In the previous article I described how to create a user account directly on the vCenter Server Appliance (vCSA). That method is useful when we do not have an Active Directory (AD) server as the user account back end, because the Linux user accounts that already exist on vCSA can be used directly.
What if we already have an Active Directory server, whether a Windows-based one or a Linux + Samba 4 one such as the Excellent Samba4 Appliance? Although vCSA is built on SUSE Linux Enterprise Server, it can also use Active Directory as its authentication server.
How does it work? The following are the steps I used to configure vCSA version 5.5 against an Active Directory server based on the Excellent Samba4 Appliance. They should also work with a Windows-based AD server.

  1. Make sure vCSA and the AD server keep the same time, either by using the same Network Time Protocol (NTP) server or by setting the correct date and time on both
  2. Create A records on the DNS server so that the AD server and vCSA can resolve each other by hostname. The following is an example from my system:
    On the Domain Controller/AD server (dc.excellent.co.id):
    [code lang="bash"]
    dc:~ # nslookup vcenter-lab.excellent.co.id
    Server: 192.168.1.254
    Address: 192.168.1.254#53
    Name: vcenter-lab.excellent.co.id
    Address: 192.168.1.212
    [/code]
    On the vCenter Server Appliance (vcenter-lab.excellent.co.id):
    [code lang="bash"]
    vcenter-lab:~ # nslookup dc.excellent.co.id
    Server: 192.168.1.254
    Address: 192.168.1.254#53
    Name: dc.excellent.co.id
    Address: 192.168.1.254
    [/code]
    If the lookup above still fails, check the DNS resolver settings (/etc/resolv.conf) on vCSA and make sure they point to the proper DNS server. If they are not correct yet, log in to vCSA and run /opt/vmware/share/vami/vami_config_net to modify the network settings to match your environment
  3. Run the following command to join vCSA to the AD domain:
    [code lang="bash"]
    /opt/likewise/bin/domainjoin-cli join domainname.tld administrator@domainname.tld PasswordAdministrator
    [/code]
    For example:
    [code lang="bash"]
    /opt/likewise/bin/domainjoin-cli join excellent.co.id administrator@excellent.co.id PasswordvCenter2014
    Joining to AD Domain: excellent.co.id
    With Computer DNS Name: vcenter-lab.excellent.co.id
    SUCCESS
    [/code]
  4. Open the vCSA web admin page in the browser at https://hostname-or-IP-vCSA:5480, for example https://vcenter-lab.excellent.co.id:5480, and log in as root (default password: vmware)
  5. Go to the Authentication page and set vCSA to use AD authentication
    [Screenshot: vavai-vcenter-server-appliance-ad-authentication-1]
  6. Before rebooting, go to the Admin tab and click Yes on SSL regeneration so that vCSA automatically regenerates its SSL certificate to match the hostname used when joining the domain. This step is a preventive measure against the vCenter Server Appliance error: Failed to Connect to VMware Lookup Service
    [Screenshot: vavai-vcenter-server-appliance-error-ssl-resolved]
  7. Go to System and click Reboot
  8. After the reboot, open the vCenter Web Client on port 9443 (for example https://192.168.1.212:9443/vsphere-client) and log in as administrator@vsphere.local (default password: vmware)
  9. Go to the menu Administration | Configuration
  10. Click Add identity source
  11. Choose Active Directory (Integrated Windows Authentication), select Use Machine Account, choose the domain that was just joined, then click OK
    [Screenshot: vavai-vcenter-server-appliance-ad-authentication-2]
  12. In the vCSA Web Client, click the vCenter Server menu, choose the available server, then open the Manage – Permissions tab
    [Screenshot: vavai-vcenter-server-appliance-ad-authentication-3]
  13. Add a permission for an account that comes from the AD server by clicking the plus (+). Choose the domain name/workgroup (usually the domain name without the TLD, in capitals; for example my domain name is excellent.co.id, so the workgroup is EXCELLENT). vCSA will automatically list the user names that exist on the AD server
    [Screenshot: vavai-vcenter-server-appliance-ad-authentication-4]
  14. Set the user permissions as needed
  15. Once everything is complete, we can log in to vCenter with an AD account, either via the Web Client or the vSphere Client
    [Screenshot: vavai-vcenter-server-appliance-ad-authentication-5]
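Steps 1, 2 and 13 can be checked from the vCSA shell before running domainjoin-cli. The following POSIX shell script is an added example for this article (it is not a VMware tool and not the author's own script): it resolves both hostnames and compares the answers with the expected addresses, checks the clock skew against the domain controller, and derives the short workgroup name used in the permissions dialog. The hostnames and addresses are the ones from this article's lab, reading the DC's clock over SSH as root is an assumption, and the 300-second limit is the default Kerberos clock-skew tolerance.

```bash
#!/bin/sh
# Pre-flight checks before joining a vCSA 5.5 appliance to an AD domain.
# Added example for this article, not VMware's or the author's own script.
# Hostnames and addresses below are taken from the article's lab (assumed);
# adjust them for your environment.

DC_FQDN="dc.excellent.co.id"
DC_IP="192.168.1.254"
VCSA_FQDN="vcenter-lab.excellent.co.id"
VCSA_IP="192.168.1.212"
MAX_SKEW_SECONDS=300   # Kerberos tolerates 5 minutes of clock skew by default

# Extract the answer address from nslookup output read on stdin.
# The first "Address:" line (the one with "#53") is the resolver itself,
# so only an address printed after a "Name:" line counts as the answer.
resolved_address() {
    awk '
        /^Name:/            { seen = 1; next }
        seen && /^Address:/ { print $2; exit }
    '
}

# Forward-resolve a hostname and compare the answer with what we expect.
check_forward() {
    host="$1"; expected="$2"
    got=$(nslookup "$host" 2>/dev/null | resolved_address)
    if [ "$got" = "$expected" ]; then
        echo "OK   $host -> $got"
        return 0
    fi
    echo "FAIL $host resolved to '${got:-nothing}', expected $expected" >&2
    return 1
}

# Short (NetBIOS-style) domain name: first DNS label in capitals,
# e.g. excellent.co.id -> EXCELLENT, as shown in the permissions dialog.
netbios_name() {
    printf '%s\n' "$1" | cut -d. -f1 | tr '[:lower:]' '[:upper:]'
}

# Return 0 when two epoch timestamps differ by at most MAX_SKEW_SECONDS.
clock_skew_ok() {
    a="$1"; b="$2"
    diff=$((a - b))
    if [ "$diff" -lt 0 ]; then diff=$((-diff)); fi
    [ "$diff" -le "$MAX_SKEW_SECONDS" ]
}

main() {
    status=0
    check_forward "$DC_FQDN" "$DC_IP" || status=1
    check_forward "$VCSA_FQDN" "$VCSA_IP" || status=1
    # Assumption: root SSH access to the DC; any other way of reading its
    # clock (an NTP query, for instance) works just as well here.
    remote_now=$(ssh "root@$DC_FQDN" 'date +%s' 2>/dev/null) || remote_now=""
    if [ -n "$remote_now" ] && clock_skew_ok "$(date +%s)" "$remote_now"; then
        echo "OK   clock skew within ${MAX_SKEW_SECONDS}s of $DC_FQDN"
    else
        echo "FAIL clock skew check (DC time: '${remote_now:-unavailable}')" >&2
        status=1
    fi
    echo "Workgroup name for the permissions dialog: $(netbios_name "${DC_FQDN#*.}")"
    return $status
}

# Run the checks only when explicitly requested, so the functions can be
# sourced or tested without touching the network: VCSA_PRECHECK=1 sh precheck.sh
if [ "${VCSA_PRECHECK:-0}" = "1" ]; then
    main
fi
```

A non-zero exit status means at least one check failed and the domain join should not be attempted until DNS or time settings are corrected.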

Using an Active Directory server simplifies user account management through the Single Sign On (SSO) mechanism.

3 thoughts on “VMware How To : vCenter Server Appliance Using Active Directory Account”
  1. Error: Idm client exception: Operations error on vCSA 5.5.0 b. Same error I've been having. I've always had to add AD as an LDAP server. Any suggestions?
