SSO and NSX/vShield Manager Integration
Article ID: 321387

Products

VMware NSX Networking

Issue/Introduction

VMware NSX for vSphere has to be paired with vCenter Server (VC) to enable some NSX features.

Configuring the Lookup service in NSX is optional in both VCVA and Windows VC environments. Without the Lookup service configuration, NSX functionality is not affected at all, with the exception of group-based authentication.

Whenever you assign a role in NSX, you can assign it to an SSO user or group. If the Lookup service is not configured, group-based role assignment does not work: a user from that group is not able to log in to NSX, because NSX cannot fetch any group information from the SSO server. The group-based authentication provider is only available when the Lookup service is configured. Logins by users who are explicitly assigned a role on NSX are not affected. This means that the customer has to assign roles to users individually and cannot take advantage of SSO groups.


Environment

VMware NSX for vSphere 6.1.x
VMware NSX for vSphere 6.2.x
VMware NSX for vSphere 6.3.x
VMware NSX for vSphere 6.4.x

Resolution

When does NSX contact SSO server?
 
For NSX, the SSO server is one of the identity providers for authentication. For authentication to succeed in NSX, the user or group must be assigned a role on NSX. Whenever a user request comes from the NSX NGC Plugin, the request is authenticated.

Authentication and authorization on NSX are done using providers:
  • SSO authentication provider: In this case, the SSO server is contacted if the Lookup service on NSX is configured. The SSO server authenticates the credentials and, if a role is assigned, NSX allows the login. For groups to which the user belongs, NSX fetches group information from the SSO server and uses it to determine the role assigned on NSX.

  • VC authentication provider: In this case, the VC is contacted and the credentials are presented to it. VC authenticates the user and informs NSX. NSX verifies that a role is assigned and allows the login.
Configuring Lookup service on NSX: Prerequisites
  1. Lookup service or SSO server should be in time sync with NSX.
    • Configure Time Settings on NSX either by configuring an NTP server common to NSX and Lookup Service, or by configuring the time on NSX.
    • After configuring the Time settings, restart the appliance.
    • Verify that the time on both appliances, NSX and VC/SSO/Lookup Service, is in sync.
  2. Ensure that the VC/SSO FQDN can be resolved. Use DNS Configuration to configure DNS servers.
  3. You have valid credentials for a user with SSO administrative rights to configure Lookup service.
  4. Ensure that the SSO server being configured on NSX is the same SSO server used by the vCenter Server. This can be verified from the vpxd.cfg file on the vCenter Server appliance.
Configuring Lookup service from NSX
  1. Lookup service can be configured from the NSX Manager Appliance management UI.
  2. The default port number for Lookup service is 7444 for VC 5.5; for VC 6.0 onwards (greenfield deployments) it is 443.
  3. Provide the IP address or FQDN of the Lookup service.
  4. Provide valid credentials for the user configuring Lookup service. This user needs to be an SSO / Lookup service administrator.
Common Problems Encountered in Troubleshooting
  • The host is unreachable or Hostname cannot be resolved.
  • Invalid user or credentials.
  • The User does not have proper SSO administrative rights.
  • Time Sync error, request expired error.
Configuring Lookup service on VSM [5.1.x,5.5.x]

Prerequisites:
  • Lookup service or SSO server should be in time sync with VSM.
    • Configure Time Settings on VSM either by configuring an NTP server common to VSM and Lookup Service, or by configuring the time on VSM.
    • After configuring the Time settings, restart the appliance.
    • Verify that the time on both appliances, VSM and VC/SSO/Lookup Service, is in sync.
  • Make sure that the VC/SSO FQDN can be resolved. Use DNS Configuration to configure DNS servers.
  • You have valid credentials for a user with SSO administrative rights to configure Lookup service.
 
Configuring Lookup service from VSM
  1. Lookup service can be configured from VSM UI.
  2. Default port number for lookup service is 7444.
  3. Provide IP address or FQDN for Lookup service.
  4. Provide valid credentials of User for configuring Lookup service. This user needs to be SSO / Lookup service administrator.
  5. Change the log level to DEBUG for the component com.vmware.vshield.vsm.security.
  6. In the logs, you can see statements similar to:
     "User : {} Authenticated by SSO Authentication Provider."
     "SSO user and its groups does not have any role on vSM"
     "Exception was thrown while authenticating using …"
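The prerequisite checks above (DNS resolution, Lookup service port by VC version, time sync) and the debug statements just listed can be turned into a small pre-flight and triage script. This is an added example, not VMware code: the host names are assumptions, the Lookup service path and the CA bundle argument are mine, and the log signatures are the statements quoted in this article.

```python
"""Pre-flight checks and log triage for pairing NSX Manager with vCenter SSO / Lookup
service. Added example, not VMware code; host names are assumptions."""
import socket
import ssl
import time
import http.client
from email.utils import parsedate_to_datetime
from typing import Optional

def lookup_service_port(vc_version: str) -> int:
    """Port from the article: 7444 for VC 5.5, 443 for VC 6.0 onwards (greenfield)."""
    return 443 if int(vc_version.split(".")[0]) >= 6 else 7444

def fqdn_resolves(fqdn: str) -> bool:
    """Prerequisite: the VC/SSO FQDN must resolve from NSX Manager's configured DNS."""
    try:
        socket.getaddrinfo(fqdn, None)
        return True
    except socket.gaierror:
        return False

def clock_skew_seconds(remote_http_date: str, local_epoch: Optional[float] = None) -> float:
    """Prerequisite: SSO tokens are time-bound, so NSX/SSO skew surfaces as the
    'request expired' error. Compare our clock with the server's HTTP Date header."""
    local = time.time() if local_epoch is None else local_epoch
    return abs(local - parsedate_to_datetime(remote_http_date).timestamp())

def probe_lookup_service(host: str, port: int, cafile: Optional[str] = None) -> str:
    """TLS connect to the Lookup service and return its Date header for skew checks.
    Pass the VMCA/SSO root certificate as cafile so the endpoint is verified."""
    ctx = ssl.create_default_context(cafile=cafile)
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=5)
    try:
        conn.request("GET", "/lookupservice/sdk")  # assumed Lookup service SDK path
        return conn.getresponse().getheader("Date") or ""
    finally:
        conn.close()

# Debug statements of component com.vmware.vshield.vsm.security, as quoted above.
LOG_SIGNATURES = (
    ("Authenticated by SSO Authentication Provider", "ok: SSO authenticated the user"),
    ("does not have any role on vSM", "authz: user and its groups hold no NSX role"),
    ("Exception was thrown while authenticating", "error: SSO call failed; check DNS, port, time sync"),
)

def classify_auth_log(line: str) -> Optional[str]:
    """Map one vsm.security debug line to a triage verdict (None if unrelated)."""
    for needle, verdict in LOG_SIGNATURES:
        if needle in line:
            return verdict
    return None
```

Run `fqdn_resolves` and `probe_lookup_service` from the NSX Manager side before entering the Lookup service details; a skew of more than a few minutes is the usual cause of the "request expired" error.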


Additional Information

Default SSO / Lookup service administrator matrix for different VC versions:
 
vCenter Version | 5.0    | 5.1                                                                   | 5.5/6.0
Linux Appliance | No SSO | root/vmware (unless user changed SSO rights or password)              | [email protected]/vmware (unless user changed SSO rights or password)
Windows vCenter | No SSO | admin@system-domain. Password is set by user during SSO configuration | [email protected]. Password is set by user during SSO configuration

Screenshot (not reproduced here) of the sample information to be entered in VC to add an AD server as an identity source for SSO.