Citrix XenServer - Active Directory authentication

Page 3 / 3

7. Adding AD users and groups to the XenServer server

As mentioned earlier, roles can be associated with AD users, as well as AD groups.
Now that your XenServer server is joined to your domain, you can add users and groups from your Active Directory to manage users on your XenServer server.

To begin, click on "Add".

Specify the name(s) of the AD user(s) you want to use to manage your XenServer server.
Note: as indicated by XenCenter, you can add multiple users at once by separating their names with a comma. In addition, if you don't specify the domain name before the username, XenServer automatically prepends the domain name that was specified when the server was joined to your AD domain.

As you can see, XenServer detected that our users were part of the "INFORMATIWEB" NETBIOS domain.

For now, XenServer knows the 3 users we just added.
Now, we will add our 2 Active Directory groups by clicking "Add" again.

Enter the names of the two groups separated by commas and click on "Grant Access".

XenServer detects that these two groups are also part of the "INFORMATIWEB" domain.

Now, we can set a role for each of these AD users and groups.

To begin, we will assign a role to the "User3" user.

This user will only have the right to view the statistics of the server and the use of its resources.

Then, select the "xenserver-pool-operators" group and click on "Change Role".

Select the "Pool Operator" role.

And assign the "VM Operator" role to the "xenserver-vm-operators" group.

As you can see here, some users do not have a directly assigned role, and one user has the "Read Only" role.
As the next section shows, XenServer nevertheless resolves an effective role for each of these users through their group membership.

8. Testing roles associated with AD users and/or groups

8.1. User1: Pool Operator

To check which role each user receives, we will disconnect from the XenServer server and reconnect as one of the AD users.
To do this, right-click the XenServer server and click "Reconnect As".

Enter the username and password of the first user.

As you can see, XenServer has assigned the "Pool Operator" role to this user.
This user has no directly assigned role in XenServer, but since they are a member of the "XenServer-Pool-Operators" group, they inherit the "Pool Operator" role.

Since this user does not have the right to access the XenServer server's console, XenCenter blocks that access.

Likewise, since the "Pool Operator" role does not allow changing XenServer user rights, XenCenter prompts for the credentials of an account authorized to perform this action.

If a user tries to do something they are not allowed to do, XenCenter refuses the action and requests the credentials of an account that has at least the required role.
In this case: Pool Admin.

In addition, an alert will appear in the server history.
Note: some roles allow these alerts to be dismissed and others do not.

8.2. User2: VM Operator

Log in with the second user.

Since this user has no directly assigned role on the XenServer but is a member of the "XenServer-VM-Operators" group, XenServer assigns them the "VM Operator" role.

8.3. User3: Read Only (promoted to: VM Operator)

Log in with the third user.

For this user, the choice of role is slightly different.
The user "User3" has the "Read Only" role directly, but since this user is also in the "XenServer-VM-Operators" group, XenServer has to choose between the 2 roles available for this user: Read Only or VM Operator.

As you can see in the "Console" tab of the XenServer server, XenCenter displays the 2 roles "associated" with this user.
As stated in the official XenServer documentation, XenServer chooses the highest role (i.e. VM Operator).
Note that the user's effective role is always indicated at the top right: Logged in as: User3 (VM Operator).
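The role resolution described in sections 7 and 8.3 (a user's direct role plus the roles of their AD groups, with the most privileged one winning) is worth modelling explicitly, because it is the behaviour that makes a "Read Only" user end up as a VM Operator. The following Python is an added example and is not code from the tutorial or from Citrix: it reproduces the tutorial's sample users and groups as constructed data, orders the six standard XenServer RBAC roles from least to most privileged (the four roles not named in this tutorial, VM Admin and VM Power Admin among them, are assumed from the standard XenServer role set), and includes a small audit that flags users whose group membership raises them above their directly assigned role.

```python
# Added example (not from the tutorial): models how XenServer resolves a
# subject's effective RBAC role from the user's direct role and the roles of
# the AD groups the user belongs to, then audits the result.

# Standard XenServer RBAC roles, ordered from least to most privileged.
# The ordering is assumed from XenServer's standard role set; the tutorial
# itself only names Read Only, VM Operator, Pool Operator and Pool Admin.
ROLE_ORDER = [
    "Read Only",
    "VM Operator",
    "VM Admin",
    "VM Power Admin",
    "Pool Operator",
    "Pool Admin",
]
RANK = {role: i for i, role in enumerate(ROLE_ORDER)}

# Constructed sample data mirroring the tutorial's setup (section 7).
# Each subject maps to the role assigned directly to it in XenCenter, or
# None when no role was assigned (as for User1 and User2 in the tutorial).
SUBJECT_ROLES = {
    "INFORMATIWEB\\User1": None,
    "INFORMATIWEB\\User2": None,
    "INFORMATIWEB\\User3": "Read Only",
    "INFORMATIWEB\\xenserver-pool-operators": "Pool Operator",
    "INFORMATIWEB\\xenserver-vm-operators": "VM Operator",
}

# Constructed AD group membership: which groups each user belongs to.
GROUP_MEMBERSHIP = {
    "INFORMATIWEB\\User1": ["INFORMATIWEB\\xenserver-pool-operators"],
    "INFORMATIWEB\\User2": ["INFORMATIWEB\\xenserver-vm-operators"],
    "INFORMATIWEB\\User3": ["INFORMATIWEB\\xenserver-vm-operators"],
}


def candidate_roles(user, subject_roles=SUBJECT_ROLES, membership=GROUP_MEMBERSHIP):
    """Every role that applies to the user: its own direct role plus the role
    granted to each AD group it belongs to (subjects without a role are skipped)."""
    roles = [subject_roles.get(user)]
    for group in membership.get(user, []):
        roles.append(subject_roles.get(group))
    return [r for r in roles if r is not None]


def effective_role(user, subject_roles=SUBJECT_ROLES, membership=GROUP_MEMBERSHIP):
    """The highest-privilege role among the user's direct role and its groups'
    roles (section 8.3), or None when no role applies at all."""
    roles = candidate_roles(user, subject_roles, membership)
    if not roles:
        return None
    return max(roles, key=lambda r: RANK[r])


def is_allowed(user, required_role, subject_roles=SUBJECT_ROLES, membership=GROUP_MEMBERSHIP):
    """True when the user's effective role is at least `required_role`; this is
    the check behind XenCenter's prompt for a higher-privileged account (8.1)."""
    role = effective_role(user, subject_roles, membership)
    return role is not None and RANK[role] >= RANK[required_role]


def audit_report(subject_roles=SUBJECT_ROLES, membership=GROUP_MEMBERSHIP):
    """Defender-side review: for every user, report the effective role and flag
    cases where group membership raises the user above the role shown against
    their name in XenCenter's Users tab."""
    report = {}
    for user in membership:
        direct = subject_roles.get(user)
        eff = effective_role(user, subject_roles, membership)
        raised = direct is not None and eff is not None and RANK[eff] > RANK[direct]
        report[user] = {"direct": direct, "effective": eff, "raised_by_group": raised}
    return report


if __name__ == "__main__":
    for user, row in audit_report().items():
        flag = "  <- raised by group membership" if row["raised_by_group"] else ""
        print(f"{user}: direct={row['direct']} effective={row['effective']}{flag}")
```

Running the block prints one line per user; User3 is the only one flagged, since their direct "Read Only" role is overridden by the group's "VM Operator" role, exactly what section 8.3 observes. When reviewing a real pool, feed the same structure with the subject and role list exported from XenCenter and the group membership from Active Directory.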