Wednesday, February 20, 2013

Adding Active Directory as an Identity Source for Single Sign On

When you first deploy the vCenter Server Appliance (vCSA), Single Sign On (SSO) does not use Active Directory as an Identity Source.  The SSO service and the vSphere Web Client are configured and integrated as part of the deployment of the vCSA but the default Identity Source is the local OS accounts.

You can update the Identity Source to point to your Active Directory for authentication.  You will first need to log in to the vSphere Web Client using the vCSA root account, which is an SSO administrator by default.  To log in, follow these steps:

Log in to the vCSA using the Web Client and the root or administrative credentials. The vSphere Web Client URL is https://[vCenter Server Appliance]:9443

Navigate to the Administration tab. Click “Sign-On and Discovery”, then “Configuration”, as shown in figure 1.01.

[figure 1.01]

Under the Identity Sources tab on the right, click the “+” to add a new Identity Source.

As shown in figure 1.02: Select the Identity source type “Active Directory”

Type a Name, e.g. virtualguru.org

Provide the URL for your AD server, e.g. ldap://demoad001.virtualguru.org:3268

Provide the Distinguished Name (Base DN for users) in the format DC=virtualguru, DC=org

In Authentication Type you can select “Reuse Session”.  Reuse Session is supported for Active Directory Identity Sources and essentially takes the credentials used to log on to SSO and passes them to the AD server.

[figure 1.02]

(Note: although in the example we are using the root of the domain, you should use a group within Active Directory that includes all of your vCenter administrators and then provide the full Distinguished Name (DN) of the group. This reduces the time required to look up the accounts and provides better security by being more specific. If you are unsure of what the DN is, simply create the group and use an LDAP browser to browse to the group and read its DN, as shown in figure 1.03. A great utility is the Softerra LDAP Browser, which can be downloaded here.)
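The steps above amount to three values: the identity-source name, the LDAP URL and the Base DN. As an added example (not from the original post), the script below sanity-checks those values offline before you save them: it derives the domain-root Base DN from the name, parses the URL, and flags a domain-root Base DN as the note recommends. It reuses the post's example values (demoad001.virtualguru.org, DC=virtualguru, DC=org); the function names are my own.

```python
from urllib.parse import urlparse

# Well-known Active Directory LDAP ports: plain LDAP / LDAPS on a domain
# controller, and the Global Catalog equivalents (the post uses 3268).
AD_PORTS = {389: "LDAP", 636: "LDAPS", 3268: "Global Catalog", 3269: "Global Catalog over TLS"}


def domain_to_base_dn(dns_domain: str) -> str:
    """Map a DNS domain to its domain-root DN: virtualguru.org -> DC=virtualguru,DC=org."""
    labels = [label for label in dns_domain.strip().rstrip(".").split(".") if label]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join(f"DC={label}" for label in labels)


def parse_dn(dn: str) -> list:
    """Split a DN into (ATTR, value) pairs; tolerates spaces after the commas.

    Assumption: values contain no escaped commas (\\,), which is true for the
    DNs in this walkthrough.
    """
    pairs = []
    for rdn in dn.split(","):
        attr, sep, value = rdn.strip().partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def check_identity_source(name: str, url: str, base_dn: str) -> list:
    """Return findings for the identity-source values; an empty list means no concerns."""
    findings = []
    parsed = urlparse(url)
    if parsed.scheme not in ("ldap", "ldaps"):
        findings.append(f"unexpected scheme {parsed.scheme!r}; expected ldap:// or ldaps://")
    port = parsed.port or (636 if parsed.scheme == "ldaps" else 389)
    if port not in AD_PORTS:
        findings.append(f"port {port} is not a standard AD LDAP or Global Catalog port")
    if parsed.scheme == "ldap":
        findings.append("ldap:// carries the bind and queries unencrypted; ldaps:// (636/3269) protects them")
    rdns = parse_dn(base_dn)
    # The note's advice: a Base DN made only of DC components is the domain root.
    if all(attr == "DC" for attr, _ in rdns):
        findings.append("Base DN is the domain root; scope it to the group holding the vCenter administrators")
    # The Base DN must sit inside the domain the identity source is named after.
    domain_rdns = parse_dn(domain_to_base_dn(name))
    if rdns[-len(domain_rdns):] != domain_rdns:
        findings.append(f"Base DN does not end in the components of {name}")
    return findings
```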

[figure 1.03]
