Configure external identity source for vCenter Server

In Azure VMware Solution, vCenter Server has a built-in local user called cloudadmin that is assigned the CloudAdmin role. You can also grant the CloudAdmin role to users and groups in Active Directory (AD) for your private cloud. The CloudAdmin role is intended for creating and managing workloads in your private cloud, but in Azure VMware Solution it carries vCenter Server privileges that differ from those in other VMware cloud solutions and in on-premises deployments.

Important

The local cloudadmin user should be treated as an emergency access account for "break glass" scenarios in your private cloud. It's not for daily administrative activities or integration with other services.

  • In an on-premises vCenter Server and ESXi deployment, the administrator has access to the vCenter Server administrator@vsphere.local account and the ESXi root account, and can assign additional AD users and groups.

  • In an Azure VMware Solution deployment, the administrator doesn't have access to the administrator user account or the ESXi root account. They can, however, assign AD users and groups to the CloudAdmin role in vCenter Server. The CloudAdmin role doesn't have permission to add an identity source such as an on-premises LDAP or LDAPS server to vCenter Server. Instead, you use Run commands to add an identity source and to assign the CloudAdmin role to users and groups.

The private cloud user doesn't have access to, and can't configure, the management components that Microsoft supports and manages, such as clusters, hosts, datastores, and distributed virtual switches.

Note

In Azure VMware Solution, the vsphere.local SSO domain is provided as a managed resource to support platform operations. It doesn't support the creation and management of local groups and users except for those provided by default with your private cloud.

Note

Execute commands one at a time in the order provided.

In this article, you'll learn how to:

  • (Optional) Export the certificate for LDAPS authentication
  • (Optional) Upload the LDAPS certificate to blob storage and generate a SAS URL
  • Configure NSX-T DNS for resolution to your Active Directory Domain
  • Add Active Directory over LDAPS (LDAP over SSL/TLS) or, less securely, over plain LDAP
  • Add existing AD group to cloudadmin group
  • List all existing external identity sources integrated with vCenter Server SSO
  • Assign additional vCenter Server roles to Active Directory identities
  • Remove AD group from the cloudadmin role
  • Remove existing external identity sources

Note

The Export the certificate for LDAPS authentication and Upload the LDAPS certificate to blob storage and generate a SAS URL steps are optional. If you don't provide the SSLCertificatesSasUrl parameter, the certificate(s) are downloaded automatically from the domain controller(s) named in PrimaryUrl and SecondaryUrl. You can still provide SSLCertificatesSasUrl by following the optional steps to export and upload the certificate(s) yourself, which lets you control exactly which certificate vCenter Server trusts instead of accepting whatever the domain controller presents at configuration time.

Prerequisites

Note

Consult your security or identity management team for more information about LDAPS and certificate issuance.

(Optional) Export the certificate for LDAPS authentication

First, verify that the certificate used for LDAPS is valid. If you don't have a certificate, follow the steps to create a certificate for secure LDAP before continuing.

  1. Sign in to a domain controller with administrator permissions where LDAPS is enabled.

  2. Open the Run command, type mmc, and select OK.

  3. Select File > Add/Remove Snap-in.

  4. Choose Certificates from the list of Snap-ins and select Add>.

  5. In the Certificates snap-in window, select Computer account and then select Next.

  6. Keep Local computer... selected, select Finish, and then OK.

  7. Expand the Personal folder under the Certificates (Local Computer) management console and select the Certificates folder to view the installed certificates.

    Screenshot of the list of certificates in the management console.

  8. Double-click the certificate used for LDAPS. Confirm that today's date falls within its Valid from and Valid to dates and that the certificate has a corresponding private key.

    Screenshot of the properties of the LDAPS certificate.

  9. In the same window, select the Certification Path tab and verify that the certification path is valid: it should include the root CA certificate and any intermediate CA certificates, and the Certificate status should be OK.

    Screenshot of the certificate chain in the Certification Path tab.

  10. Close the window.

Next, export the certificate:

  1. In the Certificates console, right-click the LDAPS certificate and select All Tasks > Export. The Certificate Export Wizard appears. Select Next.
  2. In the Export Private Key section, choose No, do not export the private key and select Next.
  3. In the Export File Format section, select Base-64 encoded X.509(.CER) and select Next.
  4. In the File to Export section, select Browse..., choose a folder location to export the certificate, enter a name, and select Save.

Note

If more than one domain controller is LDAPS enabled, repeat the export procedure on each additional domain controller to export its certificate. The New-LDAPSIdentitySource Run command can reference at most two LDAPS servers (PrimaryUrl and SecondaryUrl). If the certificate is a wildcard certificate, such as *.avsdemo.net, you only need to export it from one of the domain controllers.
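The MMC procedure above inspects the certificate in the domain controller's local store. The following PowerShell is an added example (not from this article and not part of Microsoft's Run command packages) that instead checks what each domain controller actually serves on port 636, which is what vCenter Server will see: validity window, Server Authentication EKU, a name that matches the host you will put in PrimaryUrl or SecondaryUrl, and a chain that builds against the trusted roots on the machine you run it from. It then exports each distinct certificate as Base-64 .CER, so a wildcard certificate shared by both controllers is exported only once. The host names and output folder are placeholders.

```powershell
# Added example; not part of the original article or of Microsoft's Run command packages.
# Probes each LDAPS endpoint, validates the certificate the domain controller actually
# serves on 636, and exports it as Base-64 .CER (the format SSLCertificatesSasUrl expects).
# Assumptions: host names and the output folder are placeholders for your environment.

$LdapsServers = @('dc01.avslab.local', 'dc02.avslab.local')   # placeholders: PrimaryUrl/SecondaryUrl hosts
$OutDir       = Join-Path $env:TEMP 'avs-ldaps-certs'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

function Get-LdapsServerCertificate {
    param([Parameter(Mandatory)][string]$ComputerName, [int]$Port = 636)
    $tcp = [System.Net.Sockets.TcpClient]::new($ComputerName, $Port)
    try {
        # Accept any certificate during the handshake; Test-LdapsCertificate does the real checks.
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false,
                   [System.Net.Security.RemoteCertificateValidationCallback] { $true })
        $ssl.AuthenticateAsClient($ComputerName)
        # Copy the DER bytes so the certificate object outlives the closed stream.
        $der = $ssl.RemoteCertificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$der)
    }
    finally { $tcp.Close() }
}

function Test-LdapsCertificate {
    # Returns a list of problems; no output means every check passed.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$ExpectedHost)
    $problems = @()
    $now = Get-Date
    if ($now -lt $Cert.NotBefore -or $now -gt $Cert.NotAfter) {
        $problems += "outside validity period $($Cert.NotBefore.ToString('u')) to $($Cert.NotAfter.ToString('u'))"
    }
    # A DC only offers LDAPS with a certificate carrying the Server Authentication EKU (1.3.6.1.5.5.7.3.1).
    $eku = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if ($eku -and ($eku.EnhancedKeyUsages.Value -notcontains '1.3.6.1.5.5.7.3.1')) {
        $problems += 'missing Server Authentication EKU'
    }
    # The SAN must cover the host used in PrimaryUrl/SecondaryUrl; wildcards such as *.avslab.local are fine.
    $names = @($Cert.DnsNameList | ForEach-Object Unicode)        # PowerShell exposes the SAN as DnsNameList
    if (-not $names) { $names = @($Cert.GetNameInfo('DnsName', $false)) }
    if (-not ($names | Where-Object { $ExpectedHost -like $_ })) {
        $problems += "no certificate name matches $ExpectedHost (has: $($names -join ', '))"
    }
    # Build the chain against this machine's trusted roots; on a domain-joined host that is your enterprise CA.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    if (-not $chain.Build($Cert)) {
        $problems += ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() })
    }
    return $problems
}

function Export-CertificateBase64 {
    # Same output as the wizard's "Base-64 encoded X.509 (.CER)" option, public certificate only.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$Path)
    $b64 = [Convert]::ToBase64String($Cert.RawData, 'InsertLineBreaks')
    Set-Content -Path $Path -Encoding ascii -Value "-----BEGIN CERTIFICATE-----`n$b64`n-----END CERTIFICATE-----"
}

$exported = @{}   # thumbprint -> file, so a shared/wildcard certificate is written only once
foreach ($server in $LdapsServers) {
    $cert   = Get-LdapsServerCertificate -ComputerName $server
    $issues = Test-LdapsCertificate -Cert $cert -ExpectedHost $server
    if ($issues) { Write-Warning "${server}: $($issues -join '; ')"; continue }
    if ($exported.ContainsKey($cert.Thumbprint)) {
        Write-Host "${server}: same certificate as $($exported[$cert.Thumbprint]); nothing more to export"
        continue
    }
    $path = Join-Path $OutDir "$server.cer"
    Export-CertificateBase64 -Cert $cert -Path $path
    $exported[$cert.Thumbprint] = $path
    Write-Host "${server}: exported $($cert.Subject) (expires $($cert.NotAfter.ToString('u'))) to $path"
}
```

Run it from a domain-joined Windows host that can reach the domain controllers on 636. The check that fails most often in practice is the name match: if PrimaryUrl uses an alias that isn't in the certificate's SAN, the Run command will fail for the same reason this script does.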

(Optional) Upload the LDAPS certificate to blob storage and generate a SAS URL

Important

Copy every SAS URL string before you leave the page; they aren't shown again. A SAS URL grants access to the blob to anyone who holds it, so handle it like a credential and give it a short expiry.

Tip

An alternative is to store all the certificate chains in one file, as described in this VMware KB article, and then generate a single SAS URL for that file.
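The upload and SAS steps can be scripted with the Az.Storage module. The following is an added example, not from this article, that uploads every exported .CER file to a private container and issues a read-only, HTTPS-only SAS for each that expires after one hour, then prints the comma-separated value to paste into SSLCertificatesSasUrl. The resource group, storage account, container name and local folder are placeholders.

```powershell
# Added example; not from the original article. Uploads exported .CER files to a private
# blob container and issues short-lived, read-only, HTTPS-only SAS URLs for them.
# Assumptions: resource group, storage account, container and local folder are placeholders.

$ResourceGroup  = 'rg-avs'            # placeholder
$StorageAccount = 'stavsldaps'        # placeholder
$Container      = 'ldaps-certs'       # placeholder
$CertFolder     = Join-Path $env:TEMP 'avs-ldaps-certs'   # where the .cer files were exported

Connect-AzAccount | Out-Null          # interactive sign-in; skip if a session already exists
$ctx = (Get-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $StorageAccount).Context

# Keep the container private (-Permission Off): the SAS, not anonymous access, is what the Run command uses.
if (-not (Get-AzStorageContainer -Name $Container -Context $ctx -ErrorAction SilentlyContinue)) {
    New-AzStorageContainer -Name $Container -Permission Off -Context $ctx | Out-Null
}

$sasUrls = foreach ($file in Get-ChildItem -Path $CertFolder -Filter '*.cer') {
    Set-AzStorageBlobContent -File $file.FullName -Container $Container -Blob $file.Name `
        -Context $ctx -Force | Out-Null
    # Read-only (r), HTTPS only, valid from 5 minutes ago (clock skew) to one hour from now.
    New-AzStorageBlobSASToken -Container $Container -Blob $file.Name -Permission r `
        -StartTime (Get-Date).AddMinutes(-5) -ExpiryTime (Get-Date).AddHours(1) `
        -Protocol HttpsOnly -FullUri -Context $ctx
}

# Paste this into the SSLCertificatesSasUrl field: multiple URLs are comma-separated, no spaces.
$sslCertificatesSasUrl = $sasUrls -join ','
$sslCertificatesSasUrl
```

Generate the SAS immediately before you run New-LDAPSIdentitySource and let it expire; the Run command only needs to read the blobs once, and a long-lived SAS that ends up in a ticket or a shell history is a standing download link to your CA chain and nothing else, but it is still better not to leave bearer tokens lying around.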

Configure NSX-T DNS for Active Directory domain resolution

Create a DNS zone and add it to the DNS service. Follow the instructions in configure a DNS forwarder in the Azure portal.

After completing these steps, verify that your DNS service includes your DNS zone.

Screenshot of the DNS service with the required DNS zone included.

Your Azure VMware Solution private cloud should now resolve your on-premises Active Directory domain name.

Add Active Directory over LDAP with SSL

To add AD over LDAP with SSL as an external identity source to use with SSO into vCenter Server, run the New-LDAPSIdentitySource cmdlet:

  1. Navigate to your Azure VMware Solution private cloud and select Run command > Packages > New-LDAPSIdentitySource.

  2. Provide the required values or modify the default values, and then select Run.

    Field Value
    GroupName The group in the external identity source that grants CloudAdmin access. For example, avs-admins.
    SSLCertificatesSasUrl SAS URL(s) of the certificate(s) used to authenticate the AD source. Separate multiple URLs with a comma. For example, pathtocert1,pathtocert2. If omitted, the certificates are downloaded from the servers named in PrimaryUrl and SecondaryUrl.
    Credential The domain username and password vCenter Server uses to bind to the AD source (not cloudadmin). Use the username@avslab.local format. A read-only directory account is sufficient; don't use a privileged account.
    BaseDNGroups Location to search for groups. For example, CN=group1,DC=avslab,DC=local. A base DN is required for LDAP authentication.
    BaseDNUsers Location to search for valid users. For example, CN=users,DC=avslab,DC=local. A base DN is required for LDAP authentication.
    PrimaryUrl Primary URL of the external identity source. For example, ldaps://yourserver.avslab.local:636.
    SecondaryUrl Secondary URL used if the primary fails. For example, ldaps://yourbackupldapserver.avslab.local:636.
    DomainAlias For Active Directory identity sources, the domain's NetBIOS name, added as an alias of the identity source. For example, avslab.
    DomainName The domain's FQDN. For example, avslab.local.
    Name User-friendly name of the external identity source. For example, avslab.local.
    Retain up to Retention period of the cmdlet output. The default value is 60 days.
    Specify name for execution Alphanumeric name. For example, addexternalIdentity.
    Timeout The period after which the cmdlet exits if it takes too long to finish.
  3. Check Notifications or the Run Execution Status pane to monitor progress and confirm successful completion.

Add Active Directory over LDAP

Note

We recommend the Add Active Directory over LDAP with SSL method. With plain LDAP on port 389, the bind account's password and every directory lookup travel in clear text between vCenter Server and your domain controllers.

To add AD over LDAP as an external identity source to use with SSO into vCenter Server, run the New-LDAPIdentitySource cmdlet:

  1. Select Run command > Packages > New-LDAPIdentitySource.

  2. Provide the required values or modify the default values, and then select Run.

    Field Value
    Name User-friendly name of the external identity source. For example, avslab.local. This name is displayed in vCenter Server.
    DomainName The domain's FQDN. For example, avslab.local.
    DomainAlias For Active Directory identity sources, the domain's NetBIOS name, added as an alias of the identity source. For example, avslab.
    PrimaryUrl Primary URL of the external identity source. For example, ldap://yourserver.avslab.local:389.
    SecondaryUrl Secondary URL used if the primary fails.
    BaseDNUsers Location to search for valid users. For example, CN=users,DC=avslab,DC=local. A base DN is required for LDAP authentication.
    BaseDNGroups Location to search for groups. For example, CN=group1,DC=avslab,DC=local. A base DN is required for LDAP authentication.
    Credential The domain username and password vCenter Server uses to bind to the AD source (not cloudadmin). The user must be in the username@avslab.local format. A read-only directory account is sufficient.
    GroupName The group in your external identity source that grants CloudAdmin access. For example, avs-admins.
    Retain up to Retention period of the cmdlet output. The default value is 60 days.
    Specify name for execution Alphanumeric name. For example, addexternalIdentity.
    Timeout The period after which the cmdlet exits if it takes too long to finish.
  3. Check Notifications or the Run Execution Status pane to monitor the progress.

Add existing AD group to a cloudadmin group

Important

Nested groups aren't supported, and their use may cause loss of access.

Members of a group added this way receive the CloudAdmin role defined in vCenter Server SSO, that is, the same privileges as the built-in cloudadmin@vsphere.local user. To add an existing AD group to the CloudAdmin role, run the Add-GroupToCloudAdmins cmdlet:

  1. Select Run command > Packages > Add-GroupToCloudAdmins.

  2. Provide the required values or change the default values, and then select Run.

    Field Value
    GroupName Name of the group to add. For example, VcAdminGroup.
    Retain up to Retention period of the cmdlet output. The default value is 60 days.
    Specify name for execution Alphanumeric name. For example, addADgroup.
    Timeout The period after which a cmdlet exits if taking too long to finish.
  3. Check Notifications or the Run Execution Status pane to see the progress.

List external identity sources

To list all external identity sources already integrated with vCenter Server SSO, run the Get-ExternalIdentitySources cmdlet:

  1. Sign in to the Azure portal.

    Note

    If you need access to the Azure US Gov portal, go to https://portal.azure.us/

  2. Select Run command > Packages > Get-ExternalIdentitySources.

    Screenshot of the Run command menu with available packages in the Azure portal.

  3. Provide the required values or change the default values, and then select Run.

    Screenshot of the Get-ExternalIdentitySources cmdlet in the Run command menu.

    Field Value
    Retain up to Retention period of the cmdlet output. The default value is 60 days.
    Specify name for execution Alphanumeric name. For example, getExternalIdentity.
    Timeout The period after which a cmdlet exits if taking too long to finish.
  4. Check Notifications or the Run Execution Status pane to see the progress.

    Screenshot of the Run Execution Status pane in the Azure portal.

Assign more vCenter Server roles to Active Directory identities

After you've added an external identity over LDAP or LDAPS, you can assign vCenter Server roles to Active Directory security groups based on your organization's security controls.

  1. Sign in to vCenter Server with an account that holds the CloudAdmin role, select an item from the inventory, open the ACTIONS menu, and choose Add Permission.

    Screenshot of the ACTIONS menu in vCenter Server with Add Permission option.

  2. In the Add Permission prompt:

    1. Domain: Select the previously added Active Directory.
    2. User/Group: Enter the desired user or group name, find it, then select it.
    3. Role: Choose the role to assign.
    4. Propagate to children: Optionally, select the checkbox to propagate permissions to child resources.

    Screenshot of the Add Permission prompt in vCenter Server.
  3. Switch to the Permissions tab and verify the permission assignment was added.

    Screenshot of the Permissions tab in vCenter Server after adding a permission assignment.

  4. Users can now sign in to vCenter Server using their Active Directory credentials.
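The same assignment can be made with PowerCLI, which is easier to review and repeat than the vSphere Client, and the same session can answer the question that matters after the Run commands above: who holds CloudAdmin. The following is an added example, not from this article, that grants an AD group a built-in, non-administrative role on one VM folder only, then lists every principal that holds the CloudAdmin role anywhere in the inventory. The vCenter host name, folder, group names and the chosen role are placeholders for your environment.

```powershell
# Added example; not from the original article. Scopes a vCenter role to one folder for an
# AD group with PowerCLI, then audits which principals hold CloudAdmin.
# Assumptions (placeholders): vCenter FQDN, VM folder, DomainAlias AVSLAB, group names, role name.
Import-Module VMware.PowerCLI

$vcHost = 'vc.avs.example.local'   # placeholder: your private cloud's vCenter Server FQDN
$vc = Connect-VIServer -Server $vcHost `
        -Credential (Get-Credential -Message 'AD account that is a member of the CloudAdmin group')

# Least privilege: a built-in sample role on one folder, not CloudAdmin on the whole inventory.
$entity = Get-Folder -Name 'Workloads-Team-A' -Type VM -Server $vc      # placeholder folder
$role   = Get-VIRole -Name 'VirtualMachinePowerUser' -Server $vc         # placeholder: pick the least role that fits
$group  = 'AVSLAB\vm-operators'                                          # DomainAlias\AD group, not a nested group

$existing = Get-VIPermission -Entity $entity -Principal $group -Server $vc -ErrorAction SilentlyContinue
if (-not $existing) {
    # Equivalent to Add Permission with "Propagate to children" ticked.
    New-VIPermission -Entity $entity -Principal $group -Role $role -Propagate:$true -Server $vc | Out-Null
}
Write-Host "Permissions on $($entity.Name):"
Get-VIPermission -Entity $entity -Server $vc | Select-Object Principal, Role, Propagate, IsGroup | Format-Table

# Audit: everything that holds CloudAdmin. Expect the built-in cloudadmin user plus only the
# group(s) you added with Add-GroupToCloudAdmins; anything else deserves a ticket.
Write-Host 'Principals holding CloudAdmin:'
Get-VIPermission -Server $vc | Where-Object { $_.Role -eq 'CloudAdmin' } |
    Select-Object Principal, Entity, Propagate, IsGroup | Sort-Object Principal -Unique | Format-Table

Disconnect-VIServer -Server $vc -Confirm:$false
```

Because Add-GroupToCloudAdmins grants the full CloudAdmin role, use it only for the group that genuinely needs it and give everyone else a scoped permission like the one above; the audit query at the end is worth running on a schedule.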

Remove AD group from the cloudadmin role

To remove a specified AD group from the cloudadmin role, run the Remove-GroupFromCloudAdmins cmdlet:

  1. Select Run command > Packages > Remove-GroupFromCloudAdmins.

  2. Provide the required values or change the default values, then select Run.

    Field Value
    GroupName Name of the group to remove. For example, VcAdminGroup.
    Retain up to Retention period of the cmdlet output. The default value is 60 days.
    Specify name for execution Alphanumeric name. For example, removeADgroup.
    Timeout The period after which a cmdlet exits if taking too long to finish.
  3. Check Notifications or the Run Execution Status pane to see the progress.

Remove existing external identity sources

To remove all existing external identity sources at once, run the Remove-ExternalIdentitySources cmdlet. Any AD users and groups that signed in through those sources lose access, so confirm beforehand that you can still sign in with the local cloudadmin break-glass account.

  1. Select Run command > Packages > Remove-ExternalIdentitySources.

  2. Provide the required values or change the default values, then select Run.

    Field Value
    Retain up to Retention period of the cmdlet output. The default value is 60 days.
    Specify name for execution Alphanumeric name. For example, remove_externalIdentity.
    Timeout The period after which a cmdlet exits if taking too long to finish.
  3. Check Notifications or the Run Execution Status pane to see the progress.

Rotate an existing external identity source account's username and/or password

  1. Rotate the password of the bind account (the account you supplied in Credential) in Active Directory on the domain controller.

  2. Select Run command > Packages > Update-IdentitySourceCredential.

  3. Provide the required values and the updated password, and then select Run.

    Field Value
    Credential The domain username and password used for authentication with the AD source (not cloudadmin). The user must be in the username@avslab.local format.
    DomainName The FQDN of the domain. For example, avslab.local.
  4. Check Notifications or the Run Execution Status pane to see the progress.

Important

If you don't provide a DomainName, all external identity sources are removed. Run Update-IdentitySourceCredential only after the password has been rotated in the domain controller; vCenter Server keeps binding with the old credential until the cmdlet completes.
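Every Run command on this page, from New-LDAPSIdentitySource in Add Active Directory over LDAP with SSL to Update-IdentitySourceCredential here, can also be submitted from PowerShell with the Az.VMware module, which gives you a reviewable script instead of portal clicks. The following is an added example, not from this article and not Microsoft's code, for the rotation procedure: it first proves the rotated password with an LDAPS bind against a domain controller, so a typo can't leave vCenter Server with a dead bind account, then submits the Run command with DomainName always set. The resource group, private cloud, domain controller and domain are placeholders; the Az.VMware cmdlet and parameter-object names, and the assumption that the package Name carries its version after "@", should be confirmed against the module's reference before you rely on them.

```powershell
# Added example; not from the original article or from Microsoft's Run command packages.
# Rotates the identity-source bind account safely: prove the new password works over LDAPS
# first, then submit Update-IdentitySourceCredential through Az.VMware instead of the portal.
# Assumptions (placeholders): resource group, private cloud name, DC host name and domain;
# and that Microsoft.AVS.Management package names carry their version after '@'.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-LdapsBind {
    # Simple bind over TLS on 636; $true only if the DC accepts the credential.
    param([string]$Server, [pscredential]$Credential)
    $id   = [System.DirectoryServices.Protocols.LdapDirectoryIdentifier]::new($Server, 636)
    $conn = [System.DirectoryServices.Protocols.LdapConnection]::new($id)
    $conn.SessionOptions.SecureSocketLayer = $true
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
    try     { $conn.Bind($Credential.GetNetworkCredential()); return $true }
    catch   { Write-Warning "LDAPS bind to ${Server} failed: $($_.Exception.Message)"; return $false }
    finally { $conn.Dispose() }
}

function Invoke-AvsRunCommand {
    # Submits one Run command cmdlet, resolving its ScriptCmdletId from the newest installed
    # Microsoft.AVS.Management package instead of hard-coding a package version.
    param([string]$ResourceGroup, [string]$PrivateCloud, [string]$CmdletName,
          [object[]]$Parameter, [string]$ExecutionName)
    $pkg = Get-AzVMwareScriptPackage -ResourceGroupName $ResourceGroup -PrivateCloudName $PrivateCloud |
           Where-Object Name -like 'Microsoft.AVS.Management@*' |
           Sort-Object { [version]($_.Name.Split('@')[1]) } -Descending | Select-Object -First 1
    $cmdlet = Get-AzVMwareScriptCmdlet -ResourceGroupName $ResourceGroup -PrivateCloudName $PrivateCloud `
                  -ScriptPackageName $pkg.Name | Where-Object Name -eq $CmdletName
    if (-not $cmdlet) { throw "Cmdlet $CmdletName not found in package $($pkg.Name)" }
    New-AzVMwareScriptExecution -ResourceGroupName $ResourceGroup -PrivateCloudName $PrivateCloud `
        -Name $ExecutionName -ScriptCmdletId $cmdlet.Id -Parameter $Parameter `
        -Timeout 'PT1H' -Retention 'P60D'     # ISO 8601 durations: 1 hour timeout, keep output 60 days
}

$ResourceGroup = 'rg-avs'              # placeholder
$PrivateCloud  = 'avs-sddc'            # placeholder
$Dc            = 'dc01.avslab.local'   # placeholder: the PrimaryUrl host
$DomainName    = 'avslab.local'
$cred = Get-Credential -Message 'Identity-source bind account with its NEW password (user@avslab.local)'

# The password was already rotated in AD; refuse to touch vCenter until the new secret is proven.
if (-not (Test-LdapsBind -Server $Dc -Credential $cred)) {
    throw "Bind as $($cred.UserName) failed; fix the account before updating vCenter Server."
}

$params = @(
    New-AzVMwarePSCredentialExecutionParameterObject -Name 'Credential' `
        -Username $cred.UserName -Password $cred.GetNetworkCredential().Password
    # Never omit DomainName: without it the cmdlet removes every external identity source.
    New-AzVMwareScriptStringExecutionParameterObject -Name 'DomainName' -Value $DomainName
)
$exec = Invoke-AvsRunCommand -ResourceGroup $ResourceGroup -PrivateCloud $PrivateCloud `
            -CmdletName 'Update-IdentitySourceCredential' -Parameter $params `
            -ExecutionName ('rotateIdSourceCred' + (Get-Date -Format 'yyyyMMddHHmm'))

# Same information as the Run Execution Status pane in the portal.
Get-AzVMwareScriptExecutionLog -ResourceGroupName $ResourceGroup -PrivateCloudName $PrivateCloud -Name $exec.Name |
    Select-Object Name, ProvisioningState, Output, Error
```

To submit New-LDAPSIdentitySource with the same helper, change CmdletName and build the parameter list from the table in Add Active Directory over LDAP with SSL: Credential as a PSCredential parameter object, everything else (GroupName, SSLCertificatesSasUrl, BaseDNGroups, BaseDNUsers, PrimaryUrl, SecondaryUrl, DomainAlias, DomainName, Name) as string parameter objects. Run the commands one at a time, as the article says, and check the execution log before starting the next.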

Next steps

Now that you've learned about how to configure LDAP and LDAPS, explore the following topics: