Configure external identity source for vCenter Server

In Azure VMware Solution, vCenter Server has a built-in local user called cloudadmin assigned to the CloudAdmin role. You can configure users and groups in Active Directory (AD) with the CloudAdmin role for your private cloud. In general, the CloudAdmin role creates and manages workloads in your private cloud. But in Azure VMware Solution, the CloudAdmin role has vCenter Server privileges that differ from other VMware cloud solutions and on-premises deployments.

Important

The local cloudadmin user should be treated as an emergency access account for "break glass" scenarios in your private cloud. It's not for daily administrative activities or integration with other services.

  • In a vCenter Server and ESXi on-premises deployment, the administrator has access to the vCenter Server administrator@vsphere.local account and the ESXi root account. They can also have more AD users and groups assigned.

  • In an Azure VMware Solution deployment, the administrator doesn't have access to the administrator user account or the ESXi root account. They can, however, assign AD users and groups to the CloudAdmin role in vCenter Server. The CloudAdmin role doesn't have permissions to add an identity source, such as an on-premises LDAP or LDAPS server, to vCenter Server. However, you can use Run commands to add an identity source and assign the CloudAdmin role to users and groups.

The private cloud user doesn't have access to, and can't configure, specific management components that Microsoft supports and manages, for example clusters, hosts, datastores, and distributed virtual switches.

Note

In Azure VMware Solution, the vsphere.local SSO domain is provided as a managed resource to support platform operations. It doesn't support the creation and management of local groups and users except for those provided by default with your private cloud.

Note

Run commands are executed one at a time in the order submitted.

In this article, you learn how to:

  • Export the certificate for LDAPS authentication
  • Upload the LDAPS certificate to blob storage and generate a SAS URL
  • Configure NSX-T DNS for resolution to your Active Directory Domain
  • Add Active Directory over LDAPS (LDAP over SSL, secure) or LDAP (unsecure)
  • Add existing AD group to cloudadmin group
  • List all existing external identity sources integrated with vCenter Server SSO
  • Assign additional vCenter Server Roles to Active Directory Identities
  • Remove AD group from the cloudadmin role
  • Remove existing external identity sources

Prerequisites

Note

For more information about LDAPS and certificate issuance, consult your security or identity management team.

Export the certificate for LDAPS authentication

First, verify that the certificate used for LDAPS is valid. If you don't already have a certificate, follow the steps to create a certificate for secure LDAP before you continue.

  1. Sign in to a domain controller with administrator permissions where LDAPS is enabled.

  2. Open the Run dialog, type mmc, and select OK.

  3. Select the File menu option then Add/Remove Snap-in.

  4. Select Certificates in the list of snap-ins and select the Add > button.

  5. In the Certificates snap-in window, select Computer account then select Next.

  6. Keep the first option, Local computer..., selected, then select Finish and then OK.

  7. Expand the Personal folder under the Certificates (Local Computer) management console and select the Certificates folder to list the installed certificates.

    Screenshot showing displaying the list of certificates.

  8. Double-click the certificate used for LDAPS. The General tab of the certificate properties is displayed. Ensure that the Valid from and Valid to dates are current and that the certificate has a private key that corresponds to it.

    Screenshot showing the properties of the certificate.

  9. In the same window, select the Certification Path tab and verify that the certification path is valid: it should include the certificate chain of the root CA and, optionally, intermediate certificates, and the Certificate Status should be OK.

    Screenshot showing the certificate chain.

  10. Close the window.

Now proceed to export the certificate.

  1. Still in the Certificates console, right-click the LDAPS certificate and select All Tasks > Export. The Certificate Export Wizard is displayed; select the Next button.

  2. In the Export Private Key section, select the second option, No, do not export the private key, and select the Next button.

  3. In the Export File Format section, select the second option, Base-64 encoded X.509(.CER) and then select the Next button.

  4. In the File to Export section, select the Browse... button, select the folder to export the certificate to, enter a file name, and then select Save.

Note

If more than one domain controller is LDAPS enabled, repeat the export procedure on the additional domain controller(s) to export the corresponding certificate(s). Be aware that you can reference only two LDAPS servers in the New-LDAPSIdentitySource Run command. If the certificate is a wildcard certificate, for example *.avsdemo.net, you only need to export the certificate from one of the domain controllers.

Upload the LDAPS certificate to blob storage and generate a SAS URL

Important

Make sure to copy each SAS URL string, because they're no longer available once you leave the page.

Tip

An alternative method for consolidating certificates is to save the certificate chains in a single file, as described in this VMware KB article, and generate a single SAS URL for the file that contains all the certificates.

Configure NSX-T DNS for resolution to your Active Directory Domain

A DNS zone needs to be created and added to the DNS service. Follow the instructions in Configure a DNS forwarder in the Azure portal to complete these two steps.

After completion, verify that your DNS service includes your DNS zone.

    Screenshot showing the DNS Service that includes the required DNS zone.

Your Azure VMware Solution Private cloud should now be able to resolve your on-premises Active Directory domain name properly.

Add Active Directory over LDAP with SSL

In your Azure VMware Solution private cloud, you'll run the New-LDAPSIdentitySource cmdlet to add AD over LDAP with SSL as an external identity source to use with SSO into vCenter Server.

  1. Browse to your Azure VMware Solution private cloud and then select Run command > Packages > New-LDAPSIdentitySource.

  2. Provide the required values or change the default values, and then select Run.

    GroupName: The group in the external identity source that gives cloudadmin access. For example, avs-admins.
    CertificateSAS: Path to the SAS strings with the certificates for authentication to the AD source. If you're using multiple certificates, separate each SAS string with a comma. For example, pathtocert1,pathtocert2.
    Credential: The domain username and password used for authentication with the AD source (not cloudadmin). The user must be in the username@avslab.local format.
    BaseDNGroups: Where to look for groups, for example, CN=group1, DC=avsldap,DC=local. A base DN is needed to use LDAP authentication.
    BaseDNUsers: Where to look for valid users, for example, CN=users,DC=avsldap,DC=local. A base DN is needed to use LDAP authentication.
    PrimaryUrl: Primary URL of the external identity source, for example, ldaps://yourserver.avslab.local.:636.
    SecondaryURL: Secondary fallback URL used if the primary fails. For example, ldaps://yourbackupldapserver.avslab.local:636.
    DomainAlias: For Active Directory identity sources, the domain's NetBIOS name. Add the NetBIOS name of the AD domain as an alias of the identity source. Typically in the avsldap format.
    DomainName: The FQDN of the domain, for example avslab.local.
    Name: User-friendly name of the external identity source, for example avslab.local. This is how it's displayed in vCenter.
    Retain up to: Retention period of the cmdlet output. The default value is 60 days.
    Specify name for execution: Alphanumeric name, for example, addexternalIdentity.
    Timeout: The period after which a cmdlet exits if it takes too long to finish.
  3. Check Notifications or the Run Execution Status pane to see the progress and successful completion.
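A pre-flight check of the New-LDAPSIdentitySource parameters before they're submitted, as an added example for this article (it isn't a Microsoft cmdlet or Run command). It assumes the fields are held in a dictionary keyed by the names in the table above, that Credential is a dictionary with a username key, and that cert_names holds the subject or SAN names of the exported .CER files; all sample values are constructed.

```python
from urllib.parse import urlsplit

def dn_domain(dn):
    """'CN=users,DC=avslab,DC=local' -> 'avslab.local' (from the DC= components)."""
    parts = [p.strip() for p in dn.split(",")]
    return ".".join(p[3:].strip() for p in parts if p.upper().startswith("DC=")).lower()

def cert_name_covers(cert_name, hostname):
    """A wildcard such as *.avsdemo.net covers exactly one left-most label."""
    cert_name, hostname = cert_name.lower(), hostname.lower().rstrip(".")
    if not cert_name.startswith("*."):
        return cert_name == hostname
    suffix = cert_name[1:]                                   # ".avsdemo.net"
    label = hostname[: -len(suffix)] if hostname.endswith(suffix) else ""
    return label != "" and "." not in label

def check_ldaps_params(params, cert_names):
    """Return the problems found in a New-LDAPSIdentitySource parameter set."""
    problems, domain = [], params["DomainName"].lower()
    for url in (params.get("PrimaryUrl"), params.get("SecondaryURL")):
        if not url:                                          # SecondaryURL is optional
            continue
        parts = urlsplit(url)
        host = (parts.hostname or "").rstrip(".")
        if parts.scheme != "ldaps":
            problems.append(f"{url}: New-LDAPSIdentitySource needs an ldaps:// URL")
        if not host.endswith("." + domain):
            problems.append(f"{url}: host is outside {domain}, the zone NSX-T DNS forwards")
        if not any(cert_name_covers(n, host) for n in cert_names):
            problems.append(f"{url}: no exported certificate covers {host}")
    user = params["Credential"]["username"]
    if user.count("@") != 1 or not user.lower().endswith("@" + domain):
        problems.append(f"Credential user must be in username@{domain} format")
    for key in ("BaseDNUsers", "BaseDNGroups"):
        if dn_domain(params[key]) != domain:
            problems.append(f"{key}: DC components do not match {domain}")
    if len(params["CertificateSAS"].split(",")) < len(cert_names):
        problems.append("one SAS URL is needed per exported certificate")
    return problems

# Constructed sample values in the format the field table above describes.
SAMPLE = {
    "DomainName": "avslab.local",
    "PrimaryUrl": "ldaps://dc01.avslab.local:636",
    "SecondaryURL": "ldaps://dc02.avslab.local:636",
    "BaseDNUsers": "CN=users,DC=avslab,DC=local",
    "BaseDNGroups": "CN=group1, DC=avslab,DC=local",
    "Credential": {"username": "svc-ldap@avslab.local", "password": "<placeholder>"},
    "CertificateSAS": "https://blob.example/dc01.cer?sas1,https://blob.example/dc02.cer?sas2",
}
```

Calling check_ldaps_params(SAMPLE, ["dc01.avslab.local", "dc02.avslab.local"]) returns an empty list; a single wildcard name such as *.avslab.local also satisfies both URLs, which is why the note above says one export suffices in that case.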

Add Active Directory over LDAP

Note

We recommend you use the Add Active Directory over LDAP with SSL method.

You'll run the New-LDAPIdentitySource cmdlet to add AD over LDAP as an external identity source to use with SSO into vCenter Server.

  1. Select Run command > Packages > New-LDAPIdentitySource.

  2. Provide the required values or change the default values, and then select Run.

    Name: User-friendly name of the external identity source, for example, avslab.local. This is how it's displayed in vCenter.
    DomainName: The FQDN of the domain, for example avslab.local.
    DomainAlias: For Active Directory identity sources, the domain's NetBIOS name. Add the NetBIOS name of the AD domain as an alias of the identity source. Typically in the avsldap format.
    PrimaryUrl: Primary URL of the external identity source, for example, ldap://yourserver.avslab.local:389.
    SecondaryURL: Secondary fallback URL used if the primary fails.
    BaseDNUsers: Where to look for valid users, for example, CN=users,DC=avslab,DC=local. A base DN is needed to use LDAP authentication.
    BaseDNGroups: Where to look for groups, for example, CN=group1, DC=avslab,DC=local. A base DN is needed to use LDAP authentication.
    Credential: The domain username and password used for authentication with the AD source (not cloudadmin). The user must be in the username@avslab.local format.
    GroupName: The group to give cloudadmin access in your external identity source, for example, avs-admins.
    Retain up to: Retention period of the cmdlet output. The default value is 60 days.
    Specify name for execution: Alphanumeric name, for example, addexternalIdentity.
    Timeout: The period after which a cmdlet exits if it takes too long to finish.
  3. Check Notifications or the Run Execution Status pane to see the progress.

Add existing AD group to cloudadmin group

You'll run the Add-GroupToCloudAdmins cmdlet to add an existing AD group to a cloudadmin group. Users in the cloudadmin group have privileges equal to the cloudadmin (cloudadmin@vsphere.local) role defined in vCenter Server SSO.

  1. Select Run command > Packages > Add-GroupToCloudAdmins.

  2. Provide the required values or change the default values, and then select Run.

    GroupName: Name of the group to add, for example, VcAdminGroup.
    Retain up to: Retention period of the cmdlet output. The default value is 60 days.
    Specify name for execution: Alphanumeric name, for example, addADgroup.
    Timeout: The period after which a cmdlet exits if it takes too long to finish.
  3. Check Notifications or the Run Execution Status pane to see the progress.

List external identity sources

You'll run the Get-ExternalIdentitySources cmdlet to list all external identity sources already integrated with vCenter Server SSO.

  1. Sign in to the Azure portal.

  2. Select Run command > Packages > Get-ExternalIdentitySources.

    Screenshot showing how to access the run commands available.

  3. Provide the required values or change the default values, and then select Run.

    Screenshot showing how to list external identity source.

    Retain up to: Retention period of the cmdlet output. The default value is 60 days.
    Specify name for execution: Alphanumeric name, for example, getExternalIdentity.
    Timeout: The period after which a cmdlet exits if it takes too long to finish.
  4. Check Notifications or the Run Execution Status pane to see the progress.

    Screenshot showing how to check the run commands notification or status.

Assign more vCenter Server Roles to Active Directory Identities

After you've added an external identity over LDAP or LDAPS, you can assign vCenter Server Roles to Active Directory security groups based on your organization's security controls.

  1. After you sign in to vCenter Server with cloudadmin privileges, select an item from the inventory, select the ACTIONS menu, and then select Add Permission.

    Screenshot displaying how to add a permission assignment.

  2. In the Add Permission prompt:

    1. Domain. Select the Active Directory domain that was added previously.
    2. User/Group. Enter the name of the desired user or group, then select it once it's found.
    3. Role. Select the desired role to assign.
    4. Propagate to children. Optionally select the checkbox if the permission should be propagated down to child resources.

    Screenshot displaying assigning the permission.

  3. Switch to the Permissions tab and verify that the permission assignment was added.

    Screenshot displaying the completed permission assignment.

  4. Users should now be able to sign in to vCenter Server using their Active Directory credentials.

Remove AD group from the cloudadmin role

You'll run the Remove-GroupFromCloudAdmins cmdlet to remove a specified AD group from the cloudadmin role.

  1. Select Run command > Packages > Remove-GroupFromCloudAdmins.

  2. Provide the required values or change the default values, and then select Run.

    GroupName: Name of the group to remove, for example, VcAdminGroup.
    Retain up to: Retention period of the cmdlet output. The default value is 60 days.
    Specify name for execution: Alphanumeric name, for example, removeADgroup.
    Timeout: The period after which a cmdlet exits if it takes too long to finish.
  3. Check Notifications or the Run Execution Status pane to see the progress.

Remove existing external identity sources

You'll run the Remove-ExternalIdentitySources cmdlet to remove all existing external identity sources in bulk.

  1. Select Run command > Packages > Remove-ExternalIdentitySources.

  2. Provide the required values or change the default values, and then select Run.

    Retain up to: Retention period of the cmdlet output. The default value is 60 days.
    Specify name for execution: Alphanumeric name, for example, remove_externalIdentity.
    Timeout: The period after which a cmdlet exits if it takes too long to finish.
  3. Check Notifications or the Run Execution Status pane to see the progress.

Next steps

Now that you've learned about how to configure LDAP and LDAPS, you can learn more about: