How to set up vCenter 7 identity sources

During a vCenter Server login process, when a user logs in with just a user name, vCenter single sign-on (SSO) verifies the default identity source and determines whether the user has the right to connect. If the user tries to log in with a domain name on the login screen, vCenter Server 7 and SSO check the specific domain if the domain has been added as an identity source.

Author
Recent Posts

Vladan Seget

Vladan Seget is an independent consultant, professional blogger, vExpert 2009-2021, VCAP-DCA/DCD and MCSA. He has been working for over 20 years as a system engineer.

Which type of identity sources are supported in vCenter Server 7?

Microsoft AD over LDAP—SSO supports multiple AD over LDAP identity sources
AD over LDAPS—secure connection by using SSL to the LDAP (LDAP secure)
Microsoft IWA (Integrated Windows Authentication) – You're allowed to specify a single AD as an identity source. This option allows users to log in to the vCenter Server using your AD accounts.
Open LDAP—vCenter SSO supports Open LDAP 2.4 and later; multiple Open LDAP identity sources are supported.

The different options are available through the options in the Administration section > SSO config. This section offers different identity provider options.

How to set up a default identity source via vSphere client

Connect to the vCenter Server with the default administrator@vsphere.local login and password. This is the default that you created during the installation process. (Note: if you created a different domain during the installation, connect via administrator@yourdomain.)

Go to Home > Administration > Single Sign-On > Configuration > Identity Provider tab.

How to set up default identity source

When you click the button, an overlay window opens where you'll be asked whether you want to proceed.

Set default identity source validation

You have the details about the domain, alias, type, server URL, or name. After selecting one of the connections via the radio button, you can edit, set as default, or remove the connection.

Outside the Identity Provider tab, there is also a Local Accounts tab where you can specify and change password policy or account lockout policy. These policies are for the local SSO accounts only.

How about the near future with Microsoft AD security changes?

The Integrated Windows Authentication option is used by many admins, as this is the easiest way of integrating with existing Microsoft AD environments. However, Microsoft plans to change the default behavior of AD to require strong authentication and encryption.

After the changes, the Integrated Windows Authentication won't work as expected. You won't be able to search for users and groups to SSO, and there are some other incompatibilities.

While Integrated Windows Authentication works for now, Microsoft plans to secure AD further. This will affect VMware configurations, as there will be a hard requirement to use strong authentication and encryption. If you are using unencrypted LDAP (ldap://, not ldaps://), you’ll need to implement a couple of changes. You'll need to plan and enable LDAPS or use identity federation.

VMware is sending a message here—Integrated Windows Authentication (IWA) is deprecated in vSphere 7. It is still supported but deprecated. Microsoft AD over LDAPS and Identity Federation are the two primary recommendations for connecting vSphere to Active Directory.

Note that if you've added your vCenter Server to your Microsoft AD domain, you're not affected by this upcoming change. You're only affected when using LDAP without adding the vCenter Server to AD.

As you can see, we have already joined our vCenter Server to Microsoft AD, so we should be fine.

Our vCenter Server is joined to AD 1

How do I move from LDAP to LDAPS?

If for some reason you operate on a vCenter Server system that is not joined to AD, the move from LDAP to LDAPS needs a complementary configuration and setup on your DC, as you'll need to install enterprise CA and deal with certificates. I invite you to go through this video from VMware if you need to do so.

Using scripts to manage authentication services

vCenter Server Appliance (VCSA) has a built-in command called sso-config for managing configuration services. You can have a look at different options by running sso-config -help.

There is another one, service-control, that allows you to start, stop, and list services. Use service-control --list-services to show all services and their state.

Use service-control --help for further details.

Final words

VMware vCenter and SSO are crucial parts of vCenter Server administration. Without setting up with Microsoft AD environments properly, you can still leverage the separate vSphere.local domain. In many cases, it is the ideal scenario, as many environments run vSphere as a separate entity. When this is the case, remember to check the local SSO password policies and maximum lifetime or complexity restrictions to use for those local passwords.

vSphere environments can integrate different identity sources, but only one can be set by default. Remember that choosing the right identity source is one of the core decisions when planning for a new virtualization project.

There is another possibility for authenticating users via smart cards. Configuring smart card authentication requires setting up a reverse proxy first and then enabling and configuring the smart card authentication itself. You can find further details in VMware's documentation.

Subscribe to 4sysops newsletter!

This post is part of the Free VCP7-DCV 2020 community study guide allowing VMware administrators to pass the VCP-DCV 2020 certification exam based on the VMware vSphere 7 product. Have a look at other lessons from this guide on the VCP7-DCV 2020 page of the ESX Virtualization blog.

Want to write for 4sysops? We are looking for new authors.

4sysops members can earn and read without ads!