Data Center Virtualization Certification: VCP6.5-DCV Exam Guide

Configure/manage identity sources

This topic was introduced in Objective 1.1; in this section, we cover the Active Directory (AD) case.

To assign vCenter permissions to AD users or groups through the Integrated Windows Authentication identity source, you must first join the PSC to the AD domain. Once joined, AD users can log in to the vCenter Server with their Windows session credentials (SSPI).

The procedure to join the vCenter Server to an AD domain depends on how vCenter and the PSC have been deployed:

  • Embedded PSC: join the vCenter Server to the AD domain
  • External PSC: join the PSC to the AD domain

Only a writable Domain Controller can be used to join the AD domain; a Read-Only Domain Controller (RODC) is not supported.

For a Windows-based vCenter Server or PSC, simply join the Windows machine to the AD domain.

For VCSA, to join the PSC or the vCenter to the AD, follow this procedure:

  1. From the vSphere Web Client, log in with an SSO administrator account (for example, administrator@vsphere.local).
  2. Select Home | Administration | Deployment | System Configuration and choose the node to join (the PSC or the vCenter Server, depending on the deployment).
  3. In the Manage tab, select Advanced | Active Directory, then click Join to enter the details of the AD domain.
  4. Enter the Domain to join and, optionally, the Organizational unit. Specify the AD username in UPN format (username@domain.com); the account needs the privileges to join computers to the domain (or to that OU).
  5. When the process has completed, the joined domain is listed in the Domain field and a new Leave... button is displayed:
Figure 1.24: AD membership
  6. Reboot the node to enable the changes.
  7. When the node is back up, navigate to Configuration | Identity Sources and click Add to open the Add Identity Source wizard.
  8. Select the Active Directory (Integrated Windows Authentication) option and enter the FQDN of the joined domain, if it is not filled in automatically.
  9. Select the Use machine account option to authenticate with the local machine account. If you expect to rename the machine, don't use this option, because the rename breaks authentication; use the Service Principal Name (SPN) option instead. Click OK to confirm the AD domain as the new identity source.
  10. The joined AD domain is now displayed on the Identity Sources tab, and you can assign vCenter permissions to users and groups of that domain.
To prevent authentication conflicts, don't reuse a username that already exists in another identity source, such as OpenLDAP or another Microsoft AD domain.
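The Web Client steps above can also be driven from the appliance's bash shell. The following is an added example written for this section, not code from the book or from VMware: it assumes the Likewise join tool that VCSA ships at /opt/likewise/bin/domainjoin-cli, and that the tool accepts the join account in UPN form (it also accepts a bare sAMAccountName). The function names and the JOIN_DOMAIN, JOIN_UPN, JOIN_OU and DRY_RUN variables are this example's own. By default it only prints the command it would run, so it can be reviewed on a workstation before being executed on the PSC.

```shell
#!/bin/sh
# Added example, not from the book: command-line equivalent of the Web Client
# "Join" step for a VCSA or external PSC, run from the appliance bash shell.
# Assumes the Likewise tool VCSA ships at /opt/likewise/bin/domainjoin-cli.
# JOIN_DOMAIN / JOIN_UPN / JOIN_OU / DRY_RUN are this example's own variables.

DOMAINJOIN=${DOMAINJOIN:-/opt/likewise/bin/domainjoin-cli}
DRY_RUN=${DRY_RUN:-1}          # 1 = print the command only, 0 = execute it

# The join account must be in UPN form (user@domain.com): exactly one '@',
# no spaces, no DOMAIN\user syntax, and a dotted DNS suffix after the '@'.
is_valid_upn() {
  case "$1" in
    *' '*|*\\*|*@*@*) return 1 ;;
    ?*@?*.?*)         return 0 ;;
    *)                return 1 ;;
  esac
}

# Render the join command for review. A third argument places the computer
# object in an OU given as an LDAP DN. The password is deliberately not put
# on the command line (it would land in shell history); domainjoin-cli
# prompts for it interactively.
build_join_cmd() {
  domain=$1; upn=$2; ou=$3
  is_valid_upn "$upn" || { echo "refusing: '$upn' is not in UPN form" >&2; return 1; }
  if [ -n "$ou" ]; then
    printf '%s join --ou %s %s %s\n' "$DOMAINJOIN" "$ou" "$domain" "$upn"
  else
    printf '%s join %s %s\n' "$DOMAINJOIN" "$domain" "$upn"
  fi
}

# Perform (or dry-run) the join, verify membership with 'query', and remind
# the operator of the reboot the procedure requires before the identity
# source can be added.
join_domain() {
  cmd=$(build_join_cmd "$1" "$2" "$3") || return 1
  if [ "$DRY_RUN" != 0 ]; then
    echo "dry run: $cmd"
    return 0
  fi
  if [ -n "$3" ]; then
    "$DOMAINJOIN" join --ou "$3" "$1" "$2"
  else
    "$DOMAINJOIN" join "$1" "$2"
  fi && "$DOMAINJOIN" query \
     && echo "joined; reboot the node before adding the identity source"
}

# Usage, only when the caller sets the variables, for example:
#   JOIN_DOMAIN=corp.example.com JOIN_UPN=svc-join@corp.example.com sh join-vcsa.sh
if [ -n "${JOIN_DOMAIN:-}" ] && [ -n "${JOIN_UPN:-}" ]; then
  join_domain "$JOIN_DOMAIN" "$JOIN_UPN" "${JOIN_OU:-}"
fi
```

Set DRY_RUN=0 only on the node itself; the dry run is the point of the wrapper, since a join performed with the wrong OU or account leaves a computer object behind that must be cleaned up in AD after a Leave.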