troy_Clavell
Immortal

To take it even a little further, we use AD groups, and actually delete Administrators out of the vCenter permissions.

Also, remember that in order to install vCenter, it must be a member of a domain.

> ...The system that you use for your vCenter Server installation must belong to a domain rather than a workgroup.

http://www.vmware.com/pdf/vsphere4/r40_u1/vsp_40_u1_esx_vc_installation_guide.pdf

RParker
Immortal

To add to the other posts, you can use either; it really doesn't matter. ALL that matters is users. If you want users to connect, and your vCenter is not a member of the domain, you must create the users yourself. If your vCenter is a domain member, then you can simply add their domain user accounts to connect.

The vCenter service itself makes no difference, local or not; however, it may make things easier since the account is local, and you don't have to worry about domain user restrictions if you have any.

SQL can use either SQL authentication or Mixed (Windows + SQL), but I wouldn't use Windows authentication for this. You don't want a user controlling a SQL server, just the table, so for easier security make the SQL account a SQL-only account.

That way, if something happens on the vCenter machine, you don't get accidental propagation of the settings to the SQL server through Windows authentication.

1an3
Enthusiast

Troy - that's what I want to do: specify AD groups in vCenter to more easily assign permissions.

The problem I have is that the named local account I run vCenter Server as cannot read AD. The error I have suggests that the username for ADS can be configured, but I can't see how to configure it.

I could try to reconfigure the vCenter Server service to run as a domain account, but I don't want this to screw up my (also locally installed) SQL DB using Windows auth.

Ian

-


VCP4

Troy_Clavell
Immortal

Your vCenter Server service should run as Local System. Plus, once you join your vCenter host to the domain you will have access to all the AD groups/users.

1an3
Enthusiast

My vCenter Server service runs as a local named user called 'vcenter-user', and my vCenter Server is a domain member.

?:|

-


VCP4

Troy_Clavell
Immortal

Run it as Local System.

1an3
Enthusiast

But then I can't run SQL Server with Windows Authentication?

-


VCP4

Troy_Clavell
Immortal

> but then I can't run SQL Server with Windows Authentication?

As far as I know this is not a supported setup anyway. You should use SQL Authentication. As we use SQL Authentication and Local System for our vCenter instance, I've never seen this situation.

I would suggest, if you can, changing your vCenter Server service to Local System and using SQL Authentication. This will fix your issue. However, if you can't, you may try using domain credentials instead of local credentials for vCenter. What credentials are you using for your SQL, domain?

http://kb.vmware.com/kb/1003928

1an3
Enthusiast

From p. 84 of the install guide:

> Using a User Account for Running vCenter Server with SQL Server
>
> You can use the Microsoft Windows built-in system account or a user account to run vCenter Server. With a user account, you can enable Windows authentication for SQL Server, and it also provides more security. The user account must be an administrator on the local machine. In the installation wizard, you specify the account name as DomainName\Username. You must configure the SQL Server database to allow the domain account access to SQL Server.
>
> The Microsoft Windows built-in system account has more permissions and rights on the server than the vCenter Server system needs, which can contribute to security problems. Even if you do not plan to use Microsoft Windows authentication for SQL Server or you are using an Oracle database, you might want to set up a local user account for the vCenter Server system. In this case, the only requirement is that the user account is an administrator on the local machine.

This says that you can use a user account (as opposed to local system) to run vCenter, thereby allowing you to use Windows authentication for SQL Server, and enhancing security. It doesn't say that the account needs to be a domain account, only that the account should be allowed to access the SQL Server. The local user I'm running IS a local admin on the vCenter server box, as per the final sentence.

As per the original error message, does anyone know if it's possible to configure the ADS username/password?

Ian

-


VCP4

Troy_Clavell
Immortal

I understand that; however, as stated in the snip you posted, you must use DomainName\Username. So your setup will not work. If you look at the KB article I posted, it will tell you how to get to a supported setup.

> The user account must be an administrator on the local machine. In the installation wizard, you specify the account name as DomainName\Username. You must configure the SQL Server database to allow the domain account access to SQL Server.

1an3
Enthusiast

This setup does work, apart from the connection to LDAP, the error for which suggests that the username/password it uses is configurable somehow...

-


VCP4

Troy_Clavell
Immortal

ok, you win!

1an3
Enthusiast

Thanks all for your replies.

Reconfigured the vCenter service(s) to run as domain\vcenter-user (that user is in the local admins group on the server) and now all is well (I can read AD groups into roles/permissions).

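The thread settles on a named service account that is a local Administrator rather than Local System. The following audit script is an added example (not from the thread or from VMware) that reports which account each vCenter service logs on as and checks it against the two points made above; it assumes the services can be found by a DisplayName beginning with "VMware".

```powershell
# Added example, not part of the original thread.
# Reports the logon account of each VMware service and classifies it:
#   - a built-in account (LocalSystem, LocalService, NetworkService) carries
#     more rights than vCenter needs, per the install guide quoted above;
#   - a named account must be a member of the local Administrators group.
# Assumption: the vCenter services have a DisplayName starting with "VMware".

$services = Get-CimInstance Win32_Service -Filter "DisplayName LIKE 'VMware%'"

# Members of the local Administrators group, as HOST\user or DOMAIN\user strings.
$localAdmins = Get-LocalGroupMember -Group 'Administrators' |
    Select-Object -ExpandProperty Name

foreach ($svc in $services) {
    $account = $svc.StartName
    $finding = switch -Regex ($account) {
        '^(LocalSystem|NT AUTHORITY\\(LocalService|NetworkService))$' {
            'built-in account: more rights than vCenter needs'
        }
        default {
            # ".\user" is shorthand for a local account; normalise to HOST\user.
            $normalised = $account -replace '^\.\\', "$env:COMPUTERNAME\"
            if ($localAdmins -contains $normalised) {
                'named account, member of local Administrators (as the guide requires)'
            } else {
                'named account, NOT in local Administrators: vCenter will not start correctly'
            }
        }
    }
    [pscustomobject]@{
        Service = $svc.Name
        Account = $account
        Finding = $finding
    }
}
```

Run from an elevated PowerShell session on the vCenter Server host; if the logon account needs changing, the Services console route the thread used (or `sc.exe config <service> obj= "DOMAIN\user" password= "..."`) applies, and with Windows authentication the same domain account also needs a login on the SQL Server instance.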