I just started to learn this and wonder which method is better.
1. Joining VCSA SSO to AD via Active Directory (Integrated Windows Authentication): will require a reboot (need to reboot all VCSAs in a cluster?), can only join to one AD, AD trust to consider, should join to the root of the forest.
2. Joining VCSA via AD over LDAP: no reboot, can join to multiple ADs, any AD trust to consider?... Does this mean a workstation joined to a domain can't just use SSO (like, must provide account and password all the time)?
Identity Sources for vCenter Server with vCenter Single Sign-On
Extracted from the above link:
"Active Directory over LDAP. vCenter Single Sign-On supports multiple Active Directory over LDAP identity sources. This identity source type is included for compatibility with the vCenter Single Sign-On service included with vSphere 5.1. Shown as Active Directory as an LDAP Server in the vSphere Client."
Does this mean this is included mainly to be compatible with vCenter SSO in vSphere 5.1, and we should use Active Directory (Integrated Windows Authentication) instead if there isn't vSphere 5.1 around?
If so, why? Because it is easier?
Thanks!
If you are making a new connection to AD, I would suggest using LDAP or ADFS. IWA is deprecated. See Re: Unable to login with a AD account
LDAPS please 😉
LDAP will break authentication when Microsoft rolls out the patch regarding LDAP signing.
Dear bewe, are you referring to this?
VMware vSphere & Microsoft LDAP Channel Binding & Signing (ADV190023) - VMware vSphere Blog
Not aware of this. Thanks!
Yes - this patch was announced for March and was rescheduled to the second half of 2020. Don't know if they will inform us or release this silently.
Thanks jburen!
Checked, only vSphere 7 provides ADFS. For version 6.7, IWA will still be supported till 2025/2027; looks like IWA is a good option for vSphere 6.7, since LDAPS looks complex to set up. For a site with one domain.
For a new setup with vSphere 7, you are right, ADFS is a better option. I have not started looking into version 7 yet.
Thanks for the heads-up.