Friday, December 29, 2017

VMware single sign-on (SSO) with Active Directory

After installing VMware vCenter Server Appliance (VCSA) 6.5, we only have a "vSphere.local" single sign-on (SSO) domain where we can create users and groups. But wouldn't it be better if you could integrate your existing Microsoft Active Directory (AD) environment with your organizational structure of groups and users? You don't have to start over creating these just for VMware. We just need to link the AD environment to the VMware SSO.

We also have to grant some permissions to the enterprise AD administrator, otherwise, he or she will not be able to manage the environment.

I assume that you have already fired up the vSphere web client and logged in using the administrator@vsphere.local account and password we set up in our previous post. Once done, click the System Configuration button on the main screen. You'll end up in the System Configuration section. Click the Nodes section on the left.
vCenter Server configuration Select nodes
All nodes will appear below. As we have only a single node (we're not using vCenter's linked mode), select the node > Manage tab > Active Directory > Join button.
Join vCenter to Active Directory
Enter the necessary details. As you can see, a message says you have to reboot the node manually.
Reboot after joining vCenter to Active Directory
After the reboot, you'll have to wait a few minutes until all services are up and the vSphere web client initializes itself.
Log back in, and from the main screen, click the Home button and Administration. Under Single Sign-On, select the Configuration menu, the Identity Source tab and then click the green + sign to Add identity source.
vSphere 6.5 Select an identity source type
Four options appear. We'll stick with Active Directory (Integrated Windows Authentication).
On the next page, the domain should already display with the Use machine account radio button pre-selected.
Add an identity source to vSphere single sign on
Click the Next button and then Finish. You should see the Identity Sources tab populated with your Active Directory.
Windows AD added as an identity source
As mentioned at the beginning, we'll need to grant a few permissions for the domain administrator (or any other account) to manage the vSphere environment.
On the same page, move one level up to the Access control section and select Global Permissions.
Click Add a new user and then select the user from the Active Directory.
Select a user from your domain to assign global permissions
Next, validate by clicking the OK button.
This is just the first part of the procedure. We still have to add the domain administrator to some vSphere.local groups. We'll do that in a second.
Select Users and Groups > Groups tab > Administrators. Add the domain admin account to the local administrators group.
Add the domain administrator to a local administrators group
Click the Add button and validate with the OK button. Repeat the procedure for ComponentManager.Administrators, LicenseService.Administrators, CAAdmins, SystemConfiguration.Administrators, SystemConfiguration.BashShellAdministrators and Users.
You should now be able to log in as a domain admin. And if you're already logged in as a domain admin on your system, you can simply check the box to Use Windows session authentication.
Log in using Windows session authentication
You can then see in the top right corner that you have logged in as domain admin.
Logged in as domain Administrator

How to add an ESXi 6.5 host to vCenter Server (VCSA) 6.5

In our simple example here, we'll add a host that we have deployed and configured in one of our previous posts. This host does not have any special configuration just yet, but we still want to manage this host through our vCenter server and vSphere web client.

Open your vSphere web client and go to Home > Hosts and clusters.
Hosts and clusters view
Then right-click the MainDatacenter object and select Add Host.
Add host
This operation will start a new wizard.
Enter name and location
We are able to use IP addresses as well, but DNS is more convenient and more flexible. The next page invites us to enter a user name (root) and password that we created during the initial installation of the ESXi host.
Root password
Again, you'll have to accept the default security certificate. Just click Yes to continue connecting to the ESXi host. As you can see, our vCenter server appliance is running on that host.
VMs on the host
Next, we have the option to accept the default evaluation license or assign a new license to the host. Note that we can manage licenses through the vCenter user interface (UI) but do not have to worry about that now.
Assign a license
Lockdown mode disables direct logins to the host via the HTML5 host client (https://IP_of_host/ui) or via the old Windows C++ (legacy) client.
This is useful for environments where security really matters and where you want to lock down pretty much everything: you then have a single management path to the entire VMware infrastructure. Selecting the "strict" option allows management only through the vCenter server.
Lockdown mode
As we have not created any clusters within our datacenter, we don't need to specify where (to which cluster) to add this host.
Finalization
This is the final screen. Again, you can still go back to correct or change things before clicking the Finish button. We'll exit like this.
This is it. We have successfully configured VCSA 6.5 and added our first host. It's a good start.
Final screen
People who do not have much experience with VMware infrastructure or who manage only single hosts might be quite surprised by this (very rich) environment where we talk about datacenters, clusters and so on.
Management is a core part of VMware vSphere, and VMware's licensing packages are built around it. The least expensive "Essentials" bundle lets you manage three hosts via one vCenter server, for roughly the cost of a single Microsoft Windows Server Essentials license.
In my next post, I explain how to configure VMware for single sign-on (SSO) with Active Directory.

Install VMware vCenter (VCSA) 6.5: Deployment

You have to have at least one ESXi host installed if you want to deploy VMware VCSA 6.5. This is because the ESXi host will act as a target, as a support to run the VCSA virtual machine (VM). So how do you install and configure VMware vCenter 6.5 in a small business environment?

The vCenter Server Appliance 6.5 has two main parts:
  1. vCenter Server
  2. Platform Services Controller (PSC)
The VMware PSC enables management of certificates via the VMware certificate authority, licensing services and the vCenter single sign-on (SSO) authentication service. The latter enables communication with vSphere components via a secure token exchange mechanism.
While most environments will be fine with all components installed as a single VM, you also have the option to install a separate VM for the PSC and another VM for vCenter. This case applies to multi-site environments where multiple linked vCenter servers communicate with a single PSC (or multiple PSCs behind a load balancer). There are other cases where such a configuration is necessary, but this is not the subject of this post.
Let’s get started with the single VM deployment we’ll do today. As usual, you’ll need a proper DNS configuration. So make sure to create forward and reverse DNS records on your DNS server before you start your deployment.
Depending on your system, you have a choice of running the installer from a Windows, Linux or Mac workstation. Pretty cool if you ask me, as you can be a Mac user. The VCSA is one big ISO file, which you’ll need to download from VMware. After mounting the ISO, you’ll find a file and folder structure that is easy to navigate.
VMware VCSA 6.5 Mac installer
The installer starts the wizard, which will walk you through installation and configuration. The process has two main parts:
  • Stage 1 – Deploy the appliance
  • Stage 2 – Set up the appliance
Let’s get started. The first screen is essentially just a recap informing you that you’ll need an ESXi host (or another vCenter server) to start the deployment.
Deployment wizard
Then we’ll need to accept the licensing agreement.
Accept the licensing agreement
The next step is to choose which deployment type we’re doing. As stated earlier, you can deploy separate VMs or a single VM. When choosing separate VMs, you can run the installer to deploy just the vCenter server or just a PSC.
Choice of server topology
Next, we’ll need to specify the appliance deployment target. In our case, we’re deploying directly to the ESXi host.
Specify deployment target
Then we’ll need to accept the SSL certificate, an untrusted one by default.
Accept certificate warning
The next step involves setting up the name for the VM and also a root password. Make sure to remember this password, as you’ll need it later when configuring the appliance.
Set the root password
On the next screen, you can choose the size of the appliance and also specify the amount of RAM, the number of vCPUs and the amount of storage space to use.
Deployment size
The next screen will invite you to select a target datastore. I’m picking a local datastore for now, but this can be a shared datastore too, depending on the configuration of this ESXi host. This window shows all datastores present on this ESXi host.
You can check the “Enable Thin Disk Mode” box to save space on the target datastore by not allocating the entire space right now.
Select a datastore
The last screen before the final one asks you to configure the network. Once again, make sure you created your DNS records for the VCSA. You can also use DHCP if you want, but I’d recommend going with a static IP.
Final screen
After that, you’ll see the progress bar.
Progress in the VMware VCSA 6.5 Mac installer

Click the Continue button to proceed with the configuration steps.

Starting the VMware vCenter (VCSA) 6.5 configuration

A nice wizard will guide you through the rest of the configuration process.
Stage 2 of VCSA configuration
The next screen invites you to set up the time synchronization mode. There is a choice between two modes: one with the ESXi host or another via NTP servers (internal or external).
Select a time synchronization option
Configure single sign-on (SSO) on the next screen, which will ask you to provide an SSO domain name and administrator’s password. You’ll use this for initial configuration. (Note that this is not the root account, which is used for command line configuration).
By default, VMware vSphere proposes a “vsphere.local” domain, but you can choose anything else. I’d recommend picking something different from the name of your Microsoft domain with Active Directory, just to differentiate the two.
SSO configuration
After this, the next screen invites you to join the VMware Customer Experience Improvement Program (CEIP), which is optional.
Join VMware's Customer Experience Improvement Program (CEIP)
Here we have a final screen inviting you to review everything for accuracy. You still have the possibility to hit the Back button and correct things if you need to.
Review your configuration
After this, you’ll have to confirm again in order to proceed.
Confirm starting the configuration process
You’ll see the progress bar move forward. You have time to go have a cup of tea.
Starting the configuration
When the installation finishes, you should see a success message with a green check mark. As you can see, you also have the vSphere web client URL, which you’ll need to access the vCenter server. Click the first URL to continue.
Successful configuration message
We end up with a browser window where we can enter a user name and password necessary for the connection. Note that we’ll be using the default SSO administrator’s account (Administrator), which we set up during the installation and configuration process, as well as the SSO domain name (vsphere.local, or whatever domain you specified during SSO configuration).
TIP: Please note that you’ll still need Adobe Flash installed on your system, as the HTML5 web-based client does not allow you to implement and configure all vSphere 6.5 features.
The connection string for the HTML5 client is https://vcsa65-01.lab.local/ui.
Enter administrator@vsphere.local (or @yourdomain) for the user and the password you assigned during the setup process.
vSphere web client login screen
After connecting, you’ll see the initial vCenter Server screen.
Connecting to vCenter
We’ll go forward from here. As you can see, one of the first things to do is to apply a license to your vCenter Server as well as your ESXi hosts. You can manage all licensing through vCenter Server.
At first, I usually Hide All Getting Started Pages so I don’t have to see them when I click on the different components of the architecture. You may want to leave them on.
Hide all getting started pages
Another initial thing to do after login is to create a new datacenter object. The easiest way to do this is to right-click the vCenter object and select New Datacenter.
Create a datacenter object
After this, enter a name for your datacenter.
Enter a meaningful name
We can do the same to create a cluster object. As before, right-click the datacenter object we just created, and create a new cluster.
Create a cluster object
Once again, enter a meaningful name and validate the options by clicking the check boxes next to the features that vSphere 6.5 offers, depending on which ones you want or plan to use.
Options for creating a cluster object
Note that this is only a basic configuration with an overview of what’s possible. We’ve learned the basic datacenter objects and their placement. The way in which you’ll decide to create the structure depends only on your environment. If your enterprise already has some sort of administration and security environment, such as Microsoft Active Directory, then you would essentially follow the same logic.

To configure a comprehensive storage solution (let’s say VMware vSAN), you’ll have to satisfy certain hardware and software requirements, and also networking. You might want to check out our recent VMware vSAN article where we talk about this hyper-converged solution.
Other vSphere features such as vMotion, high availability and fault tolerance require some networking configuration as well, but we won’t go into those details in this article.


VMware vSphere 6.5 is a mature platform with a large ecosystem of backup, replication and monitoring products. Many hardware manufacturers are integrating their products and plug-ins into the vSphere web client in order to manage hardware through the vCenter user interface. Unfortunately for now, the pure HTML5 client is not yet finished and only some features are available. The old Windows C++ client no longer works for vCenter Server connections. It still works for individual ESXi hosts.

In the next post of this series I will show you how to add an ESXi 6.5 host to vCenter Server (VCSA) 6.5.

How to install and configure an ESXi 6.5 host

You might want to know the other methods for installing ESXi 6.5. Where can you install ESXi 6.5 – to the local disk or elsewhere? In fact, there are five different ways to install and deploy VMware ESXi 6.5:

  1. Installation to a USB stick – the server boots from the USB stick.
  2. Installation to the local SATA/SAS or FC drive (RAID1)
  3. Installation to an SD flash card (certain hardware manufacturers provide a mirrored “double” slot)
  4. Boot from LUN via a hardware iSCSI card, FC or FCoE (fiber channel over Ethernet)
  5. Stateless booting via VMware auto-deployment
What do you need? Basically, two things:
  • A hardware device that is on the VMware hardware compatibility list (HCL)
  • An ESXi installation ISO, which you can download from the VMware website, and which you’ll burn to a CD-ROM
Depending on how you’ll connect a storage device to the host, you should have a server with at least two network cards: the first one for the management network and the second one for the storage network. I assume that you’re using shared storage such as an iSCSI storage array or network attached storage (NAS).

Step 1: Installation

After you have satisfied both requirements and you’re ready to go, set up your BIOS to boot from CD-ROM. The installer will present you with the following screen to get started:
The VMware ESXi 6.5 installer
The installer starts automatically within a few seconds.
Loading the VMware ESXi 6.5 installer
So far, so good. The next screen says you can install ESXi 6.5 on pretty much everything, but only systems that are on the HCL are supported.
VMware ESXi 6.5 compatibility
Hit Enter and continue with the installation. Accept the end-user license agreement (EULA) and hit the F11 key to continue. The next screen presents you with a choice of destination. Where do you want to install ESXi 6.5?
Installing to a local volume
Make your choice, hit Enter and continue. The next screen will invite you to select a keyboard language and set up a root password. Root is a local account with all privileges; this is a required step. Make sure you pick the right language for your keyboard, as you’ll need to enter a complex password for the account.
Keyboard language and password
Hit the F11 key once again to start the installer. It’ll take just a few minutes to install ESXi 6.5. It is a very lightweight product that needs only a few GB of space.
Start Installation
After a brief moment, you’ll see a screen asking you to eject the installation media and hit Enter to reboot the host. Now you can change the BIOS boot sequence back, though if the boot sequence is CD-ROM > Hard Disk, you’ll be fine.
Remove the installation media
We’re done with the installation. The next step will be configuration.

Step 2: Configuration

Log in to the system first. You’ll need to be at the console.
Log in to configure ESXi
Next, navigate with the down arrow key to select the “Configure Management Network” menu. Hit Enter to access the menu.
Network configuration
Check the network cards that the installer recognizes. Sometimes when you’re installing on non-certified hardware, the installer may have problems recognizing some network cards, so be aware of that.
Hit Enter to go one level deeper and see the network adapters, VLAN settings and the other network configuration options.
Network adapters
The next submenu allows you to connect or disconnect the network adapters you wish to use.
Connect or disconnect network adapters
Let’s hit the Esc key to go back and configure our network settings.
IP configuration
Hit the Enter key to validate the selection. This will return us to the previous menu, one level higher. Use the arrow key to go down one step and disable the IPv6 configuration completely. Use the up arrow and Space keys to uncheck the selection.
Disable IPv6
Again, validate by hitting the Enter key to go one level higher. Then use the down arrow key again to move to the next menu: domain name server (DNS) configuration.
Quick note: You should create your forward and reverse DNS records on your DNS server before configuring the DNS here.
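The DNS note above, together with the certificate prompts in the VCSA installer and in the Add Host wizard earlier on this page, can be backed by a small pre-flight script. This is an added example, not from the original post: it checks that the forward (A) and reverse (PTR) records for a host agree, and fetches the SHA-1 thumbprint of the host's TLS certificate so you can compare it with the one shown on the ESXi console before accepting it. Host names and IP addresses are sample values; the resolver functions are injectable so the DNS check can be exercised offline.

```python
import hashlib
import socket
import ssl


def thumbprint_from_der(der: bytes) -> str:
    """SHA-1 thumbprint in the AA:BB:CC... form the ESXi console displays."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_thumbprint(host: str, port: int = 443) -> str:
    """Fetch the host's TLS certificate without validating it (we have not
    decided to trust it yet) and return its SHA-1 thumbprint."""
    pem = ssl.get_server_certificate((host, port))
    return thumbprint_from_der(ssl.PEM_cert_to_DER_cert(pem))


def check_dns(fqdn, expected_ip, forward=socket.gethostbyname,
              reverse=socket.gethostbyaddr):
    """Verify that the A record for fqdn and the PTR record for expected_ip
    agree. Returns a list of problems; an empty list means they are consistent.
    forward/reverse default to the system resolver and can be replaced by
    stubs for offline testing."""
    problems = []
    try:
        resolved = forward(fqdn)
    except OSError as exc:                      # NXDOMAIN, timeout, ...
        return [f"forward lookup of {fqdn} failed: {exc}"]
    if resolved != expected_ip:
        problems.append(f"{fqdn} resolves to {resolved}, expected {expected_ip}")
    try:
        ptr_name = reverse(expected_ip)[0]      # gethostbyaddr -> (name, aliases, ips)
    except OSError as exc:
        problems.append(f"reverse lookup of {expected_ip} failed: {exc}")
        return problems
    if ptr_name.rstrip(".").lower() != fqdn.rstrip(".").lower():
        problems.append(f"PTR for {expected_ip} is {ptr_name}, expected {fqdn}")
    return problems


if __name__ == "__main__":
    import sys
    # Usage: python preflight.py vcsa65-01.lab.local 192.0.2.10   (sample values)
    fqdn, ip = sys.argv[1], sys.argv[2]
    for problem in check_dns(fqdn, ip):
        print("DNS:", problem)
    print("certificate SHA-1 thumbprint:", fetch_thumbprint(fqdn))
```

Run it against the FQDN and IP you plan to give the appliance or host; fix any reported DNS problem before starting the deployment, and only accept the certificate prompt if the printed thumbprint matches the one on the host console.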
DNS configuration
Hit Enter once more. We’re almost done.
DNS suffixes
Enter any suffixes required for your DNS. You’ll get a prompt to reboot, which will validate the configuration. Note that only a single reboot is necessary, and only because we disabled the IPv6 configuration. If you left IPv6 in place, you wouldn’t need to reboot ESXi 6.5 at all.
Confirm and reboot

Step 3: Connect to the host

We can connect to a single host two ways:
  • Via the traditional Windows C++ client (you’ll need to install it on your Windows workstation)
  • Via the HTML5 web-based client in a browser (no software to install)
I’m sure everyone’s familiar with the traditional Windows client, so let me show you the connection via the HTML5 web client.
The URL to remember is:
https://fqdn_of_your_ESXi/ui
or
https://IP_of_your_ESXi/ui
ESXi web client
Well, this is it. We have successfully configured our ESXi 6.5 hypervisor. You can start creating VMs on local storage or wait for one of our future posts where we’ll be configuring shared storage (iSCSI or NFS).

In my next post I will explain how to deploy VMware vCenter (VCSA) 6.5.