Cool Solution - Use VMware Single Sign-On with UCS

From Univention Wiki

Revision as of 11:27, 22 March 2013

Note: This article is not yet reviewed.

Note: Cool Solutions are articles documenting additional functionality based on Univention products. Not all of the shown steps in the article are covered by Univention Support. For questions about your support coverage contact your contact person at Univention before you want to implement one of the shown steps.

Also regard the legal notes at Terms of Service.
UCS Version 3.1

Introduction

VMware vSphere 5.1 provides Single Sign-On (SSO) across a VMware vCenter instance. VMware Single Sign-On expects Microsoft Active Directory as its so-called "Identity Source", but it can also use other types of user repositories. This article describes how to use a UCS 3.1 / Samba 4 domain in place of Microsoft Active Directory.

Prerequisites

Depending on the size of the environment, the number of UCS, Windows and VMware ESXi hypervisor hosts may vary. This article assumes the following minimum configuration:

  • 1 UCS 3.1 Domain Controller Master with Samba 4
  • 1 Windows Server, member of the UCS 3.1/Samba 4 domain, with the following VMware vSphere 5.1 components installed:
      ◦ VMware vCenter Single Sign-On
      ◦ VMware vCenter Inventory Service
      ◦ VMware vCenter Server
      ◦ VMware vSphere Client
      ◦ VMware vSphere Web Client
  • 1 VMware ESXi hypervisor host (optional, but reasonable)

Known Issues

During the installation of VMware vCenter on the Windows Server the following warning might appear:

Warning 29155: The identity source was not identified automatically.

This warning can be ignored. The identity source will be added manually after the installation has finished.

Configuration of VMware vCenter Single Sign-On

Start the "VMware vSphere Web Client" on the Windows Server, or open the Web Client URL in your browser (usually https://your-vCenter-server:9443/vsphere-client).
Log in with the "admin@System-Domain" account that was created during the installation of vCenter Single Sign-On.

[Screenshot: VMware vSphere Web Client]

Note: You need to use "admin@System-Domain". At this point no other account is able to add "Identity Sources", so make sure this account is neither disabled nor deleted. It is a local SSO account, independent of the LDAP directory, so store its password safely.

Go to Administration → Sign-On and Discovery → Configuration → Identity Sources and add a new "Identity Source" (+).


[Screenshots: Administration; Add Identity Source]


A new window will open up. Select Active Directory and enter the desired information:

  • a name for this "Identity Source" (e.g. UCS3-SAMBA4)
  • primary LDAP URL, consisting of the DC Master FQDN or IP address and the LDAP port (e.g. ldap://ucs-master.example.com:389). On a UCS system with Samba 4, port 389 is served by Samba 4's Active Directory-compatible LDAP, which is what the "Active Directory" identity source type expects; the UCS OpenLDAP directory itself listens on port 7389 and is not the right target here. With a plain ldap:// URL the password of the bind user is sent over the network unencrypted, so prefer ldaps://ucs-master.example.com:636 where the SSO server can be made to trust the certificate presented by the Samba 4 LDAP service.
  • Optional: secondary LDAP server, recommended when there is a DC Backup
  • Domain name (e.g. example.com)
  • Domain alias, which is the NetBIOS name of the domain (e.g. EXAMPLE)
  • Authentication Type: Password
  • Username: PrivilegedUser@example.com, a domain user with permission to read the LDAP directory. Use a dedicated account with read access only, not a member of Domain Admins: its password is stored by the SSO server and is only needed for lookups.
  • Password of the above user


[Screenshot: Identity Source configuration]


Change to Administration → Access → SSO Users and Groups → open Groups → add a new group (e.g. VMware Domain Admins) → select this group and click Add Principals

[Screenshots: Add group; Add principals]


A new window opens up: select the "Identity Source" added before (e.g. example.com), search for the desired LDAP group (e.g. Domain Admins), then click Add and OK.

[Screenshot: Principals]
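The following preflight script is an added example; it is not part of the original article and is not tooling from Univention or VMware. It reproduces, with OpenLDAP's ldapsearch, the two lookups vCenter SSO performs against the identity source configured above: a simple bind as the configured bind user and a search for the group that is afterwards added as a principal. It also warns when the URL is not ldaps:// and refuses a disabled bind account. The hostnames, the bind account vcenter-ldap@example.com, the password file and the LDIF sample are constructed for the example; run it from any host with the ldap-utils package and network access to the DC Master.

```shell
#!/bin/sh
# Preflight check for a vCenter SSO "Active Directory" identity source backed
# by UCS / Samba 4. Added example; hostnames, accounts and the LDIF sample are
# constructed, not taken from the article.
#
# usage: sso-preflight.sh LDAP_URL DOMAIN BIND_UPN PASSWORD_FILE GROUP
#   e.g. sso-preflight.sh ldaps://ucs-master.example.com:636 example.com \
#          vcenter-ldap@example.com /root/vcenter-ldap.pw "Domain Admins"

# 0 if the URL uses LDAP over TLS; a plain ldap:// simple bind sends the
# password of the bind account over the network in cleartext.
ldap_url_is_secure() {
    case "$1" in
        ldaps://*) return 0 ;;
        *)         return 1 ;;
    esac
}

# example.com -> DC=example,DC=com (the search base of the Samba 4 domain)
domain_to_basedn() {
    printf 'DC=%s' "$1" | sed 's/\./,DC=/g'
}

# Join LDIF continuation lines (a leading space) back onto their attribute line.
unfold_ldif() {
    awk '/^ / { printf "%s", substr($0, 2); next }
         NR > 1 { printf "\n" }
         { printf "%s", $0 }
         END { printf "\n" }'
}

# Print every value of attribute $1 from the LDIF on stdin.
# (Base64-encoded values, written as "attr:: ...", are not decoded here.)
ldif_attr() {
    unfold_ldif | sed -n "s/^$1: //p"
}

# userAccountControl bit 0x2 is ACCOUNTDISABLE; the bind account must not have it.
uac_disabled() {
    [ $(( $1 & 2 )) -ne 0 ]
}

# Bind as the configured user, check that account, then list the members of
# the group that will be added as a principal. A bind failure here is the same
# failure SSO will hit when it tries to use the identity source.
preflight() {
    url="$1" domain="$2" binduser="$3" pwfile="$4" group="$5"
    ldap_url_is_secure "$url" || \
        echo "WARNING: $url is not ldaps://, the bind password crosses the network unencrypted" >&2
    basedn=$(domain_to_basedn "$domain")

    uac=$(ldapsearch -LLL -x -H "$url" -D "$binduser" -y "$pwfile" -b "$basedn" \
              "(userPrincipalName=$binduser)" userAccountControl | ldif_attr userAccountControl)
    [ -n "$uac" ] || { echo "ERROR: bind worked but $binduser was not found below $basedn" >&2; return 1; }
    uac_disabled "$uac" && { echo "ERROR: $binduser is disabled (userAccountControl=$uac)" >&2; return 1; }

    echo "Members of '$group' as seen by $binduser:"
    ldapsearch -LLL -x -H "$url" -D "$binduser" -y "$pwfile" -b "$basedn" \
        "(&(objectClass=group)(sAMAccountName=$group))" member | ldif_attr member
}

# Constructed ldapsearch output for the group lookup, including one folded
# line, so the parsing can be exercised without a directory server.
SAMPLE_LDIF='dn: CN=Domain Admins,CN=Users,DC=example,DC=com
member: CN=Administrator,CN=Users,DC=example,DC=com
member: CN=Jane Doe,OU=Virtualisation Admins,OU=Staff,DC=example,D
 C=com'

sample_members() {
    printf '%s\n' "$SAMPLE_LDIF" | ldif_attr member
}

if [ "$#" -eq 5 ]; then
    preflight "$@"
else
    echo "No directory given; parsing the constructed sample instead:"
    sample_members
fi
```

The bind is deliberately done with the same simple bind (-x) and the same account SSO will use, so a wrong password, a missing read permission or a disabled account shows up here before it is baked into the vCenter configuration. The userAccountControl check only reflects the state at bind time: as the note further down explains, disabling the account in LDAP later does not end sessions that are already open.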


The chosen users and groups are now able to log in with their domain credentials:

  • username@example.com
  • the user's domain password


When using the VMware vSphere Client (not the Web Client), users can now select "Use Windows session credentials", i.e. the credentials of the domain account they are already logged in to Windows with.

[Screenshot: VMware vSphere Client]


Note: If a user's password is changed or the user is disabled or deleted in your LDAP, this will not affect a session that is already active in the VMware vSphere (Web) Client; the change takes effect at the next login. Treat an LDAP-side disablement as a deferred revocation: to lock a user out immediately, also remove the user's vCenter permission or terminate the user's session in vCenter.

Note: Don't forget to grant the users the right to manage a vCenter server (or single VMs). This can be done via vCenter → your vCenter server → Manage → Permissions → Add permission. Otherwise the users will be able to log in, but won't see any VMs, datacenters or hosts. Assign the role on the smallest object the users actually need (a folder or a single VM rather than the whole vCenter server), and grant it to the groups created above rather than to individual users.
