Configuring Active Directory authentication for ESX

Details

This article provides steps showing that an account residing in Active Directory can have its password changed via Active Directory Users and Computers > Users > Reset Password and still retain login privileges to the host through VMware Infrastructure (VI) Client, without the need to change the password for the account on the ESX host.

Solution

To show that an account residing in Active Directory can have its password changed via Active Directory and still retain login privileges to the host through VI Client:
 
Note: Follow these instructions precisely, including disabling Active Directory (AD) and closing all previously opened ports, to ensure that you are starting from a known state.
  1. Log in as root to the ESX host using an SSH client.
  2. Disable AD with the command:

    # esxcfg-auth --disablead

    Note: The option is --disablead, which disables AD authentication.

  3. Check the firewall status for AD:

    # esxcfg-firewall -q activeDirectorKerberos

    You see a response similar to:

    Service activeDirectorKerberos is blocked.

  4. Add an account already present in AD:

    # useradd test3

  5. Set a password different from the one configured in AD:

    # passwd test3
    Changing password for user test3.
    New UNIX password:
    Retype new UNIX password:
    passwd: all authentication tokens updated successfully.

  6. Verify shell access for this account by creating a new shell:

    # ssh test3@localhost
    test3@localhost's password:
    Last login: Wed Feb 14 11:53:25 2007 from localhost.localdomain
    [test3@supp91 test3]$


  7. In VirtualCenter, grant the account (test3) adequate permissions.
  8. Verify that the account is able to log in to the host using VI Client with the password set by the passwd command above.
  9. Enable the console operating system to authenticate the user against an Active Directory server:

    # esxcfg-auth --enablead --addomain=ESX.com --addc=winaddc.esx.com

  10. Check the firewall status for AD:

    # esxcfg-firewall -q activeDirectorKerberos

    The response is similar to:

    Service activeDirectorKerberos is enabled.

  11. Verify that the account is able to log in to the host using VI Client with the password set in Active Directory.
  12. Change the password for the account via Active Directory Users and Computers > Users > Reset Password to one that is different from the one originally used in AD, and also different from the one set with the passwd command.
  13. Verify that the account is able to log in to the host using VI Client with the password set by the passwd command above.
  14. Verify that the account is not able to log in to the host using VI Client with the original AD password.
  15. Verify that the account is able to log in to the host using VI Client with the new AD password.
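
Step 13 shows that the password set with passwd keeps working after AD authentication is enabled and the AD password has been reset, so a reset in AD does not retire a local password. The following is an added example, not part of the original article, that lists which accounts still carry a local password; the function names and sample entries are constructed for illustration, and it assumes the standard colon-separated shadow file format.

```shell
#!/bin/sh
# Added example (not from the KB article). Lists accounts in a shadow-format
# file that still have a local password alongside any AD credential.

# Print "<user> <state>" for every account with a usable or empty local password.
local_pw_accounts() {
    awk -F: '
        /^#/ || NF < 2 { next }                     # comments, malformed lines
        $2 == ""       { print $1, "empty"; next }  # no password needed at all
        $2 ~ /^[!*]/   { next }                     # locked, or never set (useradd only)
                       { print $1, "local-hash" }   # passwd was run, as in step 5
    ' "${1:-/etc/shadow}"
}

# Constructed sample data; the hash strings are placeholders, not real hashes.
sample_shadow() {
    cat <<'EOF'
root:$1$CONSTRUCTED$placeholderhash000000000:13558:0:99999:7:::
bin:*:13558:0:99999:7:::
test3:$1$CONSTRUCTED$placeholderhash111111111:13558:0:99999:7:::
adonly:!!:13558:0:99999:7:::
locked:!$1$CONSTRUCTED$placeholderhash222222222:13558:0:99999:7:::
nopass::13558:0:99999:7:::
EOF
}

# Demo on the sample; as root, call local_pw_accounts with no argument
# to read the real /etc/shadow instead.
tmp=$(mktemp) && sample_shadow > "$tmp" && local_pw_accounts "$tmp"; rm -f "$tmp"
```

On the sample, test3 is reported because passwd was run for it, while adonly (created with useradd only) is not.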

This Article Replaces

2289222
