Clearpath’s Blog on IT Infrastructure, Hybrid Clouds and IT Security

Configuring vCenter Server and ESXi to Use the Same Identity Source

Posted by Jason Shiplett on Thu, Feb 07, 2013 @ 09:59 AM
In most environments, the same group of admins needs administrative access to both vCenter Server and ESXi hosts. To make administration easier and to provide a single, clear audit trail, ESXi and vCenter Server should authenticate user access through the same identity source. This article outlines how to make ESXi 5.1 and vCenter Server 5.1 (with a little help from Single Sign-On) authenticate against the same identity source, and how to give one group of admins access to both.
Configuring ESXi Authentication Services

First, create the ESX Admins group in Active Directory and populate it with users. This is the group to which ESXi grants administrative rights once the host has been configured to authenticate against AD.

[Screenshot: Active Directory Users and Computers, ESX Admins group properties]

Next, we need to configure our ESXi hosts to authenticate against Active Directory. This assumes your hosts are already available within vCenter Server.

Web Client

1. Click on your ESXi host in the Hosts and Cluster inventory view, click Manage, Settings, then Authentication Services under System. Click Join Domain.

[Screenshot: Authentication Services under System in the vSphere Web Client]

2. Fill in your domain name and give proper credentials to join the domain, then click Join Domain. Note that prefixing the user name with the domain, e.g. DOMAIN\User, will cause authentication to fail. Use either the user@domain.tld format or the bare user name.

[Screenshot: Join Domain dialog in the vSphere Web Client]

You should now see the Active Directory domain configuration as below.

[Screenshot: Active Directory domain configuration in the vSphere Web Client]

C# Client

1. Click on your ESXi host in the Hosts and Cluster inventory view, then click the Configuration tab and Authentication Services under Software.

[Screenshot: ESXi host selected in the Hosts and Clusters inventory, Configuration tab]

2. Click Properties to bring up the Directory Services Configuration dialog box. Using the Select Directory Service Type drop-down menu, choose Active Directory.

[Screenshot: Directory Services Configuration dialog, Select Directory Service Type drop-down]

3. Fill in your domain name, and click Join Domain.

[Screenshot: Directory Services Configuration dialog with the domain name filled in]

4. Give proper credentials to join the domain, then click Join Domain. Note that prefixing the user name with the domain, e.g. DOMAIN\User, will cause authentication to fail. Use either the user@domain.tld format or the bare user name.

[Screenshot: Join Domain credentials dialog]

You should now see the Active Directory domain configuration as below.

[Screenshot: Active Directory domain configuration in the C# client]

To confirm that authentication is actually working, SSH into the ESXi host and log in with Active Directory user credentials.

[Screenshot: SSH session on the ESXi host, logged in with Active Directory credentials]
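To automate the ESXi side of the procedure above across a whole cluster, and to verify the result without an SSH login, here is an added PowerCLI example; it is not from the original post, and vcenter.example.com, CORP.EXAMPLE.COM and the cluster name Production are placeholders for your environment.

```powershell
# Added example (not from the original post): join every ESXi host in a cluster
# to Active Directory and verify domain membership. Assumes PowerCLI is loaded;
# vcenter.example.com, CORP.EXAMPLE.COM and 'Production' are placeholders.
Connect-VIServer -Server 'vcenter.example.com' | Out-Null

$domain  = 'CORP.EXAMPLE.COM'
$cluster = Get-Cluster -Name 'Production'

# Account allowed to join computers to the domain. As the post notes, use
# user@domain.tld or the bare user name here, not the DOMAIN\User form.
$joinCred = Get-Credential -Message "Account permitted to join $domain"

foreach ($esx in (Get-VMHost -Location $cluster)) {
    $auth = Get-VMHostAuthentication -VMHost $esx
    if ($auth.DomainMembershipStatus -eq 'Ok' -and $auth.Domain -ieq $domain) {
        Write-Host "$($esx.Name): already joined to $domain"
        continue
    }
    # Join the host; -Confirm:$false suppresses the interactive prompt.
    Set-VMHostAuthentication -VMHostAuthentication $auth -Domain $domain `
        -JoinDomain -Credential $joinCred -Confirm:$false | Out-Null
}

# Verification: membership status per host, plus the advanced setting that names
# the AD group ESXi automatically grants the Administrator role to. The post's
# 'ESX Admins' group is the default value of this setting, so a changed value
# here means a different AD group holds root-equivalent rights on that host.
Get-VMHost -Location $cluster | ForEach-Object {
    $auth  = Get-VMHostAuthentication -VMHost $_
    $group = (Get-AdvancedSetting -Entity $_ `
        -Name 'Config.HostAgent.plugins.hostsvc.esxAdminsGroup').Value
    [pscustomobject]@{
        Host       = $_.Name
        Domain     = $auth.Domain
        Membership = $auth.DomainMembershipStatus
        AdminGroup = $group
    }
} | Format-Table -AutoSize
```

Any host whose Membership column is not Ok has not completed the join, which is the same condition the SSH login test above would reveal.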

Configuring vCenter Single Sign On

Since I want my vSphere administrators to be able to fully control the entire vSphere stack, I’m going to give them administrative rights in vCenter Single Sign-On.

1. Log in to the vCenter Server Web Client using the admin@system-domain user.

[Screenshot: vCenter Server Web Client login]

2. Click Administration on the left-hand side of the window.

[Screenshot: Administration view in the vCenter Server Web Client]

3. Click SSO Users and Groups. (If you haven’t already configured SSO to use your Active Directory domain as an Identity Source, see this article.)

[Screenshot: SSO Users and Groups]


4. Click the __Administrators__ Group, then click the Add Principals button.

[Screenshot: __Administrators__ SSO group, Add Principals]


5. Click the Identity Source drop-down menu, and choose your Active Directory domain.

[Screenshot: Identity Source drop-down showing the Active Directory domain]


6. Search the domain for the group ESX Admins. Select your ESX Admins group, then click Add. Click OK when finished.

[Screenshot: searching the domain for the ESX Admins group]


You should now see your ESX Admins group as a Principal for the __Administrators__ SSO Group.

[Screenshot: ESX Admins group listed as a Principal of the __Administrators__ SSO group]


Configuring vCenter Server Permissions

Something instructive happens after granting SSO permissions, and it illustrates the distinction between vCenter Server permissions and vCenter Single Sign-On permissions.

[Screenshot: Web Client showing an empty inventory for the vSphere Admin account]


I can log in to the vCenter Server Web Client with my vSphere Admin account, but I see an empty inventory since that account has no rights within vCenter Server. Now, let’s give it some permissions.


Web Client

1. Log into vCenter Web Client as an administrator.
2. Select the vCenter Server object in the Hosts and Clusters inventory view. Click Manage, then Permissions.

[Screenshot: vCenter Server object, Manage > Permissions]


3. Click the + icon to add permissions.


[Screenshot: Add Permissions dialog]

4. Click Add to add a new group. Click the Domain drop-down menu and choose your Active Directory domain.

[Screenshot: Select Users/Groups dialog with the Domain drop-down]

5. Search for ESX Admins, select the ESX Admins group, and click Add. Click OK.


[Screenshot: ESX Admins group selected and added]

6. Click the drop-down menu under Assigned Role and choose Administrator. Click OK to finish adding the permissions.

[Screenshots: Assigned Role set to Administrator, and the resulting permission under Manage > Permissions]

Now, if I log in with my vSphere Admin account…

[Screenshot: vSphere Web Client login with the vSphere Admin account]

I have full administrative rights to my vCenter Server.

[Screenshot: full inventory visible to the vSphere Admin account]


C# Client

1. Log in to vCenter Server via the C# vSphere Client with a vCenter Server administrator.
2. Select the vCenter Server object in the Hosts and Clusters, then select the Permissions tab.


[Screenshot: vCenter Server object, Permissions tab in the C# client]

3. Right-click in the white space under the listed permissions and click Add Permission.
a. Alternatively, right-click the vCenter Server object and click Add Permission.

[Screenshot: Add Permission in the C# vSphere Client]

4. Click Add under Users and Groups.

[Screenshot: Assign Permissions dialog, Add under Users and Groups]

5. Choose your Active Directory domain in the Domain drop-down menu, then search for ESX Admins. Select the ESX Admins group, click Add, then click OK.

[Screenshot: searching the Active Directory domain for ESX Admins]

6. Select Administrator in the Assigned Role drop-down menu, then click OK to finish adding the permissions.


[Screenshot: Assigned Role set to Administrator]

7. You should now see the ESX Admins group as an administrator under the vCenter Server object.


[Screenshot: ESX Admins group listed as Administrator on the vCenter Server object]

…and we’re done!
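The vCenter Server permission step from both clients above can also be done and, more importantly for audit, checked with PowerCLI. This is an added example, not from the original post; vcenter.example.com and the CORP domain are placeholders, and the principal uses the DOMAIN\Group form that vCenter permissions expect.

```powershell
# Added example (not from the original post): grant the Active Directory group
# 'ESX Admins' the Administrator role on the vCenter Server root object, then
# list every principal that holds Administrator there. Assumes PowerCLI is
# loaded; vcenter.example.com and CORP are placeholders for your environment.
Connect-VIServer -Server 'vcenter.example.com' | Out-Null

$principal = 'CORP\ESX Admins'         # AD group in DOMAIN\Group form
$root      = Get-Folder -NoRecursion   # top-level inventory object (the vCenter Server object in the clients)
$adminRole = Get-VIRole -Name 'Administrator'

# Idempotent: only create the permission if this principal has none on the root.
$existing = Get-VIPermission -Entity $root -Principal $principal -ErrorAction SilentlyContinue
if (-not $existing) {
    # Propagate so the group's rights flow down to datacenters, clusters and hosts,
    # which is what fixes the "empty inventory" symptom described in the post.
    New-VIPermission -Entity $root -Principal $principal -Role $adminRole -Propagate:$true | Out-Null
    Write-Host "Granted Administrator on $($root.Name) to $principal"
} else {
    Write-Host "$principal already has role '$($existing.Role)' on $($root.Name)"
}

# Audit: who holds Administrator at the root, and whether it propagates. Any
# unexpected principal here has full control of the whole vCenter inventory.
Get-VIPermission -Entity $root |
    Where-Object { $_.Role -eq 'Administrator' } |
    Select-Object Principal, IsGroup, Propagate, Entity |
    Format-Table -AutoSize
```

Run the audit part on its own periodically; the expected result is only the built-in administrator account and the ESX Admins group.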

Topics: VMware, vSphere, vCenter
