VMware Cloud Community
Bart_Verbruggen

Bug in vCenter?

Hi,

I noticed a strange behaviour with vm Host / vCenter permissions.

The directory services type on my hosts is set to Active Directory so I can use my domain credentials to manage my vSphere env.

The thing I noticed is that when I make my user account (not via a group) administrator in vCenter, I can do modifications/config. So far so good.

Normally when I'm administrator, I can also use my vCenter client to log in directly to my host with my domain credentials, but this fails!

If I change the permissions in vCenter to use an Active Directory group as administrator and I add my domain user to that group, I can do config and modifications on vCenter AND I can also use my domain account to login to the host.

I find it very strange that I cannot use my domain account to login to a host when this account is made administrator not via a domain group and that I can login to a host when my domain account is administrator via a domain group.

Is this a bug?

Kind regards,

Bart


Accepted Solutions
gogogo5

If you create a domain group called ESX Admins (exactly as shown) and add your domain user accounts to that group, ESX(i) will poll AD and automatically add ESX Admins locally. This will enable you to log on directly to the host using an account that is a member of ESX Admins.

See ESXi Configuration Guide, p165 for more info.

-gogogo5

Dave_Mishchenko

> The directory services type on my hosts is set to Active Directory so I can use my domain credentials to manage my vSphere env.

You only have to enable AD authentication on your hosts if you want to login directly to them (bypassing vCenter) with an AD account. If you don't use AD authentication on your hosts, you can still manage them via vCenter.

> If I change the permissions in vCenter to use an Active Directory group as administrator and I add my domain user to that group, I can do config and modifications on vCenter AND I can also use my domain account to login to the host.

The permissions to login to your host directly are separate from the permissions you set up in vCenter. When you join a host to vCenter, all interaction between the host and vCenter (and clients connecting via vCenter) is done with the vpxuser account. vCenter just determines what your AD account can and cannot do.

To login directly to your ESXi host, you have to grant permissions on the ESXi host directly. If my group or account has admin rights within vCenter, I won't be able to login directly to ESXi with my AD account until I specifically grant permissions on the host to the AD account or group.

Dave
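
As an added illustration (not code from this thread or from VMware), the sketch below models the two separate permission scopes described in the reply above, plus the automatic ESX Admins grant from the accepted answer, and reports which accounts can log in to a host directly versus only through vCenter. The account names, the groups other than ESX Admins, the host name and the input layout are constructed assumptions.

```python
IMPLICIT_GROUP = "ESX Admins"  # group name exactly as given in the accepted answer

def expand(principal, groups, seen=None):
    """Resolve a user or (possibly nested) group to the set of user accounts."""
    seen = set() if seen is None else seen
    if principal in seen:            # circular group nesting: stop here
        return set()
    seen.add(principal)
    if principal not in groups:      # not a known group, so it is an account
        return {principal}
    users = set()
    for member in groups[principal]:
        users |= expand(member, groups, seen)
    return users

def resolve_all(principals, groups):
    users = set()
    for p in principals:
        users |= expand(p, groups)
    return users

def audit_host(host, vcenter_admins, groups):
    """Compare who administers via vCenter with who can log in to the host."""
    on_host = set(host["admin_permissions"])
    implicit = set()
    if host["joined_to_ad"] and IMPLICIT_GROUP in groups:
        implicit = expand(IMPLICIT_GROUP, groups)   # auto-added by the host
        on_host.add(IMPLICIT_GROUP)
    direct = resolve_all(on_host, groups)
    via_vcenter = resolve_all(vcenter_admins, groups)
    return {
        "direct_login": sorted(direct),
        "vcenter_only": sorted(via_vcenter - direct),   # cannot log in to host
        "host_only": sorted(direct - via_vcenter),      # bypasses vCenter roles
        "implicit_via_group": sorted(implicit),
    }

# Constructed sample data (not from the thread).
GROUPS = {
    "ESX Admins": ["alice", "Tier1 Ops"],
    "Tier1 Ops": ["carol", "ESX Admins"],   # deliberate circular nesting
    "vSphere Admins": ["alice"],
}
VCENTER_ADMINS = ["bob", "vSphere Admins"]  # bob is granted the role directly
HOST = {"name": "esx01.example.test", "joined_to_ad": True,
        "admin_permissions": ["root"]}

if __name__ == "__main__":
    for key, accounts in audit_host(HOST, VCENTER_ADMINS, GROUPS).items():
        print(f"{key}: {', '.join(accounts) or '-'}")
```

The `host_only` list is the one to review: those accounts hold host-level access that no vCenter role assignment shows, which here includes a user who arrived through a group nested inside ESX Admins.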
