In the previous article, I wrote an article about how to create a user account on vCenter Server Appliances (vCSA). This method will be very beneficial for us if we do not have an Active Directory (AD) server for user account back end, so we could directly use Linux user account which exists on vCSA.
How if we already have an Active Directory Server? Whether Active Directory based on Windows server or Active Directory based on Linux+Samba 4 just like Excellent Samba4 Appliance. Although vCSA built from SUSE Linux Enterprise Server, vCSA can also using Active Directory as authentication server.
How does it work? The following instructions are the processes which I do to set the vCSA version 5.5 which use active directory server based on Excellent Samba4 Appliance. These instructions supposedly also work for Windows based AD server.
- Make sure the setting of time between vCSA and AD server using same Network Time Protocol (NTP) server or using the correct date & time settings
- Make A records on DNS server so that AD server or vCSA could recognize one another based on the hostname. The following is the example from my system :
On Domain Controller/AD Server (dc.excellent.co.id) :
dc:~ # nslookup vcenter-lab.excellent.co.id
Address: 192.168.1.254#53Name: vcenter-lab.excellent.co.id
On vCenter Server Appliance(vcenter-lab.excellent.co.id)
vcenter-lab:~ # nslookup dc.excellent.co.id
If the test above still does not work, check DNS and resolving setting (/etc/resolv.conf) on vCSA and make sure the DNS settings has already using proper DNS server. If the setting does not correct yet, we can login to vCSA then run the following command : /opt/vmware/share/vami/vami_config_net and modify network settings to fit with our network environment
- Run the following command to join vCSA domain to AD:
/opt/likewise/bin/domainjoin-cli join domainname.tld email@example.com PasswordAdministrator
For example :
/opt/likewise/bin/domainjoin-cli join excellent.co.id firstname.lastname@example.org PasswordvCenter2014
Joining to AD Domain: excellent.co.id
With Computer DNS Name: vcenter-lab.excellent.co.id
- Open the vCSA web admin on the browser using this address https://hostname-or-IP-vCSA:5480 such as https://vcenter-lab.excellent.co.id:5480 and try to login using user name root (default password: vmware)
- Go to the Authentication page and set the vCSA use AD authentication
- Before restarting the program, go to admin tab and click Yes on SSL regeneration so that the vCSA will automatically setup SSL certificate to match to the host name or the address when joining domain. This process need to be activated as a preventive step to avoid error on vCenter Server Appliance : Failed to Connect to VMware Lookup Service
- Go to System and click Reboot
- After reboot, open vCenter page WebClient port 9443 (such as: https://192.168.1.212:9443/vsphere-client) and login using user name: email@example.com default password : vmware
- Go to menu Administration | Configuration
- Click Add identity source
- Choose Active Directory (Integrated Windows Authentication), Use Machine Account and choose the domain which already set then click OK
- From vCSA web client. Click vCenter Server menu, choose the available server then click tab Manage – Permisions
- Try to add the user permission for the account which come from the AD server, click the plus (+). Choose the domain name/workgroup (usually domain name without TLD and using all capital, such as may domain name: excellent.co.id, so the workgroup = EXCELLENT). vCSA will automatically detect the names of user which exist on AD server
- Set the user permission according to what it needs
- After all process completed, we can login to vCenter either via Web Client or vSphere client by using AD account
Using Active Directory server will simplify the management of user accounts by utilizing Single Sign On (SSO) mechanism.