Problem
If VMware vCenter 5.1 is installed with a local administrative account and not a domain account, then, when trying to assign permissions in vCenter via the vSphere Client or vSphere Web Client, the Active Directory domain will not be listed as an option.
Image: Assign Permissions – Domain showing only server (local) and SYSTEM-DOMAIN (SSO)
Solution
1) Log on to the vSphere Web Client at https://vcenter.domain.priv:9443/vsphere-client using the admin@system-domain account and password
2.1) Home > Administration > Access > SSO Users and Groups > Groups tab > Click on the blue half-person icon ‘Add Principals’
2.2) Add Principals: from the ‘Identity source:’ drop-down, select the vCenter server > click Search > click on the local Administrator account > click Add and then OK
Image: Add Principals, Add local Administrator account
Note: If you only want Active Directory permissions available via the vSphere Client, steps 2.1 and 2.2 are not required; just step 3 is. Step 2 is only needed so that you can log into the vSphere Web Client as the local Administrator to manage permissions and so on.
3.1) Home > Administration > Sign-On and Discovery > Configuration > Identity Sources tab > Click on the green plus icon ‘Add identity source’
3.2) Add identity source: for ‘Identity source type’ select ‘Active Directory’, and fill in the ‘Identity source settings’ like below (change the values as per the domain in question):
Name: DOMAIN
Primary server URL: ldap://dc01.domain.priv
Secondary server URL: ldap://dc02.domain.priv
Base DN for users: cn=users,dc=domain,dc=priv
Domain name: domain.priv
Domain alias: DOMAIN
Base DN for groups: cn=users,dc=domain,dc=priv
Authentication type: Password
Username: administrator@domain.priv
Password: ********
Click ‘Test Connection’ and, if all is okay, click OK
Now, if you log into the vSphere Client or vSphere Web Client as the local Administrator account, you will be able to grant permissions to AD accounts!
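Before typing the identity source settings into the form in step 3.2, it is worth checking that they are consistent with each other, because a mismatched base DN or a server outside the domain only shows up as a failed ‘Test Connection’. The following is an added example, not code from the original post or from VMware: it reads a constructed copy of the settings from step 3.2 and reports inconsistencies, including the use of plain ldap:// rather than ldaps:// for the bind. The key names are assumed to match the form labels used above.

```python
from urllib.parse import urlparse

# Constructed sample mirroring the form in step 3.2 (not captured from a real vCenter)
SAMPLE_SETTINGS = """
Name: DOMAIN
Primary server URL: ldap://dc01.domain.priv
Secondary server URL: ldap://dc02.domain.priv
Base DN for users: cn=users,dc=domain,dc=priv
Domain name: domain.priv
Domain alias: DOMAIN
Base DN for groups: cn=users,dc=domain,dc=priv
Authentication type: Password
Username: administrator@domain.priv
"""

def parse_settings(text):
    """Turn the 'Key: value' lines of the form into a dict."""
    settings = {}
    for line in text.strip().splitlines():
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip()
    return settings

def dn_domain(base_dn):
    """Rebuild the DNS domain name from the dc= components of a base DN."""
    parts = [p.strip() for p in base_dn.split(",")]
    dcs = [p.split("=", 1)[1] for p in parts if p.lower().startswith("dc=")]
    return ".".join(dcs).lower()

def in_domain(host, domain):
    return host == domain or host.endswith("." + domain)

def check_identity_source(settings):
    """Return a list of findings; an empty list means the settings are consistent."""
    findings = []
    domain = settings["Domain name"].lower()
    for key in ("Primary server URL", "Secondary server URL"):
        url = settings.get(key)
        if not url:
            continue  # the secondary server is optional
        parsed = urlparse(url)
        if parsed.scheme not in ("ldap", "ldaps") or not parsed.hostname:
            findings.append(f"{key}: not a valid ldap:// or ldaps:// URL")
        elif not in_domain(parsed.hostname.lower(), domain):
            findings.append(f"{key}: host {parsed.hostname} is outside {domain}")
        if parsed.scheme == "ldap":
            findings.append(f"{key}: plain ldap://, use ldaps:// so the bind is encrypted")
    for key in ("Base DN for users", "Base DN for groups"):
        if dn_domain(settings[key]) != domain:
            findings.append(f"{key}: dc= components do not spell {domain}")
    if not settings["Username"].lower().endswith("@" + domain):
        findings.append(f"Username: expected a UPN of the form user@{domain}")
    return findings
```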
Note 1: If you log into the vSphere Web Client as admin@system-domain, you will see 0 vCenter Servers, and this is normal. If you want the vCenter Server(s) to appear in the vSphere Web Client when logged in as admin@system-domain, just give the admin@system-domain account some permission on vCenter.
Image: vSphere Web Client 5.1 and 0 vCenters
Note 2: With the very latest version of VMware vSphere vCenter 5.1, trying to install vCenter SSO when the vCenter is on a domain but logged in locally will present the following warning.
Image: vCenter SSO – “Automatic discovery of identity sources will not work.”
Note 3: Trying to install vCenter on a machine in a workgroup presents a different warning.
Image: vCenter SSO – “Automatic discovery of identity sources and authentication using Security Support Provider Interface will not work.”
This happened to me recently, and this is a good solution!