By default, you can connect to the vSphere Client using a local account (localos) or from an account in the SSO domain "vsphere.local" created during the deployment of VMware vCenter Server (or VCSA).
To avoid multiplying the places where you will have to manage different user accounts, you can use the user accounts present on your Active Directory infrastructure by adding your Active Directory domain as an identity source.
To get started, log in as "administrator@vsphere.local" to the vSphere Client: https://vcsa.informatiweb.lan/ui/
Then, go to: Menu -> Administration.
In the left menu, go to "Single Sign-On -> Configuration".
In the "Identity Sources" tab, click "Add identity source".
By default, the selected identity source type is "Active Directory (Windows Integrated Authentication)".
However, this type of identity source requires that the vCenter Server is already linked to an Active Directory domain.
If you are on Windows, you have probably already linked it to an Active Directory domain, so you could use it without any problem by referring to step "2. Add an identity source" of our tutorial on joining VMware vCenter Server (VCSA) to an Active Directory domain.
Otherwise, select "Active Directory over LDAP".
A form will appear with many settings to configure.
To get started, you'll need the LDAP path of where you want user lookups to be performed later by your VMware vCenter Server (or VCSA).
Or in other words, you can limit the search for AD users from vCenter Server to a particular container (CN) or organizational unit (OU) or not.
In our case, we will authorize vCenter Server to search for users in the "Users" folder present by default on your Active Directory infrastructure.
If you want to know the LDAP path of a particular AD object, use the "Active Directory Users and Computers" console and enable advanced features.
Then, in the "Attribute Editor" tab of the desired container (CN) or organizational unit (OU), you will be able to find the distinguishedName (which corresponds to the LDAP path of this Active Directory object).
In our case, this LDAP path is therefore: CN=Users,DC=informatiweb,DC=lan.
For the example, we created an organizational unit "Groups" at the root of our Active Directory domain.
In our case, its LDAP path is: OU=Groups,DC=informatiweb,DC=lan.
In the large form that appeared by selecting "Identity source type: Active Directory over LDAP", specify this:
For more information on configuring these settings, refer to the "Active Directory LDAP Server and OpenLDAP Server Identity Source Settings" page of the official VMware documentation.
To learn more about the ports used by Active Directory, refer to the "How to configure a firewall for Active Directory domains and trusts" page of the official Microsoft documentation.
The new "Active Directory" identity source appears.
Currently, users in your Active Directory domain must specify their username, as well as the domain name they are a part of.
In our case, to connect with the Administrator account of our Active Directory domain, we should therefore also specify our Active Directory domain name "informatiweb.lan" when connecting to this vSphere Client.
To make this optional, simply set your Active Directory identity source as the default.
So, when a user tries to connect without specifying a domain name, vCenter Server will attempt to authenticate them using the Active Directory domain name defined here by default.
In short, select your data source "Active Directory" and click "Set as default".
Source : Set the Default Domain for vCenter Single Sign-On.
Confirm by clicking OK.
Your Active Directory identity source has been set as "default".
For the example, we have created a new user "InformatiUser" in the "Users" folder of our Active Directory domain "informatiweb.lan".
Go to: Single Sign On -> Users and Groups.
By default, the list of local vCenter Server users appears.
As you can see, these are part of the "localos" domain.
On the other hand, if you select your Active Directory domain in this "Domain" list, you will see your Active Directory users appear.
In our case, we see in particular our new Active Directory user "InformatiUser".
By default, vCenter Server offers several groups.
To see the list of these groups, go to "Single Sign On -> Users and Groups -> Groups".
In this list, you will find in particular the "Administrators" group to which all rights are granted.
This group contains the "administrator@vsphere.local" account that you are probably logged in with at the moment.
Click on the name of this group "Administrators".
Then, click: Add members.
In the "Edit Group" box that appears, select your Active Directory domain in the "Add Members" line and type the name of a user you want to add there.
In our case, the "Administrator" user account of our domain.
The desired user appears in green.
Click Save.
The desired user appears in the list of members of this "Administrators" group.
Log out of the vSphere Client to test the connection with an account in your Active Directory domain.
On the "VMware vSphere" login page that appears, log in with the Active Directory user account you just added in the "Administrators" group.
In our case, the user "Administrateur@informatiweb.lan".
Note that since we had set our "informatiweb.lan" identity source as default, we could also simply specify "Administrator" to log in with the same Active Directory account.
As expected, we are well connected to the vSphere Client with our "Administrator" user account from our "informatiweb.lan" domain.
VMware 9/2/2022
VMware 9/6/2024
VMware 6/5/2024
VMware 10/30/2024
Pinned content
Contact
® InformatiWeb-Pro.net - InformatiWeb.net 2008-2022 - © Lionel Eppe - All rights reserved.
Total or partial reproduction of this site is prohibited and constitutes an infringement punishable by articles L.335-2 and following of the intellectual property Code.
You must be logged in to post a comment