Active Directory Authentication in VMware vRealize Log Insight (2069086)

Purpose

VMware vRealize Log Insight supports two authentication mechanisms for the web user interface:

  • Local authentication
  • Active Directory authentication

This article describes the username formats supported for Active Directory authentication.

Resolution

Active Directory authentication in VMware vRealize Log Insight works by specifying a domain and a binding user's credentials. With this information, vRealize Log Insight performs a DNS lookup of the specified domain to determine the domain controllers responsible for it. The binding user's credentials are used to add Active Directory users and groups to Log Insight.

After Active Directory is configured on vRealize Log Insight and the appropriate users and groups are added, log in to vRealize Log Insight using the appropriate Active Directory credentials. It is important to understand the username formats that vRealize Log Insight accepts when authenticating against the Web UI.

These are the only supported formats to log in to a Log Insight instance: 

  • username - If only a username is provided, then vRealize Log Insight attempts to authenticate the user against the local users defined first.
    • If the username is not found locally and Active Directory integration is configured then vRealize Log Insight attempts to authenticate the user against Active Directory. If authentication against Active Directory fails then the user is unable to log in to vRealize Log Insight.
    • If the username is found locally, but the password is unsuccessful and Active Directory integration is configured then vRealize Log Insight attempts to authenticate the user against Active Directory with the UPN username@defaultdomain. If authentication against Active Directory fails then the user is unable to log in to vRealize Log Insight.

  • domain\username - If a username is specified in this format then it is assumed to be an Active Directory user. It is also assumed that the domain specified is a valid Active Directory domain with domain controllers. If the domain specified is not the default domain specified in the Active Directory configuration, then vRealize Log Insight still sends the request to the default domain specified.
    • If trusts are established between the default domain specified and the domain the user is defined in, then authentication succeeds if the password specified is correct.
    • If trusts are not established between the default domain specified and the domain the user is defined in, then authentication fails.

  • username@domain - If a username is specified in this format then it is assumed to be an Active Directory user. It is also assumed that the domain specified is a valid Active Directory domain with domain controllers. If the domain specified is not the default domain specified in the Active Directory configuration, then vRealize Log Insight still sends the request to the default domain specified.
    • If trusts are established between the default domain specified and the domain the user is defined in, then authentication succeeds if the password specified is correct.
    • If trusts are not established between the default domain specified and the domain the user is defined in, then authentication fails.

  • domain\username@upn - If a username is specified in this format then it is assumed to be an Active Directory user. It is also assumed that the domain specified is a valid Active Directory domain with domain controllers. If the domain specified is not the default domain specified in the Active Directory configuration, then Log Insight still sends the request to the default domain specified. This format is necessary when the User Principal Name (UPN) for a user is not a valid domain with domain controllers. If the UPN is a valid domain with domain controllers, then use the format in the next bullet.
    • If trusts are established between the default domain specified and the domain the user is defined in, then authentication succeeds if the password specified is correct.
    • If trusts are not established between the default domain specified and the domain the user is defined in, then authentication fails.

Restrictions

  • The Administrator account does not have a UPN defined by default. Either edit the account to add a UPN, such as administrator@ad.example.com, or use one of the other username formats.

  • It is not possible to authenticate to a Log Insight instance using a NetBIOS name instead of a domain name. For example, if you have an Active Directory domain called ad.example.com with a NetBIOS name defined as ad, then log in as either ad.example.com\username or username@ad.example.com. You would not be able to log in as ad/username.

  • A UPN can only be used if the UPN is a valid Active Directory domain. If the UPN is an alias for a domain then authentication does not succeed. For example, if you have an Active Directory domain called ad.example.com and a UPN defined as example.com then you would only be able to log in as example.com\username or username@example.com if example.com was a valid Active Directory domain with domain controllers.
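The following added example (not VMware code) models the username handling and restrictions described above as a small triage helper for failed logins. The function names, the `local:`/`ad:` attempt labels, the form of the bare-username AD attempt and the single-label NetBIOS heuristic are assumptions made for illustration; the sample logins are constructed.

```python
def parse_login(name):
    """Split a login string into (format, domain, user) per the four formats."""
    if "\\" in name:
        domain, rest = name.split("\\", 1)
        if "@" in rest:
            return "domain\\username@upn", domain, rest  # rest stays a full UPN
        return "domain\\username", domain, rest
    if "@" in name:
        user, domain = name.rsplit("@", 1)
        return "username@domain", domain, user
    return "username", None, name


def auth_plan(name, local_users, default_domain, ad_enabled=True):
    """Return the ordered attempts and notes the article describes for `name`."""
    fmt, domain, user = parse_login(name)
    plan = {"format": fmt, "attempts": [], "notes": []}
    if fmt == "username":
        if user in local_users:
            plan["attempts"].append("local:" + user)
            if ad_enabled:  # tried only when the local password check fails
                plan["attempts"].append("ad:%s@%s" % (user, default_domain))
        elif ad_enabled:
            plan["attempts"].append("ad:" + user)
        return plan
    if not ad_enabled:
        plan["notes"].append("Active Directory not configured")
        return plan
    # AD formats: the request always goes to the configured default domain.
    plan["attempts"].append("ad:" + name)
    if domain.lower() != default_domain.lower():
        plan["notes"].append("needs trust with " + default_domain)
    if "." not in domain:
        # Heuristic (assumption): a single-label domain is probably a NetBIOS name.
        plan["notes"].append("possible NetBIOS name, use the DNS domain name")
    return plan


if __name__ == "__main__":
    LOCAL = {"admin"}  # constructed sample data
    for login in ("admin", "jdoe", "ad\\jdoe", "jdoe@corp.example.net",
                  "ad.example.com\\jdoe@example.com"):
        print(login, "->", auth_plan(login, LOCAL, "ad.example.com"))
```

Running the helper over the usernames seen in failed-login reports shows which ones depend on a domain trust and which were likely typed with a NetBIOS name.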

Update History

10/09/2015 - Log Insight 3.0 released.
