Use Azure AD as an identity provider for vCenter on CloudSimple Private Cloud

You can set up your CloudSimple Private Cloud vCenter to authenticate with Azure Active Directory (Azure AD) for your VMware administrators to access vCenter. After the single sign-on identity source is set up, the cloudowner user can add users from the identity source to vCenter.

You can set up your Active Directory domain and domain controllers in any of the following ways:

  • Active Directory domain and domain controllers running on-premises
  • Active Directory domain and domain controllers running on Azure as virtual machines in your Azure subscription
  • New Active Directory domain and domain controllers running in your CloudSimple Private Cloud
  • Azure Active Directory service

This guide explains the tasks required to set up Azure AD as an identity source. For information on using on-premises Active Directory or Active Directory running in Azure, refer to Set up vCenter identity sources to use Active Directory for detailed instructions on setting up the identity source.

About Azure AD

Azure AD is the Microsoft multi-tenant, cloud-based directory and identity management service. Azure AD provides a scalable, consistent, and reliable authentication mechanism for users to authenticate and access different services on Azure. It also provides secure LDAP services so that third-party services can use Azure AD as an authentication/identity source. Azure AD combines core directory services, advanced identity governance, and application access management, which can be used to give access to your Private Cloud to the users who administer it.

To use Azure AD as an identity source with vCenter, you must set up Azure AD and Azure AD domain services. Follow these instructions:

  1. How to set up Azure AD and Azure AD domain services
  2. How to set up an identity source on your Private Cloud vCenter

Set up Azure AD and Azure AD domain services

Before you get started, you will need access to your Azure subscription with Global Administrator privileges. The following steps give general guidelines. Details are contained in the Azure documentation.

Azure AD

Note

If you already have Azure AD, you can skip this section.

  1. Set up Azure AD on your subscription as described in Azure AD documentation.
  2. Enable Azure Active Directory Premium on your subscription as described in Sign up for Azure Active Directory Premium.
  3. Set up a custom domain name and verify the custom domain name as described in Add a custom domain name to Azure Active Directory.
    1. Set up a DNS record on your domain registrar with the information provided on Azure.
    2. Set the custom domain name to be the primary domain.

You can optionally configure other Azure AD features. These are not required for enabling vCenter authentication with Azure AD.

Azure AD domain services

Note

This is an important step for enabling Azure AD as an identity source for vCenter. To avoid any issues, ensure that all steps are performed correctly.

  1. Enable Azure AD Domain Services as described in Enable Azure Active Directory Domain Services using the Azure portal.

  2. Set up the network that will be used by Azure AD domain services as described in Enable Azure Active Directory Domain Services using the Azure portal.

  3. Configure Administrator Group for managing Azure AD Domain Services as described in Enable Azure Active Directory Domain Services using the Azure portal.

  4. Update DNS settings for your Azure AD Domain Services as described in Enable Azure Active Directory Domain Services. If you want to connect to AD over the Internet, set up the DNS record for the public IP address of the Azure AD domain services to the domain name.

  5. Enable password hash synchronization for users. This step enables synchronization of password hashes required for NT LAN Manager (NTLM) and Kerberos authentication to Azure AD Domain Services. After you've set up password hash synchronization, users can sign in to the managed domain with their corporate credentials. See Enable password hash synchronization to Azure Active Directory Domain Services.

    1. If cloud-only users are present, they must change their password using Azure AD access panel to ensure password hashes are stored in the format required by NTLM or Kerberos. Follow instructions in Enable password hash synchronization to your managed domain for cloud-only user accounts. This step must be done for individual users and any new user who is created in your Azure AD directory using the Azure portal or Azure AD PowerShell cmdlets. Users who require access to Azure AD domain services must use the Azure AD access panel and access their profile to change the password.

      Note

      If your organization has cloud-only user accounts, all users who need to use Azure Active Directory Domain Services must change their passwords. A cloud-only user account is an account that was created in your Azure AD directory using either the Azure portal or Azure AD PowerShell cmdlets. Such user accounts aren't synchronized from an on-premises directory.

    2. If you are synchronizing passwords from your on-premises Active Directory, follow the steps in the Active Directory documentation.

  6. Configure secure LDAP on your Azure Active Directory Domain Services as described in Configure secure LDAP (LDAPS) for an Azure AD Domain Services managed domain.

    1. Upload a certificate for use by secure LDAP as described in the Azure topic Obtain a certificate for secure LDAP. CloudSimple recommends using a signed certificate issued by a certificate authority to ensure that vCenter can trust the certificate.
    2. Enable secure LDAP as described in Enable secure LDAP (LDAPS) for an Azure AD Domain Services managed domain.
    3. Save the public part of the certificate (without the private key) in .cer format for use with vCenter while configuring the identity source.
    4. If Internet access to the Azure AD domain services is required, enable the 'Allow secure access to LDAP over internet' option.
    5. Add the inbound security rule for the Azure AD Domain services NSG for TCP port 636.

Set up an identity source on your Private Cloud vCenter

  1. Escalate privileges for your Private Cloud vCenter.

  2. Collect the configuration parameters required for setting up of identity source.

    Option                  Description
    Name                    Name of the identity source.
    Base DN for users       Base distinguished name for users. For Azure AD, use
                            OU=AADDC Users,DC=<domain>,DC=<domain suffix>.
                            Example: OU=AADDC Users,DC=cloudsimplecustomer,DC=com
    Domain name             FQDN of the domain, for example, example.com. Do not provide an IP
                            address in this text box.
    Domain alias (optional) The domain NetBIOS name. Add the NetBIOS name of the Active Directory
                            domain as an alias of the identity source if you are using SSPI
                            authentication.
    Base DN for groups      The base distinguished name for groups. For Azure AD, use
                            OU=AADDC Users,DC=<domain>,DC=<domain suffix>.
                            Example: OU=AADDC Users,DC=cloudsimplecustomer,DC=com
    Primary Server URL      Primary domain controller LDAP server for the domain. Use the
                            format ldaps://hostname:port. The port is typically 636 for LDAPS
                            connections. A certificate that establishes trust for the LDAPS
                            endpoint of the Active Directory server is required when you use
                            ldaps:// in the primary or secondary LDAP URL.
    Secondary server URL    Address of a secondary domain controller LDAP server that is used
                            for failover.
    Choose certificate      If you want to use LDAPS with your Active Directory LDAP Server or
                            OpenLDAP Server identity source, a Choose certificate button appears
                            after you type ldaps:// in the URL text box. A secondary URL is not
                            required.
    Username                ID of a user in the domain who has a minimum of read-only access to
                            the Base DN for users and groups.
    Password                Password of the user specified by Username.
  3. Sign in to your Private Cloud vCenter after the privileges are escalated.

  4. Follow the instructions in Add an identity source on vCenter using the values from the previous step to set up Azure Active Directory as an identity source.

  5. Add users/groups from Azure AD to vCenter groups as described in the VMware topic Add Members to a vCenter Single Sign-On Group.

Caution

New users must be added only to Cloud-Owner-Group, Cloud-Global-Cluster-Admin-Group, Cloud-Global-Storage-Admin-Group, Cloud-Global-Network-Admin-Group, or Cloud-Global-VM-Admin-Group. Users added to the Administrators group will be removed automatically. Only service accounts must be added to the Administrators group.
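As an added pre-flight check (example code, not part of this page or of CloudSimple's tooling), the script below derives the Base DN values from the domain name, enforces the Primary Server URL rules from the table above, and opens a TLS connection to the secure LDAP endpoint configured in step 6 while trusting only the exported .cer, so a certificate, hostname or NSG problem surfaces before the identity source is created in vCenter. The domain, hostname and certificate file name are constructed sample values.

```python
import ipaddress
import socket
import ssl
from urllib.parse import urlsplit

AADDC_OU = "AADDC Users"  # OU that Azure AD DS synchronizes users and groups into


def base_dn(domain: str) -> str:
    """'cloudsimplecustomer.com' -> 'OU=AADDC Users,DC=cloudsimplecustomer,DC=com'."""
    labels = [p for p in domain.strip().lower().split(".") if p]
    if len(labels) < 2:
        raise ValueError(f"not an FQDN: {domain!r}")
    return f"OU={AADDC_OU}," + ",".join(f"DC={p}" for p in labels)


def validate_ldaps_url(url: str) -> tuple:
    """Primary Server URL rules: ldaps:// scheme, explicit port, FQDN rather than IP."""
    parts = urlsplit(url)
    if parts.scheme != "ldaps":
        raise ValueError("use ldaps:// so the bind credentials travel over TLS")
    host, port = parts.hostname, parts.port
    if not host or port is None:
        raise ValueError("use the form ldaps://hostname:port (636 for LDAPS)")
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return host, port  # a hostname, as the table requires
    raise ValueError("no IP addresses: the server certificate is issued to the FQDN")


def check_ldaps_endpoint(url: str, cer_path: str, timeout: float = 5.0) -> str:
    """Connect to the LDAPS endpoint trusting ONLY the exported .cer (Base-64/PEM
    encoded) and return the certificate common name. A chain or hostname mismatch
    raises ssl.SSLCertVerificationError, the same trust failure vCenter would hit."""
    host, port = validate_ldaps_url(url)
    ctx = ssl.create_default_context(cafile=cer_path)  # hostname check + CERT_REQUIRED
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            subject = dict(rdn[0] for rdn in tls.getpeercert()["subject"])
            return subject.get("commonName", "")


if __name__ == "__main__":  # constructed sample values, not a real deployment
    print(base_dn("cloudsimplecustomer.com"))
    print(check_ldaps_endpoint("ldaps://ldaps.cloudsimplecustomer.com:636", "aadds-ldaps.cer"))
```

Python's `cafile` expects PEM, so save the public certificate in step 6.3 as Base-64 encoded .cer rather than DER; a CA-issued certificate that vCenter would accept also passes here because the exported file is used as the trust anchor.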

Next steps