VMware Infrastructure empowers businesses of all sizes and environments to move beyond traditional IT infrastructure boundaries and build a responsive data center that's dynamic, efficient and available. Learn to operate & maintain VMware vSphere 6.5 from a real-world perspective.
Learn more about:
- About the Netcom VMware vSphere Boot Camp
- Two different ways to integrate vSphere with Active Directory - Best Practices: Join Domain vs. AD LDAP
- Adding an AD Identity Source to vCenter 6.5
- Creating a Default vSphere Permission for users in an AD Group
5. Agenda
• Introductions
• About the VMware vSphere 6.5 Boot Camp
• Active Directory for vCenter 6.5
• The evolution of vCenter and Directory-based authentication
• What is VMware vCenter SSO?
• Two ways to integrate vCenter SSO with Active Directory
• Method one: Integrating vCenter with AD using the Machine Account
• Method two: Integrating vCenter with AD using LDAP
6. VMware vSphere 6.5 Boot Camp
Practical VMware Training
• What you need to know to use vSphere
• Current materials
• Real World Best Practices
7. Our Practical vSphere Boot Camp is like no other
• You have your own enterprise-grade VDI for access
• You work live, with your own ESXi Host and vCenter Server
• You get your own LUN/Volume on an Enterprise SAN
• You have 24X7 Access to your lab environment
• Your instructor can see your VDI and help you 1-on-1 during class
• Boot Camp Class
• 6/19/17 – 6/23/17 Las Vegas
8. Real-world lab steps
• These methods are taken directly from the methods we use as consultants in real-world situations
• Every participant in the Boot Camp will have the opportunity to fully participate using their own vCenter!
9. VMware vSphere 6.5 SSO
The evolution of directory-based authentication for VMware vCenter
10. VMware vCenter 5 and before
• VMware vCenter 5 and prior versions were always a subset of a single Active Directory domain
• Active Directory was required to install vCenter
• vCenter Server was a Windows-only service
• Domain Admins of the AD domain were always vSphere Administrators by default!
11. vCenter in the age of Cloud Computing
• vCenter 5.5 and later versions have their own directory called vCenter SSO
• Based on MIT Kerberos (same as AD)
• Fully configurable as a standalone directory with Users and Groups
• Password aging and complexity configuration possible
• Smart Card and two-factor configuration possible
12. Advantages of vCenter SSO
• AD is no longer required to install vCenter
• The main requirement for SSO is functioning forward and reverse DNS
• VMware vCenter is now a potential superset of many AD Domains
• Can add multiple Active Directory Domains and LDAP directories
• External directories are used as Identity Sources
• External directories remain completely independent
• Domain Admins no longer receive vCenter Administrator permission by default
• Only one SSO administrator is created during installation
• You add other users and Identity sources at your discretion.
14. Method 1: Using the Machine Account
• Possible with both Windows vCenter and VCSA Appliance (Linux)
• Host Operating System must be joined to the domain
• Creates a dependency between the Host Operating System where vCenter runs and the AD Domain
15. Method 1: Using the Machine Account
• Join the Domain
1. In the Navigator bar on the left side of the screen, click on Administration.
16. Using the Machine Account with SSO
2. Now click on System Configuration
24. Method 2: Using Active Directory LDAP
• Possible with both Windows vCenter and VCSA Appliance (Linux)
• Host Operating System does not need to be joined to the domain
• Does not create a dependency between the Host Operating System where vCenter runs and the Domain
• All LDAP Identity sources remain completely independent
• Many fewer steps overall
25. Method 2: Using Active Directory LDAP
1. In the Web-Client, click on Home and then on Administration
26. Using Active Directory as an LDAP Server
2. Now click on Configuration and then on Identity Sources
a. Click the +
32. SSO Global Permissions
2. It’s now possible to add Users/Groups/OUs from the configured Domain(s)
a. Choose the AD Domain/LDAP Directory
b. Locate the User/Group
c. Click Add
d. Click OK
33. SSO Global Permissions
3. And assign any/all desired Roles
a. Select the Role (Administrator)
b. Click Add
c. Click OK
34. vCenter SSO
• No matter if it is a Windows vCenter, VCSA, Domain-joined or LDAP
• You can now log in with directory credentials
• BEST PRACTICE: Do not “Use Windows Session authentication”
• BEST PRACTICE: Enter username in UPN format: user@domain.tld
35. Upcoming vSphere Classes Webinars
• Webinars
• Boot Camp Class
• 6/19/17 – 6/23/17 Las Vegas
• 8/14/17 – 8/18/17 New York
36. Watch the Live Demonstration
Watch the recorded webinar here!
37. Recommended Courses
NetCom Learning offers a comprehensive portfolio of VMware vSphere training options. Please see below the list of recommended courses:
VMsources VMware vSphere 6.5 Infrastructure Deployment Prep Boot Camp
Check out more VMware vSphere training options with NetCom Learning – CLICK HERE
38. Our live webinars will help you touch on a wide variety of IT, soft skills and business productivity topics, and keep you up to date on the latest IT industry trends.
Register now for our upcoming webinars:
Raise your defenses against Malware & Ransomware attacks – May 8
Understanding the Windows Server Administration Fundamentals (Part-1) – June 13
Microsoft Word Power Shortcuts & Tips (Part-2) – June 15
Your Quick Guide to PMP Certification and Examination – June 20
Understanding the Windows Server Administration Fundamentals (Part-1) – June 27
39. Special Promotion
Whether you're learning new IT or Business skills, or you are developing a learning plan for your team, now you can register for our Guaranteed to Run classes with confidence.
From Microsoft, to CompTIA, to CISSP; all classes delivered by top-notch instructors in in-person Instructor-led Classroom or Live Online.
Learn more»
40. Special Promotion
Is the internet secure? It becomes a matter of deep introspection whether the internet remains a safe place for us with all our personal and official data on it.
Take a proactive stance on security. It is time to wake up and begin preparing a defense for the future. Acquire the skillset and become a certified cybersecurity professional.
Learn more»
41. Special Promotion
Trial Version & 10% First Time User discount on Soft Skills E-Learning Courses
(Limited Period Offer, Register NOW)
Log onto www.sarderlearning.com
Coupon Code: SARDER10
42. 3500+ Byte-Size Videos | 200+ Mentors | 100+ Courses
Course Categories
• Leadership-focused programs across Functions, Management levels, & Industries
• Business Productivity programs enabling professionals to master the latest concepts
• Soft skills programs ensuring the basics of management success
• Best-selling-book-focused programs covering all aspects of professional & personal lives
• Premium programs such as Board-Series
Anywhere, Anytime Learning across Devices & Operating Systems
www.sarderlearning.com
43. Media Platform with a blend of Charlie Rose & TED
Headquartered in New York, the platform publishes Exclusive High Quality Video Content from Fortune 1000 Corporate Leaders, Best Selling Authors & Ivy League Professors.
With a purpose to "Promote Learning", the Platform is based on the Core values of Continuous Learning, Innovation & Performance.
Get the latest insights on Management, Strategy, Marketing, Sales, Innovation and Entrepreneurship.
www.sardertv.com
To get the latest insights on the Business World
44. To get latest technology updates, please follow our social media pages!
46. THANK YOU !!!
We manage learning.
“Building an Innovative Learning Organization. A Framework to Build a Smarter Workforce, Adapt to Change, and Drive Growth”. Download now!
Editor's Notes
Welcome to Netcom Learning’s VMware vSphere Webinar series
Today we’re going to introduce ourselves, then tell you just a little bit about our VMware vSphere Boot Camp
And then jump right into the topic: Active Directory for VMware vSphere
First, we’ll explain what VMware vCenter SSO is
Then we will show you two ways to integrate your vCenter with Active Directory
Our practical, real-world VMware training is designed specifically to teach what you need to know to install, run, maintain and update VMware vSphere.
Our Boot Camp materials are current to the most recent release of VMware vSphere and always have an emphasis on Best Practices and Real world techniques.
In class we teach you how to use, manage and diagnose VMware vSphere as a whole and do not fixate on the most expensive options and features available to only a percentage of users.
During class, each student has access to real (physical) servers in a real data center, where you will build your own VMware vSphere environment.
At every stage of the process, you will be working live, with equipment specifically assigned to you for the duration of class.
You’ll have 24 by 7 access to your resources in the class lab, and you can request up to two additional weeks of access to your lab at NO EXTRA COST!
Bottom line is: If you need to improve your skills with VMware vSphere, there’s no better choice than the Netcom VMware vSphere Boot Camp!
The procedures and methods we are going to go over in this webinar were taken right from our experience as active consultants.
In class, you will have the opportunity to explore both methods of using AD with vCenter, using your own vCenter Server!
VMware vCenter 5 and prior versions were Windows-only applications that required Active Directory to install.
Domain Admins of the AD Domain where vCenter was installed, became vCenter Administrators by default.
As you can imagine, in larger organizations with multiple “silos,” AD administrators may not be qualified on VMware and VMware admins may not be authorized for AD administration.
VMware vCenter SSO was actually introduced with version 5.1, but it was a non-functional mess with plaintext passwords and complex installation requiring manual creation of database tables in SQL!
Beginning with vCenter 5.5, VMware vCenter SSO became fully-functional as an independent implementation of MIT Kerberos.
In SSO, it is possible to create Users and Groups, just like any other directory.
It’s also possible to configure aging, password complexity, and two-factor authentication to be compliant with most any standard, such as SSAE 16 and ISO 27001.
One of the notable advantages of vCenter 5.5 and later versions is that Active Directory is no longer required as a prerequisite for installation, only functioning forward and reverse DNS.
This means non-Windows shops no longer have to keep one or two licensed editions of Windows Server just to run vSphere!
The biggest advantage is that VMware vCenter Server is no longer a subset of a single AD Domain, but potentially a superset of many AD Domains, all authenticating against vCenter SSO independently.
Moreover, the VMware vCenter SSO administrator is created at the time of installation (administrator@vsphere.local or other TLD you create), and is the ONLY default vCenter administrator.
In larger organizations, this is very important, because Domain Administrators not qualified on VMware, will not be granted default access.
The most common, yet disadvantageous, method of integrating VMware vCenter SSO and AD is by using the Machine Account of the vCenter Server.
This means, joining either the Windows OS or the SUSE Linux OS to the AD Domain where it is hosted.
Joining a Windows server to a Domain is common-practice. Joining the VCSA to a Domain is easy and done entirely in the GUI. Both require a reboot.
The problem is that this creates a potential “chicken-and-egg” dependency between the AD Domain and the Operating System where vCenter Server is hosted.
You wouldn’t want to encounter a situation where AD had failed and you couldn’t access vCenter to recover it!
To join the VCSA to an AD Domain, click on: Administration
Then click on: System Configuration
Click on: Nodes
Then locate your vCenter node. Most likely, it will be the only choice.
Enter credentials authorized to join the AD Domain, preferably in UPN format
And reboot your VCSA
After the system has rebooted, choose: Configuration
Then click the tab: Identity Sources
Now choose: Active Directory (Integrated Windows Authentication), followed by: Finish
Your vCenter and Active Directory are now integrated, but we have yet to create a default permission
The best way to integrate vCenter SSO with Active Directory (or any directory) is to use LDAP/LDAPS
In this way, vCenter becomes a client of the directory(ies) that need to authenticate against vCenter
No dependencies are created, and vCenter can run entirely independently of any domain
Click on: Administration
Choose: Configuration then click the tab: Identity Sources
Now choose: Active Directory as an LDAP Server
Enter all of the information in LDAP format, as we show you in the screenshot. If DNS is working correctly, you will not need to provide the address of a specific LDAP Server.
Your vCenter is now integrated with one AD Domain. You can add more if required or desirable simply by repeating the process.
To use Active Directory, however, we must create a default permission.
Once the connection between vCenter and AD is established, no matter how it is created, the steps to create the first Global Permission allowing users of that directory to manage vCenter are the same.
Click on: Global Permissions
Then choose the tab: Manage
And finally, click on the: +
Now you can choose the AD Domain
Followed by searching or browsing for the user/group you would like to add
Then click on: Add
And finally: OK
Once the Directory user is added, you choose the Role, which will allow the user limited or total access to the vCenter Server.
In class, we go over how to create and use Roles in detail, to delegate authority to Silos such as “desktop support” or “Linux”, as well as to create completely independent multi-tenancy environments.
Now you are ready to use your directory!
We recommend never using “Use Windows Session Credentials”, as it requires the “Client Integration Plugin” in the browser, which has had numerous documented vulnerabilities.
We recommend using UPN format usernames wherever possible, in vSphere and in general IT practice.
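The LDAP method above depends on three things the webinar calls out: forward and reverse DNS that agree, an LDAP/LDAPS connection to the domain, and a UPN-format account. The following pre-flight check is an added example, not NetCom or VMware code; the zone records, hostnames and identity-source field values are constructed for illustration, and the field names follow the "Active Directory as an LDAP Server" form in the Web Client.

```python
from urllib.parse import urlparse

# Constructed lab zone data (not real infrastructure): the A records and PTR
# records that vCenter SSO's "functioning forward and reverse DNS" prerequisite needs.
FORWARD = {"vcsa.lab.example.com": "10.0.0.10", "dc01.lab.example.com": "10.0.0.5"}
REVERSE = {"10.0.0.10": "vcsa.lab.example.com", "10.0.0.5": "dc01.lab.example.com"}

# Constructed identity-source forms mirroring the Web Client fields (hypothetical values).
GOOD_SOURCE = {"domain": "lab.example.com", "users_base_dn": "CN=Users,DC=lab,DC=example,DC=com",
               "groups_base_dn": "DC=lab,DC=example,DC=com", "username": "svc-vcenter@lab.example.com",
               "primary_url": "ldaps://dc01.lab.example.com:636", "certificate": "<dc01 cert PEM>"}
BAD_SOURCE = dict(GOOD_SOURCE, username="LAB\\svc-vcenter", primary_url="ldap://dc01.lab.example.com",
                  users_base_dn="OU=People,DC=corp,DC=example,DC=com")

def dns_consistent(fqdn, forward=FORWARD, reverse=REVERSE):
    """True only when A and PTR records round-trip: fqdn -> ip -> the same fqdn."""
    ip = forward.get(fqdn.lower())
    if ip is None:
        return False
    return reverse.get(ip, "").lower() == fqdn.lower()

def domain_to_base_dn(domain):
    """lab.example.com -> DC=lab,DC=example,DC=com, the root the Base DN fields must sit under."""
    return ",".join(f"DC={label}" for label in domain.strip(".").split("."))

def is_upn(username):
    """Webinar best practice: user@domain.tld rather than DOMAIN\\user."""
    local, sep, domain = username.partition("@")
    return bool(sep and local and "." in domain) and "\\" not in local

def check_identity_source(src):
    """Return findings for one LDAP identity-source form; an empty list means ready to add."""
    findings = []
    if not is_upn(src["username"]):
        findings.append("bind username is not in UPN format")
    url = urlparse(src.get("primary_url", ""))
    if url.scheme and url.scheme != "ldaps":
        findings.append("primary URL is not ldaps://; a plain ldap:// simple bind sends the password in clear")
    elif url.scheme == "ldaps" and not src.get("certificate"):
        findings.append("ldaps:// selected but no domain-controller certificate supplied")
    if url.hostname and not dns_consistent(url.hostname):
        findings.append(f"forward/reverse DNS disagree for {url.hostname}")
    root = domain_to_base_dn(src["domain"]).upper()
    for key in ("users_base_dn", "groups_base_dn"):
        if not src[key].upper().endswith(root):
            findings.append(f"{key} is not under {root}")
    return findings
```

Leaving the primary URL empty corresponds to "connect to any domain controller in the domain", which is why the URL checks are skipped in that case.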
Don’t Forget, we have a Boot Camp in just TWO Weeks in Las Vegas,
Followed by a class on August 14 in New York City
Further, if you're interested in “Learning from the Top American Leaders”, please log on to the e-learning platform - www.sarderlearning.com. Take advantage of the special promotion meant for FIRST TIME USERS. Use your coupon code – SARDER10 and begin your leadership journey. Now!!
Sarder Learning is a micro-learning knowledge platform that brings the world’s best Fortune 500 companies' CXOs, Ivy League professors and best-selling authors together to share industry-wide best practices related to leadership & management. Sarder Learning has a rapidly growing course library under 13 different categories, relevant across multiple domains, with well-defined specific learning paths and scenario-based learning. An intuitive and responsive learning management system environment makes it easy to track one’s learning journey and take courses at your convenience.
To get your dose of the Latest Business Insights FROM Corporate America, log on to Sardertv.com. Don’t forget to register for our newsletter.
I’d like to thank the team members that were part of this webinar:
Swedha
Sarah
Gaurav
Ben
Ankuna
Vashali
Special thanks to Chief Engineer Mina Henery from IBM Germany for his valuable support