Cloud Lab-15: How to Build a vSphere Environment – “vCenter User Management and Identity Source”

Before we start building our cloud environment on the basis of our previous Lab posts, let's quickly recall what we have covered so far.

Install Active Directory and DHCP Server
Install CA and NTP Server
Install Syslog Server
Install SQL Server and Virtual SAN (openfiler)
Install Management Server
Install Management, RG vCenters and ESXi Servers
Configure Maintenance Schedule for vCenter DBs
Install Signed Certificate for vCenter and ESXi From Microsoft CA

Now let's move on and start building our cloud environment.

LAB-15 TASKS

In this Lab we will perform the following tasks:

  1. Active Directory Environment configuration for vCenter Rights
  2. vCenter Basic Configuration
  3. Configure vCenter Identity Source (domain)
  4. Add another SSO Administrator in vCenter
  5. Assign vCenter Permissions/Roles

1-Active Directory Environment configuration for VCenter Rights

Now we have installed vCenter, which will be used for management of our cloud environment. In production there might be different admins for vCloud and vSphere, so you have to give them access accordingly. In my lab I will give you a tour of how you can create this type of structure.

Log in to your Active Directory server (cloud-ad.vmlab.com). Go to “Administrative Tools -> Active Directory Users and Computers” or type “dsa.msc” at your command prompt.

In this demo I am going to create a basic structure (users/groups) for the vCenter environment and give them permissions accordingly. OK, let's start.

First of all, I am going to create an OU (Organizational Unit, i.e. a container), so we can easily separate our user/group structure.

Right click on the Active Directory root (vmlab.com) -> New -> Organizational Unit.

cloudlab15-ADbasesetupforcloud-1

Give the OU a name; in my case I am using “cloud-Mgmt”. You can choose whatever you like.

The next step is to create some users/groups in this OU. First, I am going to create a vCenter admin user. Right click the OU -> New -> User

cloudlab15-ADbasesetupforcloud-4

Provide the user information; in my case the user name is “VC.admin@vmlab.com” -> click “Next”

cloudlab15-ADbasesetupforcloud-5

Set the password for the user and tick “Password never expires”. In production this might not be a good choice -> Click “Next” and your “vc.admin” user is created.

*NOTE: Repeat the same steps for the other users if you have multiple admins in your domain*

Now create a “vCenter admin” group which contains all our admin users. It is always good practice, and easier, to grant access to a group rather than to individual users, unless you have a special use case.

Right click the Cloud-Mgmt OU -> New -> Group

cloudlab15-ADbasesetupforcloud-6

Provide a group name; in my case I am using “vCenterAdmins”. Click “OK”

cloudlab15-ADbasesetupforcloud-7

Now add users to this group. In my case, I am going to add the vc.admin@vmlab.com user which I created earlier.

Double click on the group -> Members -> Add -> enter the name of the user -> click “OK” twice.

cloudlab15-ADbasesetupforcloud-8

*NOTE: Repeat the same steps for other cloud admin users*

Here is the final structure's look and feel (you can define it according to your use case)

cloudlab15-ADbasesetupforcloud-9
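The same OU, user and group structure in scripted form, as an added example that is not part of the original post. It uses the ActiveDirectory PowerShell module on the domain controller; the OU, user and group names are the lab's, the vCenterUsers group (referenced later in the post) is created alongside vCenterAdmins, the password value is a constructed placeholder, and the “never expires” setting is an explicit parameter so that the lab choice is opt-in rather than the default:

```powershell
# Added example: scripted equivalent of the AD steps in this lab (not the post's own code).
# Requires the ActiveDirectory module (RSAT or a domain controller) and a domain admin session.
Import-Module ActiveDirectory

$DomainDN   = 'DC=vmlab,DC=com'          # lab domain from the post
$OuName     = 'cloud-Mgmt'
$OuDN       = "OU=$OuName,$DomainDN"
$AdminGroup = 'vCenterAdmins'
$UserGroup  = 'vCenterUsers'             # used in section 5 of the post

# 1. Container that keeps all cloud-management identities separate from the rest of the domain.
if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$OuName)" -SearchBase $DomainDN)) {
    New-ADOrganizationalUnit -Name $OuName -Path $DomainDN -ProtectedFromAccidentalDeletion $true
}

# 2. Security groups. vCenter permissions are later granted to these, never to individual users.
foreach ($g in $AdminGroup, $UserGroup) {
    if (-not (Get-ADGroup -Filter "Name -eq '$g'" -SearchBase $OuDN)) {
        New-ADGroup -Name $g -SamAccountName $g -GroupScope Global -GroupCategory Security -Path $OuDN
    }
}

# 3. Admin user. -NeverExpires $true reproduces the lab setting; the default here is $false so that
#    admin accounts follow the domain password policy, which is what you want in production.
function New-LabAdminUser {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][securestring]$Password,
        [string]$Group = $AdminGroup,
        [bool]$NeverExpires = $false
    )
    $upn = "$SamAccountName@vmlab.com"
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$SamAccountName'")) {
        New-ADUser -Name $SamAccountName -SamAccountName $SamAccountName -UserPrincipalName $upn `
                   -Path $OuDN -AccountPassword $Password -Enabled $true `
                   -PasswordNeverExpires $NeverExpires -ChangePasswordAtLogon (-not $NeverExpires)
    }
    Add-ADGroupMember -Identity $Group -Members $SamAccountName
}

# Constructed placeholder password; in practice prompt for it (Read-Host -AsSecureString).
$pw = ConvertTo-SecureString 'Replace-Me-Lab-Only!' -AsPlainText -Force
New-LabAdminUser -SamAccountName 'vc.admin' -Password $pw -NeverExpires $true   # as in the lab

# 4. Verify the result: this is what the OU screenshot in the post shows.
Get-ADGroupMember -Identity $AdminGroup | Select-Object Name, SamAccountName, objectClass
```

Run it once as a domain admin; every step checks for an existing object first, so re-running it is safe. Further admins are added by calling New-LabAdminUser again, which is the scripted form of the “repeat the same steps” notes above.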

Enough with the AD side. Now let's move to the “vCenter Web Client” and give permissions to these users/groups.

2-vCenter Basic Configuration

Open the Web Client; in my case it is https://vc-rg.vmlab.com:9443/vsphere-client.

You are probably wondering why I chose the Web Client instead of the old classic vSphere Client. It is because of two reasons:

  1. You can only add SSO administrators from the Web Client.
  2. It is the future client for vSphere administration. Get used to it.

Provide the SSO administrative user/password which you set during installation. The default user name for SSO in vCenter 5.5 is administrator@vsphere.local

3-Configure vCenter Identity Source (domain)

Before we add any new administrator users, let's get vCenter SSO tied in to our local LDAP directory. In my lab, that's Active Directory.

Click on “Administration” in the left-hand menu

cloudlab15-ADbasesetupforcloud-10

Navigate to vCenter Servers > Administration > Single Sign-On -> Configuration -> click “+” to add

cloudlab15-ADbasesetupforcloud-11

VMware has simplified the addition of an Active Directory domain as an Identity Source by using the machine account of the vCenter SSO machine to authenticate (and it works great!)

cloudlab15-ADbasesetupforcloud-12

Configure the settings as highlighted above -> Click “OK”

cloudlab15-ADbasesetupforcloud-13

Once you've added your new Identity Source, set it as the “Default Domain”.

cloudlab15-ADbasesetupforcloud-14

4-Add another SSO Administrator in vCenter

Navigate to vCenter Servers Home Page > Administration > Single Sign-On -> Users and Groups -> Groups -> select the Administrators group -> click “+” to add

Select your domain (vmlab.com) -> vCenterAdmins -> Add -> OK

cloudlab15-ADbasesetupforcloud-15

Verify the user.

cloudlab15-ADbasesetupforcloud-16

After this step we would assume that the group added above now has full SSO administration permissions. But if you log in to vCenter using the vSphere Web Client, you will get the issue mentioned in the note below:

*NOTE: vCenter Server is not listed in the inventory after installing or upgrading to vSphere 5.5 (KB 2059528)*

Solution:

Navigate to vCenter Servers > Manage > Permissions, click on the “+” to add a user/group.

Add your domain admin group/user (in my case vCenterAdmins) with the Administrator role at the vCenter level as well.

cloudlab15-ADbasesetupforcloud-17

Now log in with the newly added vCenter SSO administrator and verify the permissions.

cloudlab15-ADbasesetupforcloud-18

cloudlab15-ADbasesetupforcloud-19

*NOTE: An SSO administrator has full administrative rights on vCenter and on every other vSphere product that integrates with vCenter*

5-Assign vCenter Permissions/Roles

In this section we are going to assign different roles/permissions at the vCenter level to the AD users which we created above.

Navigate to vCenter Servers > Manage > Permissions, click on the “+” to add a user.

cloudlab15-ADbasesetupforcloud-20

Assign a role; in my case it is “Virtual machine user (sample)”. Click “Add”

cloudlab15-ADbasesetupforcloud-21

From Domain select “VMLab”, search for the user group (vCenterUsers) which we created earlier, click “Add” -> click “OK” twice.

cloudlab15-ADbasesetupforcloud-22

Click “OK”, then verify the user/group and role.

cloudlab15-ADbasesetupforcloud-23

Now log out and log in with any user which is in the “vCenterUsers” group to verify the permissions.
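Both vCenter-level permission steps, the KB 2059528 “Solution” (vCenterAdmins as Administrator at the vCenter root) and the section 5 assignment (vCenterUsers with the restricted sample role), in one scripted PowerCLI example. This is added here and is not the post's own code. It assumes PowerCLI is installed, that the identity source registered the domain as VMLAB (the domain shown in the post's screenshots), and that the built-in role behind “Virtual machine user (sample)” carries the API name VirtualMachineUser (assumption; check with Get-VIRole if your role list differs):

```powershell
# Added example: PowerCLI equivalent of the permission steps in sections 4 and 5 (not the post's code).
# Older PowerCLI versions load via Add-PSSnapin VMware.VimAutomation.Core instead of Import-Module.
Import-Module VMware.VimAutomation.Core

$vc = Connect-VIServer -Server 'vc-rg.vmlab.com'      # vCenter FQDN from the post; prompts for credentials

# "vCenter level" in the post is the root folder of the inventory.
$root = Get-Folder -NoRecursion -Server $vc

# AD principal -> vCenter role. Groups carry the NetBIOS prefix of the identity source (assumed VMLAB).
# Admins get the built-in Administrator role (this is the KB 2059528 fix: SSO admin group membership
# alone grants nothing in the vCenter inventory); ordinary users get the restricted sample role.
$assignments = @(
    @{ Principal = 'VMLAB\vCenterAdmins'; Role = 'Admin' },
    @{ Principal = 'VMLAB\vCenterUsers';  Role = 'VirtualMachineUser' }   # "Virtual machine user (sample)", assumed API name
)

function Set-LabPermission {
    param(
        [Parameter(Mandatory)][string]$Principal,
        [Parameter(Mandatory)][string]$RoleName
    )
    $role = Get-VIRole -Name $RoleName -Server $vc
    # Re-use an existing entry for the principal instead of stacking duplicates.
    $existing = Get-VIPermission -Entity $root -Principal $Principal -Server $vc -ErrorAction SilentlyContinue
    if ($existing) {
        Set-VIPermission -Permission $existing -Role $role | Out-Null
    } else {
        # Propagate so the permission flows down to datacenters, clusters and VMs.
        New-VIPermission -Entity $root -Principal $Principal -Role $role -Propagate $true | Out-Null
    }
}

foreach ($a in $assignments) { Set-LabPermission -Principal $a.Principal -RoleName $a.Role }

# Verification step from the post: one row per principal at the root, with role and propagation.
# Anything beyond the expected two group entries is worth a second look.
Get-VIPermission -Entity $root -Server $vc | Select-Object Principal, Role, Propagate, IsGroup

Disconnect-VIServer -Server $vc -Confirm:$false
```

The final Get-VIPermission listing is the same view as the Manage > Permissions screenshots, and the log-out/log-in check at the end of this section still applies: a vCenterUsers member should see only the rights of the sample role, not the Administrator rights of the vCenterAdmins group.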
