Starting from version 5.1 of vSphere, VMware introduced the SSO – Single Sign On, a feature which allows us to log on once and access many cloud components without needing to log in all over again. Cute. The SSO supports a local user database, OpenLDAP, Microsoft AD and NIS+ as identity stores. Not sure about versions, so this has to be checked out.
In this short blog, we will set up the SSO to include an additional Microsoft AD domain.
For administering the SSO, we must use the vSphere Web Client.
Let’s take a look at the following screenshot:
We can see two things here. First, we must be logged in as admin@System-Domain in order to have the option of changing the SSO configuration. Only this user has the right to see the “Sign-On and Discovery->Configuration” option. The password for this user was given during the installation of the SSO. Of course, using this user, we could grant a user from a different identity store the permission to make changes to the SSO configuration.
Second, the domain in which we installed the VC is already added to the list of identity stores, so we can authenticate our users against that domain.
What if we would like to add another identity store? For example, another AD domain. Easy. We click the green plus sign, and a dialog pops up in which we should fill in some data:
First we need to select the identity source type. In this case, it is Active Directory. After giving a name, we need to specify the Primary server URL. This is given in the form of ldap://x.y.z.w:389, where x.y.z.w is the IP address of the other domain’s domain controller, and TCP/389 is the default LDAP port that the domain controller is using.
We should give a domain name and select the authentication type to be Password. Then we specify a username and password combination valid for that domain. This username does not have to be a domain administrator account, but it should have a complex password and should never expire.
When we click the Test Connection we should get this response:
Once again, if there is a firewall in between the VC and the domain controller, the appropriate port should be opened. In this case TCP/389.
Now we have an additional domain added to the identity sources:
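As an added example that is not part of the original post, the following PowerShell script does from the command line what the Test Connection button does, plus the two checks this procedure depends on: that TCP/389 is reachable from the VC and that the identity-source account's password is set to never expire. The DC address and account name are placeholders; replace them with the values you entered in the dialog.

```powershell
# Added example (not from the original post): pre-flight check for an AD identity source.
# Run on the vCenter server so the reachability test reflects the real firewall path.
Add-Type -AssemblyName System.DirectoryServices

$DcAddress = '192.0.2.10'                   # placeholder for x.y.z.w in ldap://x.y.z.w:389
$LdapPort  = 389                            # default LDAP port used in the Primary server URL
$BindUser  = 'OTHERDOMAIN\svc-vsphere-sso'  # placeholder name of the identity-source account
$BindPass  = Read-Host -AsSecureString "Password for $BindUser"

# 1. Reachability: the same TCP/389 that must be open on any firewall between the VC and the DC.
$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($DcAddress, $LdapPort)
    Write-Host "TCP/$LdapPort to $DcAddress is open."
} catch {
    throw "Cannot reach ${DcAddress}:${LdapPort} - check the firewall between the VC and the DC."
} finally { $tcp.Close() }

# 2. Bind with the identity-source account (what Test Connection does).
# Note: a plain ldap:// URL on 389 is unencrypted LDAP; DirectoryEntry here uses the secure
# (Kerberos/NTLM) bind by default, so the password itself is not sent in cleartext.
$plain = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
    [Runtime.InteropServices.Marshal]::SecureStringToBSTR($BindPass))
$root = New-Object System.DirectoryServices.DirectoryEntry(
    "LDAP://${DcAddress}:${LdapPort}", $BindUser, $plain)
try { $null = $root.NativeObject } catch { throw "LDAP bind as $BindUser failed: $_" }
Write-Host "Bind as $BindUser succeeded."

# 3. The account must never expire, or the identity source silently stops working later.
# userAccountControl bit 0x10000 is DONT_EXPIRE_PASSWD.
$sam = $BindUser.Split('\')[-1]
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
$searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$sam))"
$null = $searcher.PropertiesToLoad.AddRange([string[]]@('userAccountControl'))
$result = $searcher.FindOne()
if (-not $result) { throw "Account $sam was not found in the directory." }
$uac = [int]$result.Properties['useraccountcontrol'][0]
$neverExpires = ($uac -band 0x10000) -ne 0
Write-Host ("Password never expires: {0}" -f $neverExpires)
if (-not $neverExpires) {
    Write-Warning "Set 'Password never expires' on $sam before using it as the identity-source account."
}
```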
In a similar fashion we add other supported identity sources.
Once added, we can use the identity source to assign roles/privileges to users from that identity source.
We log out from admin@System-Domain and log in as a user with the admin role on the VC. Then we navigate to the VC we want to set up new permissions on, select Manage->Permissions and click the green plus sign:
Then we click the Add button:
We select the newly created domain:
Then we search for a user or a group. When searching, we type a part of a name and hit <ENTER>. We select the name, click Add and then OK:
Instead of the default Read-only role, we assign the Administrator role (or some other role as appropriate):
We must make sure that the option Propagate to children of the <thenameofvcserver> object is selected, and we click OK:
Then we have this situation:
Now we can use this user from a different domain to manage the virtual infrastructure. We need to provide our credentials in the form user@somedomain together with the domain password:
Thanks for reading.