Configure external identity source for vCenter
In Azure VMware Solution, vCenter has a built-in local user called cloudadmin assigned to the CloudAdmin role. You can configure users and groups in Active Directory (AD) with the CloudAdmin role for your private cloud. In general, the CloudAdmin role creates and manages workloads in your private cloud. But in Azure VMware Solution, the CloudAdmin role has vCenter privileges that differ from other VMware cloud solutions and on-premises deployments.
Important
The local cloudadmin user should be treated as an emergency access account for "break glass" scenarios in your private cloud. It's not for daily administrative activities or integration with other services.
In a vCenter and ESXi on-premises deployment, the administrator has access to the vCenter administrator@vsphere.local account. They can also have more AD users and groups assigned.
In an Azure VMware Solution deployment, the administrator doesn't have access to the administrator user account. They can, however, assign AD users and groups to the CloudAdmin role in vCenter. The CloudAdmin role doesn't have permissions to add an identity source, such as an on-premises LDAP or LDAPS server, to vCenter. However, you can use Run commands to add an identity source and assign the CloudAdmin role to users and groups.
The private cloud user can't access or configure the management components that Microsoft supports and manages, for example clusters, hosts, datastores, and distributed virtual switches.
Note
In Azure VMware Solution, the vsphere.local SSO domain is provided as a managed resource to support platform operations. It doesn't support the creation and management of local groups and users other than those provided by default with your private cloud.
Note
Run commands are executed one at a time in the order submitted.
In this how-to, you learn how to:
- List all existing external identity sources integrated with vCenter SSO
- Add Active Directory over LDAP, with or without SSL
- Add existing AD group to cloudadmin group
- Remove AD group from the cloudadmin role
- Remove existing external identity sources
Prerequisites
Establish connectivity from your on-premises network to your private cloud.
If you have AD with SSL, download the certificate for AD authentication and upload it to an Azure Storage account as blob storage. Then grant access to the Azure Storage resources using a shared access signature (SAS).
If you use FQDN, enable DNS resolution on your on-premises AD.
List external identity
You'll run the Get-ExternalIdentitySources cmdlet to list all external identity sources already integrated with vCenter SSO.
Sign in to the Azure portal.
Select Run command > Packages > Get-ExternalIdentitySources.
Provide the required values or change the default values, and then select Run.
Retain up to: Retention period of the cmdlet output. The default value is 60 days.
Specify name for execution: Alphanumeric name, for example, getExternalIdentity.
Timeout: The period after which a cmdlet exits if taking too long to finish.
Check Notifications or the Run Execution Status pane to see the progress.
Add Active Directory over LDAP with SSL
You'll run the New-AvsLDAPSIdentitySource cmdlet to add an AD over LDAP with SSL as an external identity source to use with SSO into vCenter.
Download the certificate for AD authentication and upload it to an Azure Storage account as blob storage. If multiple certificates are required, upload each certificate individually.
For each certificate, grant access to the Azure Storage resources using a shared access signature (SAS). These SAS strings are supplied to the cmdlet as a parameter.
Important
Make sure to copy each SAS string, because they will no longer be available once you leave this page.
Select Run command > Packages > New-AvsLDAPSIdentitySource.
Provide the required values or change the default values, and then select Run.
Name: User-friendly name of the external identity source, for example, avslap.local.
DomainName: The FQDN of the domain.
DomainAlias: For Active Directory identity sources, the domain's NetBIOS name. Add the NetBIOS name of the AD domain as an alias of the identity source if you're using SSPI authentication.
PrimaryUrl: Primary URL of the external identity source, for example, ldap://yourserver:636.
SecondaryURL: Secondary fall-back URL if there's a primary failure.
BaseDNUsers: Where to look for valid users, for example, CN=users,DC=yourserver,DC=internal. A base DN is needed to use LDAP authentication.
BaseDNGroups: Where to look for groups, for example, CN=group1,DC=yourserver,DC=internal. A base DN is needed to use LDAP authentication.
Credential: The username and password used for authentication with the AD source (not cloudadmin). The user must be in the username@avsldap.local format.
CertificateSAS: Path to the SAS strings with the certificates for authentication to the AD source. If you're using multiple certificates, separate each SAS string with a comma, for example, pathtocert1,pathtocert2.
GroupName: Group in the external identity source that gives cloudadmin access, for example, avs-admins.
Retain up to: Retention period of the cmdlet output. The default value is 60 days.
Specify name for execution: Alphanumeric name, for example, addexternalIdentity.
Timeout: The period after which a cmdlet exits if taking too long to finish.
Check Notifications or the Run Execution Status pane to see the progress.
Add Active Directory over LDAP
Note
We don't recommend this method. Instead, use the Add Active Directory over LDAP with SSL method.
You'll run the New-AvsLDAPIdentitySource cmdlet to add AD over LDAP as an external identity source to use with SSO into vCenter.
Select Run command > Packages > New-AvsLDAPIdentitySource.
Provide the required values or change the default values, and then select Run.
Name: User-friendly name of the external identity source, for example, avslap.local.
DomainName: The FQDN of the domain.
DomainAlias: For Active Directory identity sources, the domain's NetBIOS name. Add the NetBIOS name of the AD domain as an alias of the identity source if you're using SSPI authentication.
PrimaryUrl: Primary URL of the external identity source, for example, ldap://yourserver:389.
SecondaryURL: Secondary fall-back URL if there's a primary failure.
BaseDNUsers: Where to look for valid users, for example, CN=users,DC=yourserver,DC=internal. A base DN is needed to use LDAP authentication.
BaseDNGroups: Where to look for groups, for example, CN=group1,DC=yourserver,DC=internal. A base DN is needed to use LDAP authentication.
Credential: Username and password used for authentication with the AD source (not cloudadmin).
GroupName: Group in your external identity source to give cloudadmin access, for example, avs-admins.
Retain up to: Retention period of the cmdlet output. The default value is 60 days.
Specify name for execution: Alphanumeric name, for example, addexternalIdentity.
Timeout: The period after which a cmdlet exits if taking too long to finish.
Check Notifications or the Run Execution Status pane to see the progress.
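As an added pre-flight check for the New-AvsLDAPSIdentitySource and New-AvsLDAPIdentitySource parameter sets described above (example code, not from this page or from Azure VMware Solution), the Python below validates the values before they're submitted as a Run command: required fields, the ldap/ldaps URL scheme, the shape of the base DNs, the username@domain form of the credential, and, for each CertificateSAS entry, that the SAS URL is https, read-only and not yet expired; a set with no CertificateSAS is flagged as plaintext LDAP. The parameter dictionary, the storage account name, the check time and the SAS query values are constructed sample data.

```python
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlparse

# Constructed sample inputs (not real values): check time and a New-AvsLDAPSIdentitySource parameter set.
CHECK_TIME = datetime(2024, 1, 1, tzinfo=timezone.utc)
GOOD_PARAMS = {
    "Name": "avsldap.local", "DomainName": "avsldap.local", "DomainAlias": "AVSLDAP",
    "PrimaryUrl": "ldaps://dc1.avsldap.local:636", "SecondaryURL": "",
    "BaseDNUsers": "CN=users,DC=avsldap,DC=local",
    "BaseDNGroups": "CN=group1,DC=avsldap,DC=local",
    "Credential": {"username": "svc-vcenter@avsldap.local", "password": "redacted"},
    "CertificateSAS": "https://example.blob.core.windows.net/certs/dc1.cer"
                      "?sv=2022-11-02&sr=b&sp=r&se=2024-02-01T00:00:00Z&sig=constructed",
    "GroupName": "avs-admins",
}

def _check_sas(url, now):
    """Findings for one SAS URL: must be https, carry sig/se, be unexpired and read-only."""
    u = urlparse(url)
    q, out = parse_qs(u.query), []
    if u.scheme != "https":
        out.append(f"SAS {u.netloc}: not https")
    if "sig" not in q or "se" not in q:
        out.append(f"SAS {u.netloc}: missing sig or se (not a SAS URL?)")
    elif datetime.fromisoformat(q["se"][0].replace("Z", "+00:00")) <= now:
        out.append(f"SAS {u.netloc}: expired at {q['se'][0]}")
    if q.get("sp", [""])[0] != "r":  # least privilege: the cmdlet only needs to read the blob
        out.append(f"SAS {u.netloc}: permissions should be read-only (sp=r)")
    return out

def check_identity_source(params, now=None):
    """Return a list of findings for a New-AvsLDAP(S)IdentitySource parameter set; [] means clean."""
    now = now or datetime.now(timezone.utc)
    findings = [f"{f}: required" for f in
                ("Name", "DomainName", "PrimaryUrl", "BaseDNUsers", "BaseDNGroups", "Credential", "GroupName")
                if not params.get(f)]
    findings += [f"{f}: scheme must be ldap:// or ldaps://" for f in ("PrimaryUrl", "SecondaryURL")
                 if params.get(f) and urlparse(params[f]).scheme not in ("ldap", "ldaps")]
    findings += [f"{f}: not a DN (expected attr=value,attr=value,...)" for f in ("BaseDNUsers", "BaseDNGroups")
                 if params.get(f) and not all("=" in p for p in params[f].split(","))]
    user = (params.get("Credential") or {}).get("username", "")
    if user and "@" not in user:
        findings.append("Credential: username must be in the username@domain format")
    sas_list = [s.strip() for s in params.get("CertificateSAS", "").split(",") if s.strip()]
    if not sas_list:  # New-AvsLDAPIdentitySource case: no certificate means the bind is in the clear
        findings.append("CertificateSAS: none given, so this is plaintext LDAP (not recommended)")
    for sas in sas_list:
        findings.extend(_check_sas(sas, now))
    return findings
```

Run the check against the values you intend to paste into the Run command form; an empty list means nothing was flagged, and every finding names the field to fix.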
Add existing AD group to cloudadmin group
You'll run the Add-GroupToCloudAdmins cmdlet to add an existing AD group to the cloudadmin group. The users in this group have privileges equal to the cloudadmin (cloudadmin@vsphere.local) role defined in vCenter SSO.
Select Run command > Packages > Add-GroupToCloudAdmins.
Provide the required values or change the default values, and then select Run.
GroupName: Name of the group to add, for example, VcAdminGroup.
Retain up to: Retention period of the cmdlet output. The default value is 60 days.
Specify name for execution: Alphanumeric name, for example, addADgroup.
Timeout: The period after which a cmdlet exits if taking too long to finish.
Check Notifications or the Run Execution Status pane to see the progress.
Remove AD group from the cloudadmin role
You'll run the Remove-GroupFromCloudAdmins cmdlet to remove a specified AD group from the cloudadmin role.
Select Run command > Packages > Remove-GroupFromCloudAdmins.
Provide the required values or change the default values, and then select Run.
GroupName: Name of the group to remove, for example, VcAdminGroup.
Retain up to: Retention period of the cmdlet output. The default value is 60 days.
Specify name for execution: Alphanumeric name, for example, removeADgroup.
Timeout: The period after which a cmdlet exits if taking too long to finish.
Check Notifications or the Run Execution Status pane to see the progress.
Remove existing external identity sources
You'll run the Remove-ExternalIdentitySources cmdlet to remove all existing external identity sources in bulk.
Select Run command > Packages > Remove-ExternalIdentitySources.
Provide the required values or change the default values, and then select Run.
Retain up to: Retention period of the cmdlet output. The default value is 60 days.
Specify name for execution: Alphanumeric name, for example, remove_externalIdentity.
Timeout: The period after which a cmdlet exits if taking too long to finish.
Check Notifications or the Run Execution Status pane to see the progress.
Next steps
Now that you've learned how to configure LDAP and LDAPS, you can learn more about:
How to configure storage policy - Each VM deployed to a vSAN datastore is assigned at least one VM storage policy. You can assign a VM storage policy in an initial deployment of a VM or when you do other VM operations, such as cloning or migrating.
Azure VMware Solution identity concepts - Use vCenter to manage virtual machine (VM) workloads and NSX-T Manager to manage and extend the private cloud. Access and identity management use the CloudAdmin role for vCenter and restricted administrator rights for NSX-T Manager.