Platform Service Controller is a new component in vSphere 6.0. The PSC contains all the services that vCenter needs for its functions including Single Sign-On (SSO). This post describes how to configure AD authentication in vCenter Server.
The method shown in this post lets you manage users and groups in your central directory. It works for both the vCenter Server installed on Windows Server and the vCenter Server Appliance (VCSA).
- Open vSphere Web Client (https://[vcenter]/vsphere-client).
- Log in as the Single Sign-On administrator (VSPHERE.LOCAL domain; the password was set during installation).
- Navigate to Administration > Single Sign-On > Configuration.
Open the Identity Sources tab and then click the green + to add an Identity Source:
Several Identity Source types can be selected here. The two we focus on are Active Directory (Integrated Windows Authentication) and Active Directory as an LDAP Server (safer).
The first option works with both the Windows-based vCenter Server and the vCenter Server Appliance. The underlying system (Windows Server, or the infrastructure node running the Platform Services Controller) has to be a member of the Active Directory domain.
When using Active Directory as an LDAP Server instead, we have to specify some LDAP entities so that vCenter can read and check domain users. In this case the underlying system (VMware vCenter) is not part of the Active Directory domain.
Fill out the remaining fields as follows:
- Name: Label for identification
- Base DN for users: The Distinguished Name (DN) of the starting point for directory server searches. Example: If your domain name is example.lab the DN for the entire directory is “DC=example,DC=lab”.
- Domain name: Your domain name. Example: “example.lab”.
- Domain alias: Your netbios name. Example: “example”.
- Base DN for groups: the Distinguished Name (DN) of the starting point for directory server searches.
- Primary server URL: AD Server URL. You can either query the local directory (Port 389), or the global catalog (Port 3268). Example: “ldap://dc01.example.lab:3268” or “ldap://dc01.example.lab:389”.
- Secondary Server URL: a second domain controller to fall back to, if one is available.
- Username: A user in the AD Domain with at least browse privileges. Example: example\vcentersso.
- Press Test Connection to verify the AD connection.
- Click OK.
- Back at Identity Sources your AD should appear in the list, and from now on you can assign vCenter permissions to users and groups from your Active Directory.
- Select your Active Directory and click the globe-with-arrow button to make AD your default domain (optional).
To log in with AD users, you have to set permissions. To add an AD user as global Administrator, navigate to Administration > Access Control > Global Permissions:
Click Add permission:
Select the Active Directory domain under Domain, choose a user and press Add…
Press OK twice. You should now be able to log in to vCenter 6.5 with your Active Directory account.
Use Windows session authentication
The “Use Windows session authentication” checkbox is disabled unless the Enhanced Authentication Plugin is installed. You can find the download link at the bottom of the login screen.
The vCenter Single Sign-On server is not currently joined to any domain
When the following message is displayed:
"The vCenter Single Sign-On server is not currently joined to any domain. You cannot complete the current operation."
Join the underlying operating system to an Active Directory domain, or follow this guide to join the vCenter Server Appliance to AD.