- How to use VMware vSAN ReadyNode Configurator - Fri, Dec 17 2021
- VMware Tanzu Kubernetes Toolkit version 1.3 new features - Fri, Dec 10 2021
- Disaster recovery strategies for vCenter Server appliance VM - Fri, Nov 26 2021
Adding and removing vCenter identity sources, or setting up the default one, is done through the vSphere web client by connecting to vCenter Server. SSO can have several domains attached to identity sources, depending on the one set as the default.
All the data about groups and users are stored either locally in the SSO database or retrieved and searched through Microsoft Active Directory (AD)/Open LDAP systems, if those are configured.
Note: There is only one default domain at any given time. You cannot have two default domains at the same time.
Think of the identity provider as a service that manages identity sources and authenticates users. Examples of an identity provider include Microsoft AD Federation Services (ADFS) or vCenter SSO.
Which type of identity sources are supported in vCenter Server 7?
- Microsoft AD over LDAP—SSO supports multiple AD over LDAP identity sources
- AD over LDAPS—secure connection by using SSL to the LDAP (LDAP secure)
- Microsoft IWA (Integrated Windows Authentication) – You're allowed to specify a single AD as an identity source. This option allows users to log in to the vCenter Server using your AD accounts.
- Open LDAP—vCenter SSO supports Open LDAP 2.4 and later; multiple Open LDAP identity sources are supported.
The different options are available through the options in the Administration section > SSO config. This section offers different identity provider options.
How to set up a default identity source via vSphere client
Connect to the vCenter Server with the default administrator@vsphere.local login and password. This is the default that you created during the installation process. (Note: if you created a different domain during the installation, connect via administrator@yourdomain.)
Go to Home > Administration > Single Sign-On > Configuration > Identity Provider tab.
How to set up default identity source
When you click the button, an overlay window opens where you'll be asked whether you want to proceed.
Set default identity source validation
You have the details about the domain, alias, type, server URL, or name. After selecting one of the connections via the radio button, you can edit, set as default, or remove the connection.
Outside the Identity Provider tab, there is also a Local Accounts tab where you can specify and change password policy or account lockout policy. These policies are for the local SSO accounts only.
How about the near future with Microsoft AD security changes?
The Integrated Windows Authentication option is used by many admins, as this is the easiest way of integrating with existing Microsoft AD environments. However, Microsoft plans to change the default behavior of AD to require strong authentication and encryption.
After the changes, the Integrated Windows Authentication won't work as expected. You won't be able to search for users and groups to SSO, and there are some other incompatibilities.
While Integrated Windows Authentication works for now, Microsoft plans to secure AD further. This will affect VMware configurations, as there will be a hard requirement to use strong authentication and encryption. If you are using unencrypted LDAP (ldap://, not ldaps://), you’ll need to implement a couple of changes. You'll need to plan and enable LDAPS or use identity federation.
VMware is sending a message here—Integrated Windows Authentication (IWA) is deprecated in vSphere 7. It is still supported but deprecated. Microsoft AD over LDAPS and Identity Federation are the two primary recommendations for connecting vSphere to Active Directory.
Note that if you've added your vCenter Server to your Microsoft AD domain, you're not affected by this upcoming change. You're only affected when using LDAP without adding the vCenter Server to AD.
As you can see, we have already joined our vCenter Server to Microsoft AD, so we should be fine.
Our vCenter Server is joined to AD 1
How do I move from LDAP to LDAPS?
If for some reason you operate on a vCenter Server system that is not joined to AD, the move from LDAP to LDAPS needs a complementary configuration and setup on your DC, as you'll need to install enterprise CA and deal with certificates. I invite you to go through this video from VMware if you need to do so.
Using scripts to manage authentication services
vCenter Server Appliance (VCSA) has a built-in command called sso-config for managing configuration services. You can have a look at different options by running sso-config -help.
There is another one, service-control, that allows you to start, stop, and list services. Use service-control --list-services to show all services and their state.
Use service-control --help for further details.
Final words
VMware vCenter and SSO are crucial parts of vCenter Server administration. Without setting up with Microsoft AD environments properly, you can still leverage the separate vSphere.local domain. In many cases, it is the ideal scenario, as many environments run vSphere as a separate entity. When this is the case, remember to check the local SSO password policies and maximum lifetime or complexity restrictions to use for those local passwords.
vSphere environments can integrate different identity sources, but only one can be set by default. Remember that choosing the right identity source is one of the core decisions when planning for a new virtualization project.
There is another possibility for authenticating users via smart cards. Configuring smart card authentication requires setting up a reverse proxy first and then enabling and configuring the smart card authentication itself. You can find further details in VMware's documentation.
Subscribe to 4sysops newsletter!
This post is part of the Free VCP7-DCV 2020 community study guide allowing VMware administrators to pass the VCP-DCV 2020 certification exam based on the VMware vSphere 7 product. Have a look at other lessons from this guide on the VCP7-DCV 2020 page of the ESX Virtualization blog.
Suppose I have to enter User Name, a user in the domain and Password in order to add an AD identity source.
Will it require an account with a password that never expires?