vCenter offers several ways to authenticate users, including local OS authentication, SSO provided by the PSC, and Active Directory authentication. Today we will configure AD authentication and assign a global permission to a user group from AD.
The initial configuration differs slightly between the vCenter Windows instance and the appliance version. I will only illustrate the steps required to configure the VCSA, as the Windows edition is set to be phased out after the current (v.6.7) version.
First, log in to the vCenter Client (HTML5) and navigate to Administration from the menu.
Then select Configuration under Single Sign On, and select Active Directory Domain from the tabs. Then click Join AD.
Provide the required details and click Join.
If the node successfully joins the Active Directory domain, you will receive a message. Reboot the vCenter node to complete the configuration.
If you log in to the Active Directory domain controller, you can verify the configuration: a machine account will have been created under Computers within the specified domain.
For the next step, log back in to vCenter after the reboot completes and again navigate to Administration -> Single Sign On -> Configuration.
Select Identity Sources from the tab menu and click Add Identity Source.
Select “Active Directory (Windows Integrated Authentication)” as the source type, select “Use Machine Account”, and then click Add to continue.
The new identity source should now be listed. You have now configured AD authentication for vCenter.
Finally, we will grant permission to a user group from AD.
Navigate to Global Permissions under Administration and click the + sign at the top.
Then, under User, select the AD domain from the drop-down and search for the required group. Select the group name from the list, and select the required role for the group from the menu under Role.
Finally, if you want this permission to propagate to child objects, tick the “Propagate to children” checkbox.
After everything is complete, click OK to apply the changes.
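The two AD-side checks from the steps above can also be run from PowerShell on a domain-joined admin host: confirming the machine account created by the join, and listing every user who will actually receive the vCenter role through the group, including members of nested groups. This is an added example, not part of the original walkthrough; it assumes the ActiveDirectory (RSAT) module is installed, and the names VCSA01 and vCenter-Admins and the 90-day threshold are placeholders chosen for illustration.

```powershell
# Added example: the names and threshold below are placeholders, not values from the article.
Import-Module ActiveDirectory

$VcsaName  = 'VCSA01'           # hypothetical machine account name of the appliance
$GroupName = 'vCenter-Admins'   # hypothetical AD group that will get the global permission
$StaleDays = 90                 # review threshold assumed for this example

# 1. Confirm the domain join created an enabled machine account, and see which
#    container/OU it landed in.
Get-ADComputer -Identity $VcsaName -Properties whenCreated |
    Select-Object Name, DistinguishedName, Enabled, whenCreated

# 2. Expand nested groups. Every user returned here inherits the role assigned to
#    the group in vCenter, not only the direct members.
$members = Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties LastLogonDate, PasswordLastSet

$members | Sort-Object SamAccountName |
    Select-Object SamAccountName, Enabled, LastLogonDate, PasswordLastSet |
    Format-Table -AutoSize

# 3. List accounts worth reviewing before the permission is applied: disabled
#    accounts, and accounts with no recent logon. An account that has never
#    logged on has an empty LastLogonDate and is listed as well.
$cutoff = (Get-Date).AddDays(-$StaleDays)
$members |
    Where-Object { -not $_.Enabled -or $_.LastLogonDate -lt $cutoff } |
    Select-Object SamAccountName, Enabled, LastLogonDate
```

Running it again after any change to the group's membership shows who gained or lost access to vCenter, since the permission follows the group rather than individual accounts.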