VCP6–Objective 1.3–Enable SSO & Active Directory Integration

For this objective I use the following resources:

Knowledge

Configure/Manage Active Directory Authentication

Configuration of the VMware Single Sign-On service can only be completed via the vSphere Web Client; the settings are not exposed in the vSphere "thick" (C#) client.

  • From within the vSphere Web Client Home screen, click Administration in the left hand navigation menu
  • In the left hand pane under Single Sign-On select Configuration
  • In the right hand pane select the Identity Sources tab
  • Click the Green Plus Sign to add a new identity source
  • Select the Identity Source Type and complete the remaining fields (the example below uses the Active Directory (Integrated Windows Authentication) type, which requires the machine running SSO to already be joined to the AD domain)

Identity_Source


Configure/Manage Platform Services Controller (PSC)

New to vSphere 6.0 is the Platform Services Controller (PSC), though some of the components should be familiar for those who have worked with vSphere 5.x. The PSC is comprised of the following services:

  • vCenter Single Sign-On
  • vSphere License Service
  • VMware Certificate Authority (new to vSphere 6.x)

Deploying vCenter Server with PSC is supported in one of two deployment methods and with varying topologies:

        • vCenter Server with an embedded PSC – All services bundled with the Platform Services Controller are deployed on the same virtual machine or physical server.
        • vCenter Server with an external PSC – The services bundled with the PSC and vCenter Server are deployed on different virtual machines or physical servers. You first must deploy the PSC on one virtual machine or physical server and then deploy vCenter Server on another virtual machine or physical server.

NOTE – You cannot switch the models after deployment, which means that after you deploy vCenter Server with an embedded Platform Services Controller, you cannot switch to vCenter Server with an external Platform Services Controller, and the reverse.

Advantages of installing vCenter Server with an embedded PSC:

  • The connection between vCenter Server and the Platform Services Controller is not over the network, and vCenter Server is not prone to outages because of connectivity and name resolution issues between vCenter Server and the Platform Services Controller.
  • If you install vCenter Server on Windows virtual machines or physical servers, you will need fewer Windows licenses.
  • You will have to manage fewer virtual machines or physical servers.
  • You do not need a load balancer to distribute the load across Platform Services Controller.

Disadvantages of installing vCenter Server with an embedded PSC:

  • There is a Platform Services Controller for each product which might be more than required. This consumes more resources.
  • The model is suitable only for small-scale environments.

Advantages of installing vCenter Server with an external PSC:

  • Fewer resources are consumed by the combined services in the Platform Services Controllers, which gives a reduced footprint and less maintenance.
  • Your environment can consist of more vCenter Server instances.

Disadvantages of installing vCenter Server with an external PSC:

  • The connection between vCenter Server and Platform Services Controller is over the network and is prone to connectivity and name resolution issues.
  • If you install vCenter Server on Windows virtual machines or physical servers, you need more Microsoft Windows licenses.
  • You must manage more virtual machines or physical servers.

For additional details, FAQs, supported topologies, etc., have a look at the following VMware KB articles and blog posts:

Configure/Manage VMware Certificate Authority (VMCA)

In vSphere 6 and moving forward the VMware Certificate Authority (VMCA) provisions each new ESXi host with a signed certificate, using the VMCA as the root authority. If you are upgrading your environment from a previous version (vSphere 5.5 or older) the upgrade process will replace the default self-signed certificates with VMCA-signed certificates (if you are using custom third-party certificates, those certificates will be maintained).

There are three certificate modes supported in vSphere 6.x:

  • VMCA – By default, the VMware Certificate Authority is used as the CA for ESXi host certificates. VMCA is the root CA by default, but it can be set up as an intermediate (subordinate) CA of an existing enterprise CA; this mode is used in both cases. In this mode, users can manage certificates from the vSphere Web Client.
  • Custom Certificate Authority – Some customers might prefer to manage their own external certificate authority. In this mode, customers are responsible for managing the certificates and cannot manage them from the vSphere Web Client.
  • Thumbprint Mode –  vSphere 5.5 used thumbprint mode, and this mode is still available as a fallback option for vSphere 6.0. Do not use this mode unless you encounter problems with one of the other two modes that you cannot resolve. Some vCenter 6.0 and later services might not work correctly in thumbprint mode.

If you want to change the Certificate Mode from the default VMCA mode to either Custom or Thumbprint, complete the following:

    • From within the vSphere Web Client Home screen, click Hosts and Clusters in the right hand pane
    • In the left hand pane select the vCenter Server at the root of the tree
    • In the right hand pane select the Manage tab and select Settings
    • Under Settings select Advanced Settings click Edit
    • In the Filter box type in certmgmt to display only certificate management keys
    • Scroll down until you see the setting vpxd.certmgmt.mode; here you can change the value from the default of vmca to custom or thumbprint
    • Click OK after changing the key value
    • Restart the vCenter Server Service for the changes to be applied

Advanced_Server_Settings
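Before flipping vpxd.certmgmt.mode it is worth knowing what is actually on the hosts. The PowerCLI script below is an added example (it is not part of the original post): it reads the current mode, pulls every ESXi host's certificate through the vSphere API and reports the issuer, expiry and whether the certificate is self-signed, then shows the same mode change the Web Client steps perform. The vCenter name vcenter.lab.local is a hypothetical placeholder; the script assumes PowerCLI is installed and you have an account with Administrator rights.

```powershell
# Added example, not from the original post. Assumes PowerCLI and a vCenter
# reachable as 'vcenter.lab.local' (hypothetical name) with an Administrator account.
Connect-VIServer -Server vcenter.lab.local -User 'administrator@vsphere.local'

# 1. Read the current certificate mode: vmca (default) | custom | thumbprint.
$modeSetting = Get-AdvancedSetting -Entity $global:DefaultVIServer -Name 'vpxd.certmgmt.mode'
"vpxd.certmgmt.mode = $($modeSetting.Value)"

# 2. Inspect each host's certificate. HostConfigInfo.certificate (vSphere API 6.0+)
#    returns the host cert as PEM text in a byte array; strip the PEM armour and
#    hand the DER bytes to X509Certificate2.
$report = foreach ($vmhost in Get-VMHost) {
    $pemBytes = $vmhost.ExtensionData.Config.Certificate
    if (-not $pemBytes) { continue }                      # disconnected host, nothing to inspect
    $b64 = [System.Text.Encoding]::ASCII.GetString($pemBytes) -replace '-----(BEGIN|END) CERTIFICATE-----', '' -replace '\s', ''
    $der = [Convert]::FromBase64String($b64)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$der)
    [pscustomobject]@{
        Host       = $vmhost.Name
        Issuer     = $cert.Issuer
        NotAfter   = $cert.NotAfter
        SelfSigned = ($cert.Subject -eq $cert.Issuer)     # typical of a 5.5 host still on its original cert
        Thumbprint = $cert.Thumbprint
    }
}
$report | Sort-Object NotAfter | Format-Table -AutoSize

# 3. Anything self-signed, or expiring within 60 days, needs attention before
#    (or as part of) a mode change.
$report | Where-Object { $_.SelfSigned -or $_.NotAfter -lt (Get-Date).AddDays(60) }

# 4. Change the mode. Set-AdvancedSetting only writes the key; the vCenter Server
#    (vpxd) service must still be restarted, exactly as with the Web Client steps.
# $modeSetting | Set-AdvancedSetting -Value 'custom' -Confirm:$false
```

Step 4 is left commented out on purpose: in custom mode vCenter stops pushing VMCA certificates to hosts, so run it only once the third-party certificates are ready to be installed on every host the report lists.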

Enable/Disable Single Sign-On (SSO) Users

Remember, anything having to do with configuring Single Sign-On (SSO) you will need to use the vSphere Web Client to complete the work.

Add a SSO User

  • Log into the vSphere Web Client with administrative privileges (either administrator@vsphere.local or a user account with SSO administrative rights)
  • From the Home screen in the vSphere Web Client, select Administration in the left hand navigation
  • Expand Single Sign-On and select Users and Groups
  • In the right hand navigation pane select the Users tab
  • Click the Green Plus Sign to add a new user
  • Provide the User Name and Password
  • (Optional) Provide First name, Last name, email address, and Description
  • Click OK to complete

New_User_SSO

With the user account created we will need to add it to an SSO group:

  • Log into the vSphere Web Client with administrative privileges (either administrator@vsphere.local or a user account with SSO administrative rights)
  • From the Home screen in the vSphere Web Client, select Administration in the left hand navigation
  • Expand Single Sign-On and select Users and Groups
  • In the right hand navigation pane select the Groups tab
  • Select a Group from the list and click the Add Member icon
  • The Add Principals dialog will be displayed; from the Domain drop-down menu select vsphere.local
  • In the Users and Groups list search for the newly created account
  • Highlight the account and click Add followed by OK to complete

Add_User_SSO
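Adding an identity source or an SSO group gives nobody any rights on its own; rights come from the permissions you assign to those principals. The PowerCLI script below is an added example (not part of the original post) covering both the Active Directory identity source added at the top of this objective and the SSO group above: it grants a role at the root of the inventory to an AD group and to a local SSO group, then audits every Administrator grant and flags any made directly to a user rather than a group. The names vcenter.lab.local, CORP, vSphere-Admins, HelpDesk and jdoe are all hypothetical.

```powershell
# Added example, not from the original post. Assumes PowerCLI, a vCenter reachable
# as 'vcenter.lab.local', an AD domain 'CORP' already configured as an identity
# source, and the group/user names below (all hypothetical).
Connect-VIServer -Server vcenter.lab.local -User 'administrator@vsphere.local'

$root = Get-Folder -NoRecursion            # the root folder, i.e. the top of the inventory tree

# 1. Grant the AD admins group the Administrator role at the root, propagating down.
#    Principals from an AD identity source are written as DOMAIN\group.
New-VIPermission -Entity $root -Principal 'CORP\vSphere-Admins' -Role Admin -Propagate:$true

# 2. Give the local SSO group created in the Web Client only Read-only at the root.
#    Principals from the local SSO domain are written as VSPHERE.LOCAL\group.
New-VIPermission -Entity $root -Principal 'VSPHERE.LOCAL\HelpDesk' -Role ReadOnly -Propagate:$true

# 3. Audit: list every Administrator grant and where it applies.
Get-VIPermission |
    Where-Object { $_.Role -eq 'Admin' } |
    Select-Object Principal, IsGroup, Propagate, @{ n = 'Entity'; e = { $_.Entity.Name } } |
    Format-Table -AutoSize

# 4. Flag Administrator grants made to individual accounts instead of groups;
#    these are the ones that outlive the person (or the disabled SSO account).
$directUserGrants = Get-VIPermission | Where-Object { (-not $_.IsGroup) -and $_.Role -eq 'Admin' }
if ($directUserGrants) {
    Write-Warning "Administrator granted directly to users: $($directUserGrants.Principal -join ', ')"
}

# 5. Prove the AD path works end to end: log in again as an AD user.
#    Connect-VIServer prompts for the password when none is supplied.
Disconnect-VIServer -Server vcenter.lab.local -Confirm:$false
Connect-VIServer -Server vcenter.lab.local -User 'CORP\jdoe'
```

The role names Admin and ReadOnly are the internal names of the built-in Administrator and Read-only roles as returned by Get-VIRole. Step 5 is the real test of the identity source: if SSO cannot resolve CORP, the login fails here regardless of what the permissions table shows.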

To disable an SSO user account:
  • Log into the vSphere Web Client with administrative privileges (either administrator@vsphere.local or a user account with SSO administrative rights)
  • From the Home screen in the vSphere Web Client, select Administration in the left hand navigation
  • Expand Single Sign-On and select Users and Groups
  • In the right hand navigation pane select the Users tab
  • Select the user you wish to Disable from the list
  • Click the Disable User icon (red circle with a slash) to disable the account

Disable_User_SSO


Identify Available Authentication Methods with VMware vCenter

This seems a bit repetitive, as we covered adding Active Directory as an identity source earlier in this objective. The process is the same as above, but you can choose any of the supported identity source types:

  • Active Directory (Integrated Windows Authentication)
  • Active Directory as an LDAP Server
  • OpenLDAP
  • Local OS

Add_Identity_Source

For completeness, below are the steps to access the Add Identity Source dialog:

  • From within the vSphere Web Client Home screen, click Administration in the left hand navigation menu
  • In the left hand pane under Single Sign-On select Configuration
  • In the right hand pane select the Identity Sources tab
  • Click the Green Plus Sign to add a new identity source
  • Select the Identity Source Type and complete the remaining fields.

Happy Studying,

-Jason