VMware vCenter 5.1 - Unable to Grant Permission to Active Directory Domain Accounts

Problem
If VMware vCenter 5.1 is installed with a local administrative account and not a domain account, then, when trying to assign permissions in vCenter via the vSphere Client or vSphere Web Client, the Active Directory domain will not be listed as an option.

Image: Assign Permissions – Domain showing only server (local) and SYSTEM-DOMAIN (SSO)

Solution
1) Log on to the vSphere Web Client at https://vcenter.domain.priv:9443/vsphere-client using the admin@system-domain account and password
2.1) Home > Administration > Access > SSO Users and Groups > Groups tab > Click on the blue-half-person icon ‘Add Principals
2.2) Add Principals: from the ‘Identity source:’ drop-down, select the vCenter server > click Search > click on the local Administrator account > click Add and then OK

Image: Add Principals, Add local Administrator account

Note: To just get Active Directory permissions available via the vSphere Client, 2.1 and 2.2 are not required to be done, just 3. This step is only required so can log into the vSphere Web Client as Administrator to manage permissions etcetera.

3.1) Home> Administration > Sign-On and Discovery > Configuration > Identity Sources tab > Click on the green plus icon ‘Add identity source
3.2) Add identity source: for ‘Identity source type’ select ‘Active Directory
And fill in the ‘Identity source settings’ like below (change the values as per the domain in question):

Name: DOMAIN
Primary server URL: ldap://dc01.domain.priv
Secondary server URL: ldap://dc02.domain.priv
Base DN for users: cn=users,dc=domain,dc=priv
Domain name: domain.priv
Domain alias: DOMAIN
Base DN for groups: cn=users,dc=domain,dc=priv
Authentication type: Password
Username: administrator@domain.priv
Password: ********

Click ‘Test Connection
And if all is okay, click OK

Now, if you log into the vSphere Client or vSphere Web Client as the local Administrator account, you will be able to grant permissions to AD Accounts!

Note 1: If you log into the vSphere Web Client as admin@system-domain, you will see 0 vCenter Servers and this is normal. If wanted the vCenter Server(s) to appear in the vSphere Web Client when logged in as admin@system-domain, then just give the admin@system-domain account some permission to vCenter.

Image: vSphere Web Client 5.1 and 0 vCenters

Note 2: With the very latest version of VMware vSphere vCenter 5.1, trying to install vCenter SSO when the vCenter is on a domain but logged in locally, will present the following warning.

Image: vCenter SSO – “Automatic discovery of identity sources will not work.”

Note 3: Trying to install vCenter on a machine in a workgroup presents a different warning.

Image: vCenter SSO – “Automatic discovery of identity sources and authentication using Security Support Provider Interface will not work.”

Comments

Post a Comment