ESX Virtualization

VMware ESXi, vSphere, VMware Backup, Hyper-V... how-to, videos....

VCSA 5.5 Installation and configuration – Part 2

By | Last Updated:

Shares

In the first part of the article we simply deployed the vCenter 5.5 VM from the OVF file – vCenter Server 5.5 Linux Appliance – Install/config ESXi 5.5 . Fast and efficient. While we successfully integrated the VCSA to the Windows domain and we could see the computer account in the AD, we still had to log in with the default VMware credentials (root/vmware) to the VCSA. Now it's time to finish the configuration and allows the possibility to use Single Sign-On and centralized logins by leveraging Windows AD. So that's why this article about VCSA 5.5 Installation and configuration – part 2.

VCSA 5.5 Installation and configuration – The configuration steps:

01. Login to the VCSA  appliance with login:  [email protected] pass: vmware (this is the default domain which is created by default – it's built-in the VCSA 5.5)

Go to Administration > Single Sign-On > Configuration

By default you see the default vSphere.local domain and localOS authentication that are those default ones.

vSphere 5.5 configuring SSL and SSO centralized logging

02. Click the Plus sign > Select Active Directory (integrated Windows Authentication)

You'll see a screen like the one below, where when you select the radio button for the AD authentication (first option) my lab domain got pre-populated there

vSphere 5.5 vCenter VCSA configuring SSL and centralized management

Now when this done you should end up with a screen like the one below. An additional Identity source has been added – our lab.local domain. Good, but that's not finish. It still require one more step.

vSphere 5.5 and configuring Windows Active directory authentication

03. Click the Groups TAB, then Select Administrators group. Then see the image for additional steps. I'm using my own AD account called Vladan, which is member of the Domain Administrators group in my Windows domain.

VCSA configuration

04. Next you have to give that user a permission to administer the top level objects in vCenter. You'll have to:

click vCenter > Select vCenter server > click again on the name of your vcenter server (see screenshot)

vcenter

Next you'll see a view like this. You click on Manage TAB > Permissions > Click the green Plus button and Click the Add button.

vcsa-config

You can then select from the drop-down list your domain and choose the user you want to give him a permission. After validation, the user appears like this:

vladan-user
Once done, you can log out, and log back in with [email protected] as an account… -:)

vSphere 5.5 configuration VCSA for Windows Based AD authentication

Now what if you want to give a less privileges to a user or a group of users?

You can of course add not only users, but also groups from AD. And you can add users/groups with less privileges if you want them just to manage some VMs. For example I've created (in my AD) a group called Students and put an AD account called student. I want this user only to use a VM, but nothing else..

Now I can easily attach this group to an existing template (virtual machine user) .Just click the High resolution graphic to see the details. I think you get the point…

Assigning less priviledges to a user (group)

And we can verify that the user cannot delete our VM….

Virtual Machine User - cannot delete a VM

Now, this is not new in vSphere 5.5. The administration of users, groups, and roles is part of the vSphere since the beginning. But the web based interface make doing things a slightly different ways, so I don't thinks its a bad to re-hash a bit…-:) Plus, there is still new folks which are just starting with IT, virtualization, and learning more about VMware techologies. That's why also this post was born.

Feel free to subscribe to our RSS feed or follow me on Twitter: @vladan

Did you like this post? SHARE it through any of those social networks -:).

Shares
4/5 - (1 vote)

About Vladan SEGET

This website is maintained by Vladan SEGET. Vladan is as an Independent consultant, professional blogger, vExpert x16, Veeam Vanguard x9, VCAP-DCA/DCD, ESX Virtualization site has started as a simple bookmarking site, but quickly found a large following of readers and subscribers.

Connect on: Facebook. Feel free to network via Twitter @vladan.

Comments

  2. arucard says

    Hi,

    I’ve just installed vcenter 5.5 appliance and when trying to configure users from AD DS (on SSO -> Users and Groups, click on Groups then Administrators and on bottom i’ve icon with plus) got screen Add Principals, and when changing domain to my AD DS domain i have empty list and got alert: Cannot load the users for the selected domain.
    Why? What i’ve done wrong?

    • Yvan says

      Hey arucard

      I had the exact same message. “Cannot load the users for the selected domain.”
      In my case the first DNS server entry was my firewall. Which does normally route dns request to my Active Directory pretty fine to the domain DNS servers… but not in this case.
      To solve the issue I set only the Active Directory DNS servers in the network settings of my VCA.
      Best regards
      Yvan

  3. Christian says

    Hello arucard,

    for me it was the same, go on again with users and user groups and then choose your domain. With the filters I’ve found my account. Then simply go again to the Administrators group, and then you find yourself when you select the domain. However, I can not !!! login with an AD user on WebClient. He says the password is incorrect. Is the syntax wrong?

  5. Damijan says

    Is there any way to invoke some Windows vCenter 5.1 configurations like resource pools, vDS and other important “time eating” things? If external SQL is/will be supported that could be done, but how to make conversion to embeded DB?

    • Vladan SEGET says

      Not quite sure what you’re referring to. The only limitations that’s not supported with VCSA is linked mode. Also vCenter server Heartbeat isn’t supported with VCSA. VUM has to be installed on separate Windows box, the same for View composer. ANd SSPI (security support provider interface) – Microsoft Windnows API used to perform authentication against NTLM or Kerberos.

      The limits (soft) of 100 hosts and 3000 VMs has also been confirmed.

  8. Ruf says

    First let me thank you for this article. It is excellent and succinct.

    My DNS was correct, and I still experienced the error, “Cannot load the users for the selected domain.”

    Here is what I did to resolve my problem:

    1. For Identity Source, use “Active Directory as a LDAP Server.”

    2. Configure the following identity source settings:

    For example, if my domain name is example.com, I would use the following:

    Base DN for users: dc=example,dc=com

    Domain name: example.com

    Domain alias: EXAMPLE

    Base DN for groups: dc=example,dc=com

    Primary server URL: ldap://:389

    Username: [email protected]

x