Adding an Integrated Active Directory (IWA) Identity Source without the vSphere Web Client for vSphere 5.5/6.0
Article ID: 344927


Products

VMware vCenter Server

Issue/Introduction

This article provides steps to create an Active Directory (Integrated Windows Authentication) identity source that uses your machine account as the service principal name (SPN) when you cannot use the vSphere Web Client.
For instructions on configuring identity sources from the command line in vSphere 6.5/6.7, see Using the CLI to add or configure SSO identity sources in vSphere 6.5 & 6.7.

Environment

VMware vCenter Server Appliance 6.0.x
VMware vCenter Server 5.5.x
VMware vCenter Server Appliance 5.5.x
VMware vCenter Server 6.0.x

Resolution

Currently, with vCenter Single Sign-On (SSO) 5.5 and Platform Services Controller (PSC) 6.0, there is no auto-discover feature that queries the environment and adds the applicable identity sources automatically. As a result, only the local OS (the local machine's users and groups) and vsphere.local (the internal domain for SSO) identity sources are available. When SSO 5.1 is upgraded to SSO 5.5, the earlier Active Directory identity source, if present, is converted to an Active Directory as an LDAP server identity source.

Note: With vSphere 6.0, these scripts are packaged with both the Appliance-based and the Windows-based Platform Services Controller. Do not download the attached scripts for use with vSphere 6.0.
 
For vSphere 5.5
Prerequisites:
 
Before you proceed, ensure that:
  • SSO 5.5 is installed on a supported Windows Server version or deployed with the vCenter Server Appliance.
  • The SSO system is joined to the domain.
  • You are logged in as a local administrator or root on the SSO system or vCenter Server Appliance.
  1. Download the file attached to this article that matches your platform:
    • vCenter Server for Windows - 2063424_sso-add-native-ad-idp_windows.zip
    • vCenter Server Appliance - 2063424_sso-add-native-ad-idp_appliance.zip

  2. Extract the sso-add-native-ad-idp file from the downloaded zip file.
To create an Integrated Active Directory Identity Source on Windows:
  1. Open an elevated command prompt. For more information, see Opening a command or shell prompt (1003892).
  2. Run this command to determine the installation drive used for vCenter Single Sign-On:

    reg query "HKLM\SOFTWARE\VMware, Inc.\VMware Identity Services" /v "InstallPath"

    This outputs the SSO installation directory, for example:

    HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Identity Services
    InstallPath REG_SZ C:\Program Files\VMware\Infrastructure\VMware\CIS\vmware-sso\

  3. Create a directory named vdcidentitysource on the drive identified in Step 2. In the following example, this is C:\.
  4. Move the sso-add-native-ad-idp file to the directory c:\vdcidentitysource\.
  5. Run this command to navigate to the vdcidentitysource directory:

    cd c:\vdcidentitysource
     
  6. Run this command:

    sso-add-native-ad-idp.cmd domain_name

    For example:

    sso-add-native-ad-idp.cmd vmware.com

    Notes:
     
    • To find the domain name to use in the command above, run:

      echo %userdnsdomain%
    • This creates an Integrated Windows Authentication identity source that uses your machine account as the SPN.
To create an Integrated Active Directory Identity Source on vCenter Server Appliance:
  1. Using WinSCP (or any SCP client), connect to the vCenter Server Appliance and upload the sso-add-native-ad-idp.sh file to the /tmp/ directory.
  2. Connect to the vCenter Server Appliance via SSH.

    For more information, see Enable or Disable SSH Administrator Login on the VMware vCenter Server Appliance section in the vCenter Server 5.5 and Host Management Guide.
     
  3. Run this command to navigate to the /tmp/ directory:

    cd /tmp/
     
  4. Run this command to change permissions on the file:

    chmod 777 sso-add-native-ad-idp.sh
     
  5. Run this command to create the Identity Source:

    ./sso-add-native-ad-idp.sh domain_name

    For example:

    ./sso-add-native-ad-idp.sh vmware.com

    Notes:
     
    • To find the domain name to use in the command above, run:

      vpxd_servicecfg ad read | grep DOMAIN

    • This creates an Integrated Windows Authentication identity source that uses your machine account as the SPN.

After completing the preceding procedure, log in to vCenter Server with the [email protected] account and verify that you can add users from the new identity source.
 
For vSphere 6.0

Prerequisites:
 
Before you proceed, ensure that:
  • PSC 6.0 is installed on a supported Windows Server version or deployed with the vCenter Server Appliance.
  • The PSC system is joined to the domain.
  • You are logged in as a local administrator or root on the PSC system or vCenter Server Appliance.

To create an Integrated Active Directory Identity Source on Windows:

  1. Open an elevated command prompt. For more information, see Opening a command or shell prompt (1003892).
  2. Navigate to this directory:

    C:\Program Files\VMware\vCenter Server\VMware Identity Services\scripts

    Note: This article is written using the default install drive. Adjust this location if you installed to a non-default drive.
     
  3. Run this command:

    sso-add-native-ad-idp.cmd domain_name

    For example:

    sso-add-native-ad-idp.cmd vmware.com

    Notes:
     
    • To find the domain name to use in the command above, run:

      echo %userdnsdomain%

    • This creates an Integrated Windows Authentication identity source that uses your machine account as the SPN.

To create an Integrated Active Directory Identity Source on vCenter Server Appliance:

  1. Log in to the Platform Services Controller Appliance through the console or an SSH session.
  2. Run this command to enable access to the Bash shell:

    shell.set --enabled true
     
  3. Type shell and press Enter.
  4. Run this command to navigate to the scripts directory:

    cd /usr/lib/vmidentity/tools/scripts/
     
  5. Run this command to create the Identity Source:

    ./sso-add-native-ad-idp.sh domain_name

    For example:

    ./sso-add-native-ad-idp.sh vmware.com

    Notes:
     
    • To find the domain name to use in the command above, run:

      /opt/likewise/bin/domainjoin-cli query | grep Domain

    • This creates an Integrated Windows Authentication identity source that uses your machine account as the SPN.

After completing the preceding procedure, log in to vCenter Server with the [email protected] account and verify that you can add users from the new identity source.

Note: In vSphere 6.5 and later, the sso-add-native-ad-idp script is deprecated and is no longer included in the release.
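Both appliance procedures above (vCSA 5.5 with vpxd_servicecfg, PSC 6.0 with domainjoin-cli) pipe a lookup command through grep and then hand the domain name to sso-add-native-ad-idp.sh, and the 5.5 procedure stages that script with chmod 777. The following shell helpers are an added example, not part of this article or of VMware's scripts: they pull the domain name out of each command's output, check that it is a plausible DNS name before it is passed as domain_name, and stage the script with owner-only permissions instead of 777, since a world-writable file that root is about to execute can be replaced by any local account. The two command outputs are constructed samples, and the line formats they assume (VC_ADDOMAIN_DOMAIN=... and "Domain = ...") are assumptions, not captured from a real appliance.

```shell
#!/bin/sh
# Added example (not from the KB article or VMware's own scripts).
# Helpers for the appliance procedures: derive the domain name from the
# lookup commands the article uses, validate it, and stage the script with
# a tighter mode than chmod 777.

# Constructed sample of "vpxd_servicecfg ad read" output (vCSA 5.5).
# The VC_ADDOMAIN_DOMAIN= key format is an assumption.
SAMPLE_VPXD_OUTPUT='VC_CFG_RESULT=0
VC_ADDOMAIN_STATUS=1
VC_ADDOMAIN_DOMAIN=example.com
VC_ADDOMAIN_USER=svc_join'

# Constructed sample of "domainjoin-cli query" output (PSC 6.0).
# The "Domain = " line format is an assumption.
SAMPLE_DOMAINJOIN_OUTPUT='Name = psc01
Domain = EXAMPLE.COM
Distinguished Name = CN=psc01,CN=Computers,DC=example,DC=com'

# vCSA 5.5: the article runs "vpxd_servicecfg ad read | grep DOMAIN".
# Keep only the value after VC_ADDOMAIN_DOMAIN= and normalise to lower case.
domain_from_vpxd() {
    printf '%s\n' "$1" | sed -n 's/^VC_ADDOMAIN_DOMAIN=//p' | head -n 1 | tr 'A-Z' 'a-z'
}

# PSC 6.0: the article runs "domainjoin-cli query | grep Domain".
# Match only the "Domain = " line, not "Distinguished Name = ".
domain_from_domainjoin() {
    printf '%s\n' "$1" | sed -n 's/^Domain[[:space:]]*=[[:space:]]*//p' | head -n 1 | tr 'A-Z' 'a-z'
}

# Accept only a dotted DNS name (letters, digits, hyphens, two or more
# labels). Returns 0 when the value is safe to pass as domain_name.
is_valid_domain() {
    printf '%s\n' "$1" | grep -Eq '^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$'
}

# Copy the script into place and make it owner read/execute only (500).
# The article's chmod 777 also works, but it leaves the file writable by
# every local account right before root executes it. Prints the resulting
# permission string (e.g. -r-x------) so the caller can verify it.
stage_script() {
    src="$1"
    dest_dir="$2"
    mkdir -p "$dest_dir"
    cp "$src" "$dest_dir/sso-add-native-ad-idp.sh"
    chmod 500 "$dest_dir/sso-add-native-ad-idp.sh"
    ls -ld "$dest_dir/sso-add-native-ad-idp.sh" | cut -c1-10
}

# Demonstration against the constructed PSC 6.0 sample: resolve the domain,
# validate it, and show the command the article would run with it.
d=$(domain_from_domainjoin "$SAMPLE_DOMAINJOIN_OUTPUT")
is_valid_domain "$d" && echo "would run: ./sso-add-native-ad-idp.sh $d"
```

On a real appliance, replace the sample strings with the live command output, for example `domain_from_vpxd "$(vpxd_servicecfg ad read)"` on vCSA 5.5, and pass the validated value to the script from the directory the article names for your version.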


Additional Information

Opening a command or shell prompt
How to register an Integrated Active Directory (IWA) identity source in vCenter Single Sign-On 5.5 without using the vSphere Web Client (Japanese version of this article)

Attachments

sso-add-native-ad-idp_windows1.zip
sso-add-native-ad-idp_appliance0.zip