• Status: Solved

vSphere 6 - AD authentication - why allowing every domain user to login?

I joined my vCenter appliance to AD and added it as an Identity source.
As soon as I do that, it allows any domain user in the forest to log in.
Why is it doing that?
I thought the purpose of Access Control > Global Permissions was to control what user/group from which Identity Source is allowed to log in?
In this case it seems simply adding an Identity source of AD permits anyone in that source to log in...
Asked: garryshape
1 Solution
 
Andrew Hancock (VMware vExpert / EE MVE^2), VMware and Virtualization Consultant, Commented:
If any user can log in, what access do they have?
 
garryshape (Author) Commented:
It looks like most menu items are there, but no objects show up.
So if I'm in as one of these unwanted users and I click Networks, it shows 0. Same with VMs, Hosts, etc.

Just seems odd that it lets a user log in though.
It looks like that's the same case in vCenter 5.5.
 
Andrew Hancock (VMware vExpert / EE MVE^2), VMware and Virtualization Consultant, Commented:
That looks normal; until you assign permissions, users cannot do anything.

You need to create groups and assign user permissions so they can access any objects.
 
garryshape (Author) Commented:
Yeah, I guess I just see a login as its own form of "permission".
Seems like it would be more appropriate to just give a "no authorization" type of message unless there were permissions set up within.
I guess since this is by design, the only workaround would be to set up firewall rules if we wanted to. Oh well, I guess it's not an issue.
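A check for the situation discussed in this thread, as an added example (not part of the original posts and not VMware's code): since any user in the identity source can authenticate, what matters is which principals actually hold a role. The function flags permissions granted to forest-wide groups; the `Find-BroadPermission` name, the group list and the sample rows are assumptions constructed for illustration, and the live query assumes VMware PowerCLI.

```powershell
# Added example. Input objects are shaped like Get-VIPermission output
# (Principal, Role, Entity, IsGroup, Propagate).
function Find-BroadPermission {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Permission,
        # Groups treated as "everyone in the domain" (assumed list; adjust to your forest)
        [string[]]$BroadGroup = @('Domain Users', 'Authenticated Users', 'Everyone')
    )
    process {
        # Individual user grants are out of scope for this check
        if (-not $Permission.IsGroup) { return }
        # Principal may appear as DOMAIN\Group or group@domain; keep only the group name
        $name = ($Permission.Principal -split '\\')[-1]
        $name = ($name -split '@')[0]
        # The built-in NoAccess role grants nothing, so it is not a finding
        if ($BroadGroup -contains $name -and $Permission.Role -ne 'NoAccess') {
            [pscustomobject]@{
                Principal = $Permission.Principal
                Role      = $Permission.Role
                Entity    = "$($Permission.Entity)"
                Propagate = $Permission.Propagate
            }
        }
    }
}

# Constructed sample rows so the function can be exercised offline
$sample = @(
    [pscustomobject]@{ Principal = 'CORP\vSphere-Admins'; Role = 'Admin'
                       Entity = 'Datacenters'; IsGroup = $true; Propagate = $true }
    [pscustomobject]@{ Principal = 'CORP\Domain Users'; Role = 'ReadOnly'
                       Entity = 'Prod-Cluster'; IsGroup = $true; Propagate = $true }
    [pscustomobject]@{ Principal = 'CORP\jdoe'; Role = 'ReadOnly'
                       Entity = 'Test-VM01'; IsGroup = $false; Propagate = $false }
)
$sample | Find-BroadPermission | Format-Table -AutoSize

# Against a live vCenter (server name is a placeholder):
#   Connect-VIServer -Server <vcenter-fqdn>
#   Get-VIPermission | Find-BroadPermission
```

`Get-VIPermission` covers permissions set on inventory objects; entries under Access Control > Global Permissions should be reviewed separately.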
