Purpose
This article provides steps to create an Active Directory (Integrated Windows Authentication) identity source that uses the machine account as its service principal name (SPN) when you are unable to use the vSphere Web Client.
Resolution
Currently, with vCenter Single Sign-On (SSO) 5.5, there is no auto-discover feature to automatically query and add applicable identity sources from the environment. As a result, only the local OS (the local machine's users and groups) and the vSphere.local (the internal SSO domain) identity sources are accessible. When SSO 5.1 is upgraded to SSO 5.5, an existing Active Directory identity source, if present, is converted to an Active Directory as an LDAP server identity source.
Prerequisites:
Before you proceed, ensure that:
- SSO 5.5 is installed on your machine.
- The SSO system is joined to the domain.
- You are logged in as a local administrator or root on the SSO system or vCenter Server Appliance.
- Download one of the following files attached to this article:
- vCenter Server for Windows - 2063424_sso-add-native-ad-idp_windows.zip
- vCenter Server Appliance - 2063424_sso-add-native-ad-idp_appliance.zip
- Extract the sso-add-native-ad-idp file from one of the above downloaded zip files.
To create an Integrated Active Directory Identity Source on Windows:
- Open an elevated command prompt. For more information, see Opening a command or shell prompt (1003892).
- Run the following command to determine the installation drive used for vCenter Single Sign-On:
reg query "HKLM\SOFTWARE\VMware, Inc.\VMware Identity Services" /v "InstallPath"
This outputs the SSO installation directory, for example:
HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Identity Services
InstallPath REG_SZ C:\Program Files\VMware\Infrastructure\VMware\CIS\vmware-sso\
- Create a directory named vdcidentitysource on the system drive determined in Step 2. In the following example, this is C:\ .
- Move the sso-add-native-ad-idp file to the directory c:\vdcidentitysource\.
- Run the following command to navigate to the vdcidentitysource directory:
cd c:\vdcidentitysource
- Run this command:
sso-add-native-ad-idp.cmd domain_name
For example:
sso-add-native-ad-idp.cmd vmware.com
Notes:
- To find the domain name to use in the above command, run:
echo %userdnsdomain%
- This creates an Integrated Windows Authentication identity source using your machine account as the SPN.
To create an Integrated Active Directory Identity Source on vCenter Server Appliance:
- Using WinSCP (or any SCP client), connect to the vCenter Server Appliance and upload the sso-add-native-ad-idp.sh file to the /tmp/ directory.
- Connect to the vCenter Server Appliance via SSH. For more information, see Enable or Disable SSH Administrator Login on the VMware vCenter Server Appliance section in the vCenter Server 5.5 and Host Management Guide.
- Run this command to navigate to the /tmp/ directory:
cd /tmp/
- Run the following command to change permissions on the file (execute permission for the owner, chmod 700, is sufficient; 777 also makes the script world-writable):
chmod 777 sso-add-native-ad-idp.sh
- Run the following command to create the identity source:
./sso-add-native-ad-idp.sh domain_name
For example:
./sso-add-native-ad-idp.sh vmware.com
Notes:
- To find the domain name to use in the above command, run:
vpxd_servicecfg ad read | grep DOMAIN
- This creates an Integrated Windows Authentication identity source using your machine account as the SPN.
After completing the preceding procedure, log in to vCenter Server with the Administrator@vSphere.local account and verify that you are able to add users.
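The appliance procedure above passes a domain name from the operator straight to a script and makes that script world-writable. The following wrapper is an added example, not part of the KB article or of VMware's sso-add-native-ad-idp.sh: it reads the domain from the output of vpxd_servicecfg ad read (the DOMAIN=... line format shown is an assumption, with a constructed sample embedded so the functions run offline), validates it before it reaches a command line, and grants the script execute permission for its owner only. The function and variable names are the example's own.

```shell
#!/bin/sh
# Added example (not VMware's code): wrap the appliance steps of the KB
# procedure with input validation and least-privilege file permissions.

# Constructed sample of what "vpxd_servicecfg ad read" might print; the
# key=value layout is an assumption used so this file runs offline.
SAMPLE_AD_READ='VC_CFG_RESULT=0
DOMAIN=corp.example.com
ADMIN=svc-join'

# extract_domain: return the value of the first DOMAIN=... line in the
# text passed as $1 (the captured vpxd_servicecfg output).
extract_domain() {
    printf '%s\n' "$1" | sed -n 's/^DOMAIN=//p' | head -n 1
}

# valid_domain: succeed only for a DNS-style name (labels of letters,
# digits and hyphens joined by dots). Shell metacharacters, spaces and
# empty strings are rejected, so nothing odd is handed to the script.
valid_domain() {
    printf '%s' "$1" | grep -Eq \
        '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)+$'
}

# add_identity_source DOMAIN [SCRIPT]: run the KB script for DOMAIN.
# Returns 2 for an invalid domain, 3 if the script is missing, otherwise
# the script's own exit status. Uses chmod 700 instead of the article's
# chmod 777: execute for the owner is all the step needs.
add_identity_source() {
    idp_domain="$1"
    idp_script="${2:-/tmp/sso-add-native-ad-idp.sh}"
    if ! valid_domain "$idp_domain"; then
        echo "refusing to use '$idp_domain': not a valid domain name" >&2
        return 2
    fi
    if [ ! -f "$idp_script" ]; then
        echo "script not found: $idp_script" >&2
        return 3
    fi
    chmod 700 "$idp_script"
    "$idp_script" "$idp_domain"
}

# Stand-alone run: use the live tool when present, else the sample above,
# and report the detected domain. Pass a domain as $1 to actually invoke
# add_identity_source with it.
if command -v vpxd_servicecfg >/dev/null 2>&1; then
    ad_output="$(vpxd_servicecfg ad read)"
else
    ad_output="$SAMPLE_AD_READ"
fi
detected="$(extract_domain "$ad_output")"
echo "detected domain: ${detected:-<none>}"
if [ $# -gt 0 ]; then
    add_identity_source "$1"
fi
```

On the appliance, source the file and call add_identity_source with the detected domain once you have confirmed it matches the domain the SSO system is joined to; the validation deliberately rejects anything that is not a plain DNS name, so a typo or a pasted command fragment fails before the script is run.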
Source KB