Set up vCenter identity sources to use Active Directory

About VMware vCenter identity sources

VMware vCenter supports different identity sources for authenticating the users who access vCenter. Your CloudSimple Private Cloud vCenter can be set up to authenticate against Active Directory so that your VMware administrators can access vCenter. When the setup is complete, the cloudowner user can add users from the identity source to vCenter.

You can set up your Active Directory domain and domain controllers in any of the following ways:

  • Active Directory domain and domain controllers running on-premises
  • Active Directory domain and domain controllers running on Azure as virtual machines in your Azure subscription
  • A new Active Directory domain and domain controllers running in your Private Cloud
  • Azure Active Directory service

This guide explains the tasks to set up an Active Directory domain and domain controllers running either on-premises or as virtual machines in your subscription. If you would like to use Azure AD as the identity source, refer to Use Azure AD as an identity provider for vCenter on CloudSimple Private Cloud for detailed instructions on setting up the identity source.

Before adding an identity source, temporarily escalate your vCenter privileges.

Note

New users must be added only to Cloud-Owner-Group, Cloud-Global-Cluster-Admin-Group, Cloud-Global-Storage-Admin-Group, Cloud-Global-Network-Admin-Group, or Cloud-Global-VM-Admin-Group. Users added to the Administrators group are removed automatically. Only service accounts may be added to the Administrators group, and service accounts must not be used to sign in to the vSphere web UI.

Identity source options

Important

Active Directory (Windows Integrated Authentication) is not supported. Only the Active Directory over LDAP option is supported as an identity source.

Add on-premises Active Directory as a Single Sign-On identity source

To set up your on-premises Active Directory as a Single Sign-On identity source, you need:

  • A Site-to-Site VPN connection from your on-premises datacenter to your Private Cloud.
  • The on-premises DNS server IP added to vCenter and the Platform Services Controller (PSC), so that both can resolve your domain controllers by name.

Use the information in the following table when setting up the identity source for your Active Directory domain.

Option and its description:

Name
  Name of the identity source.

Base DN for users
  Base distinguished name for users.

Domain name
  FQDN of the domain, for example example.com. Do not enter an IP address in this text box.

Domain alias
  The NetBIOS name of the domain. Add the NetBIOS name of the Active Directory domain as an alias of the identity source if you are using SSPI authentication.

Base DN for groups
  The base distinguished name for groups.

Primary Server URL
  LDAP server of the primary domain controller for the domain.
  Use the format ldap://hostname:port or ldaps://hostname:port. The port is typically 389 for LDAP connections and 636 for LDAPS connections. For multi-domain Active Directory forests, the Global Catalog ports are typically used instead: 3268 for LDAP and 3269 for LDAPS.
  When you use ldaps:// in the primary or secondary URL, a certificate that establishes trust for the LDAPS endpoint of the Active Directory server is required.

Secondary server URL
  Address of a secondary domain controller LDAP server that is used for failover.

Choose certificate
  If you want to use LDAPS with your Active Directory LDAP Server or OpenLDAP Server identity source, a Choose certificate button appears after you type ldaps:// in the URL text box. A secondary URL is not required.

Username
  ID of a user in the domain who has at least read-only access to the Base DN for users and the Base DN for groups. Use a dedicated account with only that read access for this bind rather than a privileged account: vCenter stores the credential, and read access to the two base DNs is all it needs.

Password
  Password of the user specified by Username.

When you have the information in the previous table, you can add your on-premises Active Directory as a Single Sign-On identity source on vCenter.
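The page only describes the form fields. As an added example that is not part of the original page or of the CloudSimple product, the following Python derives the values in the table from a domain FQDN and checks them before you type them into vCenter: base DNs from the FQDN, port selection by scheme and Global Catalog use, the certificate requirement for ldaps://, the NetBIOS length limit on the alias, and a cleartext-bind warning for plain ldap://. The domain example.com, alias EXAMPLE, host names dc1/dc2 and the service-account name are hypothetical, and fetch_ldaps_certificate is a live check that needs the VPN or ExpressRoute path to the domain controller.

```python
"""Added example, not from the Azure/CloudSimple page: derive the values that the
identity-source table asks for from a domain FQDN and check them before entering
them in vCenter. example.com, EXAMPLE and dc1/dc2 are hypothetical names."""
import ipaddress
import ssl
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlparse


@dataclass
class IdentitySource:
    name: str
    domain_name: str             # FQDN of the domain, never an IP address
    domain_alias: str            # NetBIOS name of the domain
    base_dn_users: str
    base_dn_groups: str
    primary_url: str
    username: str                # bind account; read-only on both base DNs suffices
    secondary_url: Optional[str] = None
    certificate_pem: Optional[str] = None   # required as soon as a URL uses ldaps://
    warnings: List[str] = field(default_factory=list)


def _is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def fqdn_to_base_dn(fqdn: str) -> str:
    """example.com -> DC=example,DC=com, the domain root used as a base DN."""
    labels = [l for l in fqdn.strip(".").split(".") if l]
    if len(labels) < 2 or _is_ip(fqdn):
        raise ValueError(f"{fqdn!r} is not a fully qualified domain name")
    return ",".join(f"DC={l}" for l in labels)


def ldap_url(host: str, use_ldaps: bool = True, global_catalog: bool = False) -> str:
    """389/636 for a single domain; 3268/3269 (Global Catalog) for a multi-domain forest."""
    if use_ldaps:
        return f"ldaps://{host}:{3269 if global_catalog else 636}"
    return f"ldap://{host}:{3268 if global_catalog else 389}"


def validate(src: IdentitySource) -> List[str]:
    """Return blocking errors; non-blocking security advice is appended to src.warnings."""
    errors: List[str] = []
    root = None
    if _is_ip(src.domain_name):
        errors.append("Domain name must be the FQDN (for example example.com), not an IP address")
    else:
        root = fqdn_to_base_dn(src.domain_name).lower()
    if len(src.domain_alias) > 15:
        errors.append("Domain alias must be a NetBIOS name (at most 15 characters)")
    for label, dn in (("users", src.base_dn_users), ("groups", src.base_dn_groups)):
        if root and not dn.lower().endswith(root):
            errors.append(f"Base DN for {label} {dn!r} lies outside {src.domain_name}")
    urls = [u for u in (src.primary_url, src.secondary_url) if u]
    for u in urls:
        p = urlparse(u)
        if p.scheme not in ("ldap", "ldaps") or not p.hostname or not p.port:
            errors.append(f"{u}: expected ldap://hostname:port or ldaps://hostname:port")
        elif p.scheme == "ldap":
            src.warnings.append(f"{u}: simple bind over ldap:// sends the bind password "
                                "in cleartext on the wire; prefer ldaps://")
        elif _is_ip(p.hostname):
            src.warnings.append(f"{u}: use the DC hostname so it matches the LDAPS certificate")
    if any(u.startswith("ldaps://") for u in urls) and not src.certificate_pem:
        errors.append("ldaps:// URL given but no certificate to trust the LDAPS endpoint")
    if src.username.split("\\")[-1].split("@")[0].lower() == "administrator":
        src.warnings.append("Bind with a dedicated read-only service account, not Administrator")
    return errors


def build(domain: str, alias: str, dcs: List[str], username: str,
          certificate_pem: Optional[str], use_ldaps: bool = True,
          global_catalog: bool = False) -> IdentitySource:
    """Fill in the table for a domain with one (primary) or two (plus failover) DCs."""
    root = fqdn_to_base_dn(domain)
    return IdentitySource(
        name=domain, domain_name=domain, domain_alias=alias,
        base_dn_users=root, base_dn_groups=root,
        primary_url=ldap_url(dcs[0], use_ldaps, global_catalog),
        username=username,
        secondary_url=ldap_url(dcs[1], use_ldaps, global_catalog) if len(dcs) > 1 else None,
        certificate_pem=certificate_pem)


def fetch_ldaps_certificate(host: str, port: int = 636) -> str:
    """Live check (needs the VPN/ExpressRoute path to the DC): the PEM the DC presents
    on its LDAPS endpoint, which is what you upload under Choose certificate."""
    return ssl.get_server_certificate((host, port))


if __name__ == "__main__":
    src = build("example.com", "EXAMPLE", ["dc1.example.com", "dc2.example.com"],
                username="svc-vcenter-ldap@example.com",
                certificate_pem="<PEM exported from dc1.example.com, constructed placeholder>")
    print(src.primary_url, src.secondary_url, src.base_dn_users)
    print("errors:", validate(src), "warnings:", src.warnings)
```

Run validate before the wizard: an empty error list means the values are internally consistent with the table's rules, and the warnings list carries the advice a reviewer would give (no cleartext bind, no built-in Administrator as the bind account). The live fetch_ldaps_certificate call is the only part that talks to the network.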

Tip

You'll find more information on Single Sign-On identity sources on the VMware documentation page.

Set up a new Active Directory on a Private Cloud

You can set up a new Active Directory domain on your Private Cloud and use it as an identity source for Single Sign-On. The Active Directory domain can be part of an existing Active Directory forest or can be set up as an independent forest.

New Active Directory forest and domain

To set up a new Active Directory forest and domain, you need:

  • One or more virtual machines running Microsoft Windows Server to use as domain controllers for the new Active Directory forest and domain.
  • One or more virtual machines running the DNS service for name resolution.

See Install a New Windows Server 2012 Active Directory Forest for detailed steps.

Tip

For high availability of services, we recommend setting up multiple domain controllers and DNS servers.

After setting up the Active Directory forest and domain, you can add an identity source on vCenter for your new Active Directory.

New Active Directory domain in an existing Active Directory forest

To set up a new Active Directory domain in an existing Active Directory forest, you need:

  • A Site-to-Site VPN connection to the location of your Active Directory forest.
  • A DNS server that resolves the name of your existing Active Directory forest.

See Install a new Windows Server 2012 Active Directory child or tree domain for detailed steps.

After setting up the Active Directory domain, you can add an identity source on vCenter for your new Active Directory.

Set up Active Directory on Azure

Active Directory running on Azure is similar to Active Directory running on-premises. To set up Active Directory running on Azure as a Single Sign-On identity source on vCenter, the vCenter server and PSC must have network connectivity to the Azure Virtual Network where the Active Directory services are running. You can establish this connectivity with an Azure Virtual Network Connection using ExpressRoute from the Azure virtual network where the Active Directory services are running to your CloudSimple Private Cloud.

After the network connection is established, follow the steps in Add on-premises Active Directory as a Single Sign-On identity source to add it as an identity source.

Add an identity source on vCenter

  1. Escalate privileges on your Private Cloud.

  2. Sign in to the vCenter for your Private Cloud.

  3. Select Home > Administration.

  4. Select Single Sign On > Configuration.

  5. Open the Identity Sources tab and click + to add a new identity source.

  6. Select Active Directory as an LDAP Server and click Next.

  7. Specify the identity source parameters for your environment and click Next.

  8. Review the settings and click Finish.