Sunday, January 17, 2016

vSphere 6 - Single Sign-On with Active Directory

In my previous blog post, I explained how we can access the two vCenter management interfaces: the "WebClient" or the legacy client.

Once logged on, we can, in the Administration section, create other vCenter user accounts with various permissions.

However, many organizations will choose to manage vCenter with groups already existing in Active Directory (or another directory service). It seems more efficient, especially in the case of numerous users, to use existing accounts rather than recreating another username/password combination for all those accessing vCenter.

There is a prerequisite: we have to configure vCenter so it will allow access to Active Directory users or, better yet, to Active Directory groups mapped to the vCenter roles that the members of those groups should hold.

Such a configuration is the subject of this blog post.


First, we access the vCenter Web Client with the credentials entered during the installation process and go to the Administration section:

We want to configure Single Sign-On with Active Directory so we go to the Configuration section designated by the red arrow (below) and then click on the green plus sign:

As the name of the tab suggests, we are going to add another "Identity Source":

We could select individual users from Active Directory but it is usually more efficient to create an Active Directory group and add users designated as vSphere administrators to that group. We then add that Active Directory group to the vSphere administrators group (in vCenter).


So here, I briefly pause the action on the vCenter side and go to Active Directory where I will create a group for vSphere administrators and add a user to that group:

Note: please consult other sources if you need step-by-step directions for creating Active Directory users and groups.


Now I return to vCenter where I enter the following information. You would enter values appropriate for your organization:

Some comments:
  • I select the option "Active Directory as an LDAP Server". You could consider Integrated Windows Authentication also.
  • Some settings are optional (those left blank).
  • I created an Active Directory service account named "vcenter" that vCenter will use to bind to Active Directory and, in particular, to perform LDAP queries (looking up users and group memberships).
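The Active Directory side of the procedure (the vSphere_Admins group, the vadmin member and the vcenter bind account) done in PowerShell with the RSAT ActiveDirectory module, followed by a manual check of what the "Test Connection" button exercises. This is an added example, not part of the original post: the domain myvmlab.lan and the names vSphere_Admins, vadmin and vcenter come from the post, while the domain controller name and the OU paths are assumptions to adjust for your environment.

```powershell
# Added example (not from the original post). Assumes the RSAT ActiveDirectory
# module on a domain-joined admin workstation. Domain myvmlab.lan and the names
# vSphere_Admins, vadmin and vcenter come from the post; the DC name and the OU
# paths below are assumptions.
Import-Module ActiveDirectory

$Domain  = 'myvmlab.lan'
$DC      = 'dc01.myvmlab.lan'                      # assumed domain controller
$GroupOU = 'OU=Groups,DC=myvmlab,DC=lan'           # assumed OU for groups
$UserOU  = 'OU=Users,DC=myvmlab,DC=lan'            # assumed OU for people
$SvcOU   = 'OU=ServiceAccounts,DC=myvmlab,DC=lan'  # assumed OU for service accounts

# 1. Security group that will later be added to the vCenter Administrators group.
if (-not (Get-ADGroup -Filter "Name -eq 'vSphere_Admins'" -Server $DC)) {
    New-ADGroup -Name 'vSphere_Admins' -SamAccountName 'vSphere_Admins' `
        -GroupCategory Security -GroupScope Global -Path $GroupOU -Server $DC `
        -Description 'Members receive the vCenter Administrator role through SSO'
}

# 2. A human administrator account that will log on to the Web Client.
$vadminPassword = Read-Host -Prompt 'Password for vadmin' -AsSecureString
New-ADUser -Name 'vadmin' -SamAccountName 'vadmin' `
    -UserPrincipalName "vadmin@$Domain" -Path $UserOU -Server $DC `
    -AccountPassword $vadminPassword -Enabled $true
Add-ADGroupMember -Identity 'vSphere_Admins' -Members 'vadmin' -Server $DC

# 3. The bind account vCenter uses for its LDAP queries. It only needs to read
#    the directory, which any authenticated domain user can do by default, so it
#    is deliberately NOT placed in any privileged group. Its password is set not
#    to expire (an expired password silently breaks the identity source) and the
#    account itself cannot change it.
$svcPassword = Read-Host -Prompt 'Password for the vcenter service account' -AsSecureString
New-ADUser -Name 'vcenter' -SamAccountName 'vcenter' `
    -UserPrincipalName "vcenter@$Domain" -Path $SvcOU -Server $DC `
    -AccountPassword $svcPassword -Enabled $true `
    -PasswordNeverExpires $true -CannotChangePassword $true `
    -Description 'vCenter SSO identity source bind account (read-only LDAP)'

# 4. Manual equivalent of vCenter's "Test Connection": bind as the service
#    account and read the group's membership. If this fails, the identity source
#    will fail as well, and the error reported here is usually more descriptive.
$svcCred = New-Object System.Management.Automation.PSCredential -ArgumentList "vcenter@$Domain", $svcPassword
Get-ADGroupMember -Identity 'vSphere_Admins' -Server $DC -Credential $svcCred |
    Select-Object SamAccountName, objectClass
```

Run it once from an account allowed to create objects in the chosen OUs; step 4 can be re-run on its own whenever the identity source starts failing, to separate a password or lockout problem on the bind account from a vCenter-side misconfiguration. When you fill in the identity source form, prefer an ldaps:// server URL (with the domain controller's certificate) over ldap:// so that the bind account's password does not cross the network in clear text.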

I then click on "Test Connection". If everything is properly configured, we should see this:

Optionally, we can make myvmlab.lan (adjust accordingly for your domain) the default identity source (or default domain), so that its users can log on without prefixing their username with the domain name:

Now that we can access Active Directory, we will add the vSphere_Admins Active Directory group to the vCenter Administrators group shown below. We go to the "Users and Groups" section of the Administration area, select "Administrators" and then click on the add group members icon (blue arrow):

We then select the domain from which we want to add users (blue arrow below), opt to show groups first and then select (in my example) vSphere_Admins. Lastly, we click on the Add button (red arrow):

Now the vSphere_Admins Active Directory group (and indirectly, any members) is part of the vCenter Administrators group:

If we consult the Roles section, we can observe that the vCenter Administrators group (of which vSphere_Admins is now a member) holds the Administrator role, which grants full control over the vSphere environment:

When we log on again, we can now do so as (in my case) "vadmin", who is a member of the vSphere_Admins group:

We can verify that we are connected with our Active Directory credentials by observing the user indicated in the upper right-hand corner of the Web Client interface:
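The same verification from PowerCLI, plus a small audit of who holds the Administrator role at the root of the inventory. This is an added example, not part of the original post: vadmin, vSphere_Admins and the MYVMLAB domain come from the post, while the vCenter address vcsa.myvmlab.lan is an assumption.

```powershell
# Added example (not from the original post). Requires VMware PowerCLI. The
# vCenter address is an assumption; the account and group names come from the post.
Import-Module VMware.VimAutomation.Core

$VCenter = 'vcsa.myvmlab.lan'   # assumed vCenter Server address

# 1. Log on with the Active Directory account, exactly as in the Web Client.
$cred = Get-Credential -UserName 'MYVMLAB\vadmin' -Message 'AD credentials for vCenter'
$vi = Connect-VIServer -Server $VCenter -Credential $cred

# The User property is the name the Web Client shows in the upper right-hand corner.
"Connected to {0} as {1}" -f $vi.Name, $vi.User

# 2. Who holds the Administrator role at the root of the inventory?
#    vSphere_Admins does not appear here on its own: it is a member of the SSO
#    group VSPHERE.LOCAL\Administrators, and that group is the principal carrying
#    the role. The AD group's membership therefore needs reviewing as well.
$root = Get-Folder -NoRecursion
$adminPerms = Get-VIPermission -Entity $root | Where-Object { $_.Role -eq 'Administrator' }
$adminPerms | Select-Object Principal, IsGroup, Propagate | Format-Table -AutoSize

# 3. Drift check: any principal holding Administrator on the root that is not on
#    the expected list deserves a look (direct grants to individual users are the
#    usual way full control quietly accumulates over time).
$expectedAdmins = @('VSPHERE.LOCAL\Administrators')   # adjust after your own review
$unexpected = $adminPerms | Where-Object { $expectedAdmins -notcontains $_.Principal }
if ($unexpected) {
    Write-Warning ('Unexpected Administrator grants on root: ' + ($unexpected.Principal -join ', '))
}

# 4. What "full control" means in numbers: every privilege in the Administrator role.
$role = Get-VIRole -Name Administrator
"Administrator role grants {0} privileges" -f $role.PrivilegeList.Count

Disconnect-VIServer -Server $vi -Confirm:$false
```

Step 3 is worth scheduling: the group-based setup described in this post only stays tidy if nobody later adds per-user Administrator permissions beside it, and the membership of vSphere_Admins in Active Directory is now the effective list of people with full control of vCenter.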
