We got our lab working using this article, but we need to connect it to Active Directory to make it more useful. So let's get started.
The process is similar to what we did in the past, when we used the VCSA VAMI UI to join a domain and then used the vSphere Web Client to create an Identity Source. It looks different now because we don’t have a VAMI UI, but just follow along and it will work.
Joining a domain
- We start at the Home Location and select System Configuration.
- Next we select Nodes, followed by selecting our PSC machine, and then changing to the Manage tab.
- Now we can use the Join button, as seen above on the far right, to join the Active Directory domain.
- Several things to note here. First, the OU is optional, as seen above. Second, make sure NOT to use domain\username but rather username@domain, as seen above. And third, I used a non-admin account for this. It only needs the ability to join a domain.
- Now, make sure you restart your PSC VM, and wait for it to come back. Make sure you see your domain name in the window before proceeding.
If you have multiple PSC appliances, it is recommended to join each one to the AD domain.
Creating an Identity Source
- We will start at the Home location and select Administration.
- Once in the Administration area we need to select Configuration followed by Identity Sources as seen below.
- The next thing is to actually create an Identity Source. So we use the green + sign as seen above as number 3.
- We want to use the Active Directory (Integrated Windows Authentication) option and to Use machine account. This is easy for us as there is no account information to manage, and you can use this option with modern Active Directory with no issues. It is a best practice to use this option if possible.
- You should now see your domain name listed in the Identity Sources. Select it and use the world icon to make it the default domain.
- With your domain as the default the screen will change a little.
- We can see (default) beside our domain name in the Domain column.
- We are not yet ready to test! After all, there are no users that have access other than the administrator account we are using.
Providing Users with Access
We need to do a few things before we test this out.
- We start on Home.
- Select Hosts and Clusters.
- Your vCenter is likely selected now. Right-click on it.
- Now select Add Permission and you will see what you have likely seen before!
- This screen has not changed much through the ages. Use the Add button in the bottom left to pick the user or group from your AD, and then pick the role on the right. I do suggest using groups where possible, and using already created roles wherever possible.
- Note how I have a group with a role of Administrator, and that in the lower center you can see it will propagate to children. This is important, as most often you will need your rights to propagate, but you do not have to do that if it doesn’t make sense.
- BTW, once you save your permission decision, you will see the normal tabs of vCenter (Summary, Monitor, Manage and Related Objects). The reason we right-clicked and assigned permissions above is that the normal tabs are not visible until then; once you have assigned the rights, you will see more.
You have now provisioned a group of people that can use vCenter. Time to test it out.
I was able to log in using user_account@domain and as user_account. I can log in as user_account since I have set my domain – and so did you above – as default.
I hope that this is all clear and helpful. Let me know if you have questions or concerns.