Cross domain VMware authentication

CCtech
Hello Experts,

I have a production domain of domainA.local.

I have a VMware environment with a vCenter Server and several hosts. The vCenter environment is isolated from domainA.local, in that it uses a DC in domainB.local for DNS.

I would like users from domainA.local to be able to authenticate and log in to the vCenter Server on domainB.local so we can track which users are making changes. Currently, all users from domainA.local log in to the vCenter Server with administrator@vsphere.local.

How do I go about this? I'm thinking a one-way trust from domainA to domainB, and then allow authentication for users on domainB to the vCenter Server, even though the vCenter Server is joined to domainB.

Thanks in advance,
Andrew Hancock (VMware vExpert / EE Fellow), VMware and Virtualization Consultant
Fellow 2018
Expert of the Year 2017

Commented:
A couple of ways you can do this:

1. Create the trust relationship between domains.
2. Also add domainA.local as an authentication source in SSO, and then select which will be the expected Default Resource: domainA.local or domainB.local.

What this means is what users need to type in the username box,

e.g. domainB.local\username or domainA.local\username

to log in to vCenter Server.

The reason why we do both is that you may not want users to be able to use domain resources, e.g. workstations, printers etc. If you set up a trust, those users can log in and also use domain resources; if you just add the AD authentication source to SSO, they can only log in to vCenter.

Author

Commented:
Andrew, I am having trouble with this. I have an identity source listed under SSO on the vCenter Server as domainB.local. I can log in to vCenter as anyuser@domainB.local, but I need to be able to log in as anyuser@domainA.local as well.

I do not believe I can add a second identity source to the vCenter Server for a second domain, which is why I was thinking of configuring a domain trust relationship. However, I like the route of option 2; I am just not sure how to do so. Thank you,
Andrew Hancock (VMware vExpert / EE Fellow), VMware and Virtualization Consultant
Fellow 2018
Expert of the Year 2017

Commented:
If you cannot add it, then you will need to create the one-way or two-way trust. This is because of the current method you have employed, called Active Directory (Integrated Windows Authentication), which allows only a single Active Directory as an identity source, so you would need to use a one-way or two-way trust for this method.

(current config)

or,

Active Directory over LDAP. vCenter Single Sign-On supports multiple Active Directory over LDAP identity sources (which needs re-config).

see here

https://pubs.vmware.com/vsphere-55/index.jsp?topic=%2Fcom.vmware.vsphere.security.doc%2FGUID-1F0106C9-0524-4583-9AC5-A748FD1DC4C5.html

Please note a one-way or two-way trust is easier to configure; be careful you do not break your config and ability to log in!

Author

Commented:
Can you provide a bit more guidance on this? I have configured the one-way trust since you say it would be easier. I can now authenticate to a domainB.local Windows server with user@domainA.local, but I still cannot authenticate to the vCenter Server with user@domainA.local.
Andrew Hancock (VMware vExpert / EE Fellow), VMware and Virtualization Consultant
Fellow 2018
Expert of the Year 2017

Commented:
Can you check if user@domainA.local can log in to your domain at a PC?

Also remember, you will need to type domainA.local\username or whatever the short name is for that domain.

Author

Commented:
Andrew, yes. I can log in to a computer on domainB with a user from domainA.
For example, I can RDP to Computer1.domainB.local with the credentials of domainA\username. So, the trust is working, but vCenter is not allowing domainA\username to connect to it.

Author

Commented:
Also of note, the vCenter Server is joined to domainB, and any user from domainB can log in to vCenter with domainB\username credentials.
Andrew Hancock (VMware vExpert / EE Fellow), VMware and Virtualization Consultant
Fellow 2018
Expert of the Year 2017

Commented:
Okay, log into the Web Client using the Administrator@vsphere.local account, and select Administration, Single Sign On.

There is a Domain drop-down option; you should see both domains in that list. If you don't, the trust is not correct, or not replicated through to SSO.

Check the Identity Source.

Also remember, this could all be in place, but you have not granted access in vCenter Server to the accounts that need access to vCenter Server resources.

E.g. they need to have permissions to access vCenter and objects!

By default, the Administrators group of your default domain, domainB, is added, so you may have to add users from domainA.

Author

Commented:
Hi Andrew, I may have made some progress...

I log in as administrator@vsphere.local and navigate to Administration -> Single Sign On -> Users and Groups, from the dropdown I see vsphere.local, localos, and domainB.local.

When I select domainB.local from the dropdown I see a list of users that reside in AD in DomainB.local.

I do not see anything in regards to domainA.local.

If I navigate to SSO -> Configuration -> Identity Sources, I see the domains vsphere.local, localos, and domainB.local. I previously configured the identity source type 'Active Directory (Integrated Windows Authentication)', with the domain name of domainB.local, and the option 'Use Machine Account'.

I CAN log in to the web client using credentials in the format domainA\username AND username@domainA.local; however, neither of these work on the thick vSphere Client.

Although I can authenticate, when I log in I immediately get an error popup: "Client is not authenticated to VMware Inventory Service - http://localhost:10080/invsvc", and when I browse to the inventory it is empty; there are no hosts or VMs.

In further troubleshooting, if I log in with any user@domainB.local, I also authenticate and do not get the popup error, but I also have an empty inventory. The only user with which I can log in and see a populated inventory is administrator@vsphere.local.

Author

Commented:
Furthermore, I did go into Administration -> Global Permissions -> + -> and added the group domainB.local\domain users with administrator rights, and now when I log in with any user@domainB.local I see the inventory.

Still same issue logging in from user@domainA.local.

Author

Commented:
Also, I did find this VMware KB article:
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2064250#external
So it looks like domain trusts can work in vCenter SSO; I just cannot make sense of where to configure it within vCenter.
Andrew Hancock (VMware vExpert / EE Fellow), VMware and Virtualization Consultant
Fellow 2018
Expert of the Year 2017

Commented:
Using the older vSphere Client, can we try a test?

Author

Commented:
When trying to log in via the older vSphere Client, no credentials from domainA.local work at all.

Author

Commented:
Andrew, I also found this article from a Google search:
http://www.cloud-buddy.com/?p=1769
It looks like the author is adding the identity source as an LDAP server; is this a possibility? Would I need to add the LDS role to the DC in domainA.local?
Andrew Hancock (VMware vExpert / EE Fellow), VMware and Virtualization Consultant
Fellow 2018
Expert of the Year 2017

Commented:
That's what I mentioned in my second post... Active Directory via LDAP, but you would have to undo your current config...

Using your current working admin, log in to the vSphere Client (not the Web Client).

Click the very top of the tree, e.g. the actual name of the vCenter Server (the root of the tree).

Click the Permissions tab.

Right click, Add Permission.

Click Add user, and now check if you can add users from

domainB
domainA

Author

Commented:
Andrew, if I follow your steps within the vSphere Client, I still only see the domains vsphere.local and domainB; I do not have the option of domainA.

Author

Commented:
Also, if I need to undo the current config to get this working with LDAP instead, that would not really be a big problem. I was looking into LDAP, though, and it looks like I would need to configure a CA as well in both domains, which I am not fond of, so I have been looking for another way to do this without needing a CA.

Author

Commented:
Also, not sure if I mentioned it, but both DCs in both domains are 2012 R2. Will they accept LDAP queries as-is without adding the LDS role?
Andrew Hancock (VMware vExpert / EE Fellow), VMware and Virtualization Consultant
Fellow 2018
Expert of the Year 2017

Commented:
Okay, it would appear that your trust is not working correctly; something is not working.

This should work correctly, and you should be able to view both domains to pick from in the vSphere Client.

I've suggested this method because it's the quickest and easiest to get working, but the choice is yours.

You need to add the LDS role.

see here

https://technet.microsoft.com/en-GB/library/hh831593.aspx

Author

Commented:
OK, very strange. Domain trusts are so simple I don't know how it could not be working. I have deleted and re-created the two-way trust as well. I can log in to domainA with domainB credentials, and I can log in to domainB with domainA credentials.

Is there something else I have to do within vCenter to get it to see the other domain? Is it possible because I created the domain trusts after vCenter was joined to the domain?
Andrew Hancock (VMware vExpert / EE Fellow), VMware and Virtualization Consultant
Fellow 2018
Expert of the Year 2017

Commented:
Is there something else I have to do within vcenter to get it to see the other domain? Is it possible because I have created the domain trusts after vcenter was joined to the domain?

That should not make any difference, but vCenter Server (SSO) is not observing the trust.

Author

Commented:
Andrew, I was looking at this article:
http://wahlnetwork.com/2013/09/09/using-active-directory-integrated-windows-authentication-sso-5-5/
in which it looks like the author was able to add multiple domains without using LDAP?

Author

Commented:
I apologize for the links, but in this one it looks like the author is using 'Active Directory as an LDAP server':
http://www.virten.net/2015/02/how-to-add-ad-authentication-in-vcenter-6-0-platform-service-controller/
Is it possible to use this in addition to the Active Directory method?
Regardless, it looks like I will still need to configure LDAP on the DC in domainA, correct?
Andrew Hancock (VMware vExpert / EE Fellow), VMware and Virtualization Consultant
Fellow 2018
Expert of the Year 2017

Commented:
Well, if he did, it's not supported, because LDAP is the only method to add two!

I'm not sure I see two different domains in the link.

Anyway, not supported.
Andrew Hancock (VMware vExpert / EE Fellow), VMware and Virtualization Consultant
Fellow 2018
Expert of the Year 2017

Commented:
Yes, you will need to configure LDS on both domains!

Author

Commented:
Hi Andrew, I may have made some progress.
I removed vCenter from domainB, rebooted, joined vCenter to domainB, and rebooted. Then I added domainB.local as an identity source with the computer account. Now when I go to Administration -> Users and Groups I have domainA AND domainB in the dropdown.
If I go to Global Administration -> Global Permissions -> + -> Add, I do have domainB in the dropdown, and the users populate. I also have domainA.local in the dropdown now, but when I click it the users do not populate, and in the bottom left-hand corner of the web GUI I get the error "cannot load the users for the selected domain".
Progress?
Andrew Hancock (VMware vExpert / EE Fellow), VMware and Virtualization Consultant
Fellow 2018
Expert of the Year 2017

Commented:
If you have both domains available, then vCenter is querying the domains and the trust.

Does the user you are logged in with have permissions to read both domains?

Author

Commented:
I'm not sure how to give a user on domainB permission to "read domains" on domainA. Is that in AD or in vCenter?
Andrew Hancock (VMware vExpert / EE Fellow), VMware and Virtualization Consultant
Fellow 2018
Expert of the Year 2017

Commented:
AD.

Can you check, as an admin in Domain A, using the Active Directory User/Group snap-in, that you can manage users, and vice versa?

Author

Commented:
Trying to understand what you mean: so in AD for domainA, I should be able to open the Domain Admins group and add a user from domainB?
Andrew Hancock (VMware vExpert / EE Fellow), VMware and Virtualization Consultant
Fellow 2018
Expert of the Year 2017

Commented:
If a two-way trust has been established correctly:

1. You should be able to log in as a Domain Admin user from Domain A, and manage ALL objects in Domain B.

2. You should be able to log in as a Domain Admin user from Domain B, and manage ALL objects in Domain B.

This is standard Active Directory management.

Have you worked with trust relationships between domains before?

Author

Commented:
Hi Andrew, I have worked with trusts, yes. I am having trouble understanding what you are trying to say, though; when you say permission to read domains, it is not clear to me.

As it stands now, there is a two-way trust between domainA and domainB.
I can log in to a domainB computer with any domainA\username credentials and vice versa.
I have delegated control in AD on domainA to administrator@domainB.local to allow all common tasks, including "Read all user information".
I have also delegated control in domainA for the VcenterserverAdomainB.local computer account to "Read all user information".
To my knowledge, administrator@domainB.local and the computer account of vcenter@domainb.local should have rights to read users on domainA. I am wondering if I am missing anything?
If I log in to vCenter on domainB with the username administrator@domainB.local, and navigate to Global Permissions, Add user, the users still do not populate for domainA.

I had asked if you were suggesting adding a user from domainB to a group such as Domain Admins or even Domain Users on domainA, in order to have permissions to read user information, but I was unclear on this. Sorry for the confusion.
Andrew Hancock (VMware vExpert / EE Fellow), VMware and Virtualization Consultant
Fellow 2018
Expert of the Year 2017

Commented:
Okay, I'm just trying to establish that the Domain Admin users from Domain A and Domain B that you are using can administer both domains?

Nothing to do with vCenter Server, using Active Directory Users and Computers?

Yes or no?

This is a confirmation that the trust is working?

Using that same user logged into vCenter Server should also work.

From what you are saying, it suggests that this is working how it should, but not in vCenter Server.

Author

Commented:
OK, understood. Yes, I can log in to my DC on domainB with Administrator@domainB.local, open the ADUC MMC, change the domain to domainA.local, and yes, I can view all OUs, users, and groups; I can create, modify, and delete users.
Andrew Hancock (VMware vExpert / EE Fellow), VMware and Virtualization Consultant
Fellow 2018
Expert of the Year 2017

Commented:
So, you cannot log in as other domain users, or retrieve user lists?

Author

Commented:
Andrew, I simply added the LDS role to the DC on domainA, and was then able to add domainA as an LDAP identity source. I can now authenticate to vCenter on domainB using credentials from domainA.
Andrew Hancock (VMware vExpert / EE Fellow), VMware and Virtualization Consultant
Fellow 2018
Expert of the Year 2017

Commented:
That's an option.....
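As an added example (not from the thread, from VMware, or from either participant), a Python pre-flight helper for the AD-over-LDAP route that resolved the question: it derives the base DN the vCenter identity-source wizard asks for from a DNS domain name, builds the primary URL with LDAPS by default (plain ldap:// sends the service-account bind and every user's password bind in cleartext, which is why this route needs a CA-issued certificate on the DC), maps the two login forms used in the thread to a configured source, and fetches the DC's LDAPS certificate for import into SSO. Host names are placeholders, and treating the NetBIOS short name as the first DNS label is an assumption.

```python
import ssl
from urllib.parse import urlparse

def base_dn_from_domain(domain: str) -> str:
    """domainA.local -> DC=domaina,DC=local, the base DN the identity-source wizard asks for."""
    labels = [x for x in domain.strip().strip(".").lower().split(".") if x]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join(f"DC={label}" for label in labels)

def ldap_identity_source(domain: str, dc_host: str, use_ldaps: bool = True) -> dict:
    """Settings for one 'Active Directory as an LDAP Server' identity source. LDAPS is the
    default: over plain ldap:// the SSO service-account bind and user password binds are cleartext."""
    base = base_dn_from_domain(domain)
    scheme, port = ("ldaps", 636) if use_ldaps else ("ldap", 389)
    return {
        "domain_name": domain.lower(),
        "base_dn_users": base,       # narrow to an OU under the base DN if needed
        "base_dn_groups": base,
        "primary_url": f"{scheme}://{dc_host}:{port}",   # dc_host is a placeholder
        "cleartext": not use_ldaps,  # flag so a config review can reject ldap:// sources
    }

def split_login(login: str) -> tuple:
    """(domain, user) for the two login forms from the thread: user@domain or DOMAIN\\user."""
    if "\\" in login:
        domain, user = login.split("\\", 1)
    elif "@" in login:
        user, domain = login.rsplit("@", 1)
    else:
        raise ValueError("login must be user@domain or domain\\user")
    if not domain or not user:
        raise ValueError("empty domain or user part")
    return domain.lower(), user

def login_matches_source(login: str, source: dict) -> bool:
    """Does this login's domain belong to the given identity source? Assumption: the
    NetBIOS short name equals the first DNS label (true for domainA.local, not always)."""
    domain, _ = split_login(login)
    dns_name = source["domain_name"]
    return domain in (dns_name, dns_name.split(".")[0])

def fetch_ldaps_certificate(primary_url: str) -> str:
    """Fetch the PEM certificate the DC presents on LDAPS so it (or its issuing CA) can be
    imported into SSO when the source is created. Non-ldaps:// URLs are rejected."""
    parsed = urlparse(primary_url)
    if parsed.scheme != "ldaps" or not parsed.hostname:
        raise ValueError("certificate fetch only applies to ldaps://host[:port] URLs")
    return ssl.get_server_certificate((parsed.hostname, parsed.port or 636))
```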
