
Use Azure AD as an identity provider for vCenter on CloudSimple Private Cloud

You can set up your CloudSimple Private Cloud vCenter to authenticate with Azure Active Directory (Azure AD) so that your VMware administrators can access vCenter. After the single sign-on identity source is set up, the cloudowner user can add users from the identity source to vCenter.

You can set up your Active Directory domain and domain controllers in any of the following ways:

  • Active Directory domain and domain controllers running on-premises
  • Active Directory domain and domain controllers running on Azure as virtual machines in your Azure subscription
  • A new Active Directory domain and domain controllers running in your CloudSimple Private Cloud
  • The Azure Active Directory service

This guide explains the tasks required to set up Azure AD as an identity source. For information on using on-premises Active Directory or Active Directory running in Azure, see Set up vCenter identity sources to use Active Directory for detailed instructions on setting up the identity source.

About Azure AD

Azure AD is the Microsoft multi-tenant, cloud-based directory and identity management service. Azure AD provides a scalable, consistent, and reliable authentication mechanism for users to authenticate and access different services on Azure. It also provides secure LDAP services so that any third-party service can use Azure AD as an authentication/identity source. Azure AD combines core directory services, advanced identity governance, and application access management, which can be used to give access to your Private Cloud to the users who administer it.

To use Azure AD as an identity source with vCenter, you must set up Azure AD and Azure AD Domain Services. Follow these instructions:

  1. How to set up Azure AD and Azure AD Domain Services
  2. How to set up an identity source on your Private Cloud vCenter

Set up Azure AD and Azure AD Domain Services

Before you get started, you will need access to your Azure subscription with Global Administrator privileges. The following steps give general guidelines; the details are in the Azure documentation.

Azure AD

Note

If you already have Azure AD, you can skip this section.

  1. Set up Azure AD on your subscription as described in the Azure AD documentation.
  2. Enable Azure Active Directory Premium on your subscription as described in Sign up for Azure Active Directory Premium.
  3. Set up a custom domain name and verify it as described in Add a custom domain name to Azure Active Directory.
    1. Set up a DNS record at your domain registrar with the information provided on Azure.
    2. Set the custom domain name to be the primary domain.

You can optionally configure other Azure AD features. They are not required for enabling vCenter authentication with Azure AD.

Azure AD Domain Services

Note

This is an important step for enabling Azure AD as an identity source for vCenter. To avoid problems later, make sure that every step is performed correctly.

  1. Enable Azure AD Domain Services as described in Enable Azure Active Directory Domain Services using the Azure portal.

  2. Set up the network that will be used by Azure AD Domain Services as described in Enable Azure Active Directory Domain Services using the Azure portal.

  3. Configure the Administrator group for managing Azure AD Domain Services as described in Enable Azure Active Directory Domain Services using the Azure portal.

  4. Update the DNS settings for your Azure AD Domain Services as described in Enable Azure Active Directory Domain Services. If you want to connect to AD over the Internet, set up a DNS record that maps the domain name to the public IP address of Azure AD Domain Services.

  5. Enable password hash synchronization for users. This step synchronizes the password hashes required for NT LAN Manager (NTLM) and Kerberos authentication to Azure AD Domain Services. After password hash synchronization is set up, users can sign in to the managed domain with their corporate credentials. See Enable password hash synchronization to Azure Active Directory Domain Services.

    1. If cloud-only users are present, they must change their password using the Azure AD access panel so that their password hashes are stored in the format required by NTLM or Kerberos. Follow the instructions in Enable password hash synchronization to your managed domain for cloud-only user accounts. This step must be done for each individual user and for any new user created in your Azure AD directory with the Azure portal or Azure AD PowerShell cmdlets. Users who require access to Azure AD Domain Services must open their profile in the Azure AD access panel and change their password there.

      Note

      If your organization has cloud-only user accounts, all users who need to use Azure Active Directory Domain Services must change their passwords. A cloud-only user account is an account that was created in your Azure AD directory using either the Azure portal or Azure AD PowerShell cmdlets. Such user accounts are not synchronized from an on-premises directory.

    2. If you are synchronizing passwords from your on-premises Active Directory, follow the steps in the Active Directory documentation.

  6. Configure secure LDAP on your Azure Active Directory Domain Services as described in Configure secure LDAP (LDAPS) for an Azure AD Domain Services managed domain.

    1. Upload a certificate for use by secure LDAP as described in the Azure topic Obtain a certificate for secure LDAP. CloudSimple recommends a certificate signed by a certificate authority so that vCenter can trust it.
    2. Enable secure LDAP as described in Enable secure LDAP (LDAPS) for an Azure AD Domain Services managed domain.
    3. Save the public part of the certificate (without the private key) in .cer format; vCenter needs it when you configure the identity source.
    4. If Internet access to Azure AD Domain Services is required, enable the 'Allow secure access to LDAP over internet' option.
    5. Add an inbound security rule for TCP port 636 to the Azure AD Domain Services NSG.

Set up an identity source on your Private Cloud vCenter

  1. Escalate privileges for your Private Cloud vCenter.

  2. Collect the configuration parameters required for setting up the identity source.

    Option                 Description
    Name                   Name of the identity source.
    Base DN for users      Base distinguished name for users. For Azure AD, use OU=AADDC Users,DC=<domain>,DC=<domain suffix>. Example: OU=AADDC Users,DC=cloudsimplecustomer,DC=com.
    Domain name            FQDN of the domain, for example example.com. Do not provide an IP address in this text box.
    Domain alias           (optional) The NetBIOS name of the domain. Add the NetBIOS name of the Active Directory domain as an alias of the identity source if you are using SSPI authentication.
    Base DN for groups     Base distinguished name for groups. For Azure AD, use OU=AADDC Users,DC=<domain>,DC=<domain suffix>. Example: OU=AADDC Users,DC=cloudsimplecustomer,DC=com.
    Primary Server URL     Primary domain controller LDAP server for the domain. Use the format ldaps://hostname:port. The port is typically 636 for LDAPS connections. When you use ldaps:// in the primary or secondary LDAP URL, a certificate that establishes trust for the LDAPS endpoint of the Active Directory server is required.
    Secondary server URL   Address of a secondary domain controller LDAP server that is used for failover.
    Choose certificate     If you want to use LDAPS with your Active Directory LDAP Server or OpenLDAP Server identity source, a Choose certificate button appears after you type ldaps:// in the URL text box. A secondary URL is not required.
    Username               ID of a user in the domain who has at least read-only access to the Base DN for users and groups.
    Password               Password of the user specified by Username.
  3. Sign in to your Private Cloud vCenter after the privileges are escalated.

  4. Follow the instructions in Add an identity source on vCenter, using the values from the previous step, to set up Azure Active Directory as an identity source.

  5. Add users/groups from Azure AD to vCenter groups as described in the VMware topic Add Members to a vCenter Single Sign-On Group.

Caution

New users must be added only to Cloud-Owner-Group, Cloud-Global-Cluster-Admin-Group, Cloud-Global-Storage-Admin-Group, Cloud-Global-Network-Admin-Group, or Cloud-Global-VM-Admin-Group. Users added to the Administrators group will be removed automatically. Only service accounts may be added to the Administrators group.
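The following Python script is an added example, not code from the CloudSimple or Azure documentation. It derives the Base DN and checks the primary/secondary server URLs from the parameter table in step 2 against the rules that table states (ldaps:// scheme, a host name rather than an IP address, port 636), and it includes a helper that opens a TLS connection to the LDAPS endpoint enabled in step 6 of the previous section, using the exported public certificate as the trust anchor, so you can confirm the chain and host name before pasting the values into vCenter. The domain name, host names, and the service-account name are constructed placeholders, and the function names are my own.

```python
# Added example (not part of the CloudSimple/Azure documentation): derive and
# sanity-check the vCenter identity-source parameters for an Azure AD Domain
# Services managed domain, and optionally verify the LDAPS endpoint's certificate.
# Domain names, host names and account names below are constructed placeholders.
import ipaddress
import socket
import ssl
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Azure AD DS places synchronized users and groups under this OU; the page uses
# the same base DN for users and for groups.
AADDC_USERS_OU = "AADDC Users"
LDAPS_PORT = 636


def is_ip_address(value: str) -> bool:
    """True if value parses as an IPv4/IPv6 literal (not allowed in these fields)."""
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return False
    return True


def base_dn(domain: str) -> str:
    """Build 'OU=AADDC Users,DC=<label>,...' from the managed domain's FQDN."""
    labels = [label for label in domain.strip().rstrip(".").lower().split(".") if label]
    if len(labels) < 2 or is_ip_address(domain.strip()):
        raise ValueError(f"expected an FQDN such as example.com, got {domain!r}")
    return "OU=" + AADDC_USERS_OU + "," + ",".join(f"DC={label}" for label in labels)


def check_server_url(url: str) -> List[str]:
    """Return the problems found in a primary/secondary server URL (empty list if OK)."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "ldaps":
        problems.append("scheme must be ldaps:// so the bind credentials travel over TLS")
    if not parts.hostname:
        problems.append("missing hostname")
    elif is_ip_address(parts.hostname):
        problems.append("use a host name, not an IP address, or the certificate name will not match")
    if parts.port is None:
        problems.append(f"port missing; LDAPS normally uses {LDAPS_PORT}")
    elif parts.port != LDAPS_PORT:
        problems.append(f"port {parts.port} is not the usual LDAPS port {LDAPS_PORT}")
    return problems


def identity_source_params(name: str, domain: str, primary_url: str, username: str,
                           secondary_url: Optional[str] = None) -> Dict[str, str]:
    """Assemble the values for the vCenter identity-source dialog, refusing bad input."""
    problems = [f"primary URL: {p}" for p in check_server_url(primary_url)]
    if secondary_url:
        problems += [f"secondary URL: {p}" for p in check_server_url(secondary_url)]
    if problems:
        raise ValueError("; ".join(problems))
    dn = base_dn(domain)  # raises if the domain is not an FQDN
    params = {
        "Name": name,
        "Base DN for users": dn,
        "Domain name": domain.strip().rstrip(".").lower(),
        "Base DN for groups": dn,
        "Primary Server URL": primary_url,
        "Username": username,
    }
    if secondary_url:
        params["Secondary server URL"] = secondary_url
    return params


def fetch_ldaps_certificate(host: str, port: int = LDAPS_PORT,
                            cafile: Optional[str] = None, timeout: float = 5.0) -> dict:
    """Open a TLS connection to the LDAPS endpoint and return the peer certificate.

    Pass the exported public certificate as cafile (it must be Base-64/PEM; convert
    a DER-encoded .cer first). The handshake then succeeds only if the server's chain
    validates against it and the certificate matches host, which is the same trust
    relationship vCenter needs. Requires network access to port 636.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    params = identity_source_params(
        name="AzureAD",
        domain="cloudsimplecustomer.com",  # constructed example domain
        primary_url="ldaps://ldaps.cloudsimplecustomer.com:636",
        username="svc-vcenter-ldap@cloudsimplecustomer.com",  # hypothetical read-only bind account
    )
    for key, value in params.items():
        print(f"{key:22} {value}")
```

The URL and DN checks run offline; call fetch_ldaps_certificate with the host from the primary URL and the .cer path once the NSG rule for TCP 636 is in place, and a handshake failure there means vCenter will fail in the same way when it tries to bind.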

Next steps