To provide role-based access control to the workload domain vCenter Servers, you add your organization's Active Directory as an identity provider, assign specific roles to Active Directory security groups and configure password policies.
Prerequisites
- Verify you have created a domain user in Active Directory with read-only access permission to the base DN for users and groups, to use as the bind account.
- Verify you have created security groups in Active Directory for each vCenter Server role you assign access to.
- Verify you have created security groups in Active Directory for each single sign-on role you assign access to.
Obtain the Active Directory Root Certificate for Identity and Access Management for VMware Cloud Foundation
To prepare for the solution deployment, you must obtain the Active Directory Root Certificate using the PowerShell module for VMware Validated Solutions.
Procedure
- Start PowerShell.
- Replace the sample values in the variables below and run the commands in the PowerShell console.
$caFqdn = "rpl-ad01.rainpole.io"
$caUsername = "Administrator"
$caPassword = "VMw@re1!"
$outDirPath = ".\certificates"
- Retrieve the Active Directory root certificate and its chain by running the command in the PowerShell console.
Get-MscaRootCertificate -caFqdn $caFqdn -username $caUsername -password $caPassword -outDirPath $outDirPath -format cer -fullchain
Add Active Directory as Identity Provider to the Management vCenter Server for Identity and Access Management for VMware Cloud Foundation
To assign access to users by using Active Directory security groups, you add the Active Directory domain as an LDAP identity source in vCenter Server. Supplying the Active Directory root CA certificate makes vCenter Server connect over LDAPS and validate the domain controller certificates, so the bind account credentials and directory queries are not sent in cleartext.
Procedure
- Log in to the management domain vCenter Server at https://<management_vcenter_server_fqdn>/ui as administrator@vsphere.local.
- From the vSphere Client Menu, select Administration.
- In the Single Sign On section, click Configuration.
- Click the Identity provider tab.
- Select Identity sources and click Add.
- In the Add identity source dialog box, configure the following settings according to the design of this solution, and configure the remaining settings (domain name, base DNs, bind account and domain controllers) according to your VMware Cloud Foundation Planning and Preparation Workbook.
  Setting               Description
  Identity source type  Active Directory over LDAP
  Connect to            Specific domain controllers
- To configure secure communication between vCenter Server and Active Directory, click Browse, select the Active Directory root CA certificate file that you obtained with Get-MscaRootCertificate, and click Add.
- Select the newly configured Active Directory over LDAP identity source and click Set as default.
- In the Set default identity source dialog box, click OK.
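As an added pre-flight check (example code, not part of the original page or of the VMware Validated Solutions PowerShell module), the following function tests the values that the prerequisites and the Add identity source dialog depend on: that the exported root certificate is a CA certificate, that the domain controller's LDAPS certificate chains to exactly that root and names the domain controller, that the bind account can perform a simple bind over LDAPS on TCP 636, and that the bind account can read the user and group base DNs. The hostnames, DNs, account name and certificate file name in the usage lines are assumptions.

```powershell
# Added example, not from the original page or the VMware Validated Solutions module.
# Pre-flight check for an Active Directory over LDAP identity source secured with a root CA:
#   1. the exported root certificate is a CA certificate (basicConstraints cA=TRUE),
#   2. the domain controller's LDAPS certificate chains to exactly that root and names the host,
#   3. the bind account can perform a simple bind over LDAPS (TCP 636),
#   4. the bind account can read the user and group base DNs (the read-only prerequisite).
# Hostnames, DNs, account names and the certificate file name used below are assumptions.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-AdLdapsIdentitySource {
    param(
        [Parameter(Mandatory)] [string]       $DomainController,
        [Parameter(Mandatory)] [string]       $BindUserDn,
        [Parameter(Mandatory)] [securestring] $BindPassword,
        [Parameter(Mandatory)] [string]       $BaseUserDn,
        [Parameter(Mandatory)] [string]       $BaseGroupDn,
        [Parameter(Mandatory)] [string]       $RootCaPath,
        [int] $Port = 636
    )

    $result = [ordered]@{
        RootCaIsCa               = $false
        ServerCertChainsToRootCa = $false
        ServerCertNamesHost      = $false
        BindSucceeded            = $false
        BaseUserDnReadable       = $false
        BaseGroupDnReadable      = $false
        Error                    = $null
    }

    # 1. The file written by Get-MscaRootCertificate must really be a CA certificate.
    $rootCa = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $RootCaPath
    $bc = $rootCa.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    $result.RootCaIsCa = [bool]($bc -and $bc.CertificateAuthority)

    # 2. Server certificate callback: build the chain with our root in ExtraStore and pin the
    #    chain's root to that thumbprint instead of trusting the local machine store.
    $state = @{ ChainOk = $false; NameOk = $false }
    $verify = {
        param($connection, $certificate)
        $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $certificate
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.ExtraStore.Add($rootCa) | Out-Null
        $chain.ChainPolicy.RevocationMode    = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::AllowUnknownCertificateAuthority
        $built     = $chain.Build($cert)
        $chainRoot = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        $state.ChainOk = $built -and ($chainRoot.Thumbprint -eq $rootCa.Thumbprint)
        # The Subject Alternative Name (OID 2.5.29.17) must name the domain controller we dialled.
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | ForEach-Object { $_.Format($false) }
        $state.NameOk = [bool]($san -and ($san -like "*$DomainController*"))
        return ($state.ChainOk -and $state.NameOk)
    }.GetNewClosure()

    try {
        $identifier = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier -ArgumentList $DomainController, $Port
        $credential = New-Object System.Net.NetworkCredential -ArgumentList $BindUserDn, $BindPassword
        $conn = New-Object System.DirectoryServices.Protocols.LdapConnection -ArgumentList $identifier, $credential, ([System.DirectoryServices.Protocols.AuthType]::Basic)
        $conn.SessionOptions.ProtocolVersion   = 3
        $conn.SessionOptions.SecureSocketLayer = $true    # TLS from the first byte; a simple bind is only acceptable over LDAPS
        $conn.SessionOptions.VerifyServerCertificate = $verify
        $conn.Bind()                                      # 3. simple bind with the bind account's DN and password
        $result.BindSucceeded = $true

        # 4. A base-scope read of each base DN proves the bind account's read permission.
        foreach ($dn in @($BaseUserDn, $BaseGroupDn)) {
            $request = New-Object System.DirectoryServices.Protocols.SearchRequest
            $request.DistinguishedName = $dn
            $request.Filter = '(objectClass=*)'
            $request.Scope  = [System.DirectoryServices.Protocols.SearchScope]::Base
            $request.Attributes.Add('distinguishedName') | Out-Null
            $readable = ($conn.SendRequest($request).Entries.Count -eq 1)
            if ($dn -eq $BaseUserDn)  { $result.BaseUserDnReadable  = $readable }
            if ($dn -eq $BaseGroupDn) { $result.BaseGroupDnReadable = $readable }
        }
    } catch {
        $result.Error = $_.Exception.Message
    } finally {
        if ($conn) { $conn.Dispose() }
    }
    $result.ServerCertChainsToRootCa = $state.ChainOk
    $result.ServerCertNamesHost      = $state.NameOk
    return [pscustomobject]$result
}

# Usage with assumed values (bind account DN, base DNs and certificate file name are placeholders).
$bindPass = Read-Host -AsSecureString -Prompt 'Bind account password'
Test-AdLdapsIdentitySource -DomainController 'rpl-ad01.rainpole.io' `
    -BindUserDn 'CN=svc-vsphere-ad,OU=Service Accounts,DC=rainpole,DC=io' -BindPassword $bindPass `
    -BaseUserDn 'DC=rainpole,DC=io' -BaseGroupDn 'DC=rainpole,DC=io' `
    -RootCaPath '.\certificates\rainpole-rootCA.cer'
```

If the certificate check fails, the callback returns false and Bind() throws, so BindSucceeded stays false and Error holds the LDAP error; ServerCertChainsToRootCa and ServerCertNamesHost then tell you whether the cause is the wrong root file or a certificate that does not name the domain controller. When all fields are true, the same bind account, base DNs, domain controller and certificate file can be entered in the Add identity source dialog.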
Assign vCenter Server Roles to Active Directory Groups for Identity and Access Management for VMware Cloud Foundation
You assign roles in vCenter Server to Active Directory security groups by using global permissions. You can later grant users access by adding them to the Active Directory security groups according to your organization's security controls. A global permission applies to every inventory object of every vCenter Server instance in the vCenter Single Sign-On domain, so restrict membership of the group that receives the Administrator role accordingly.
You create and assign access to Active Directory security groups for the following roles in vCenter Server:
- Administrator
- Read-Only
Procedure
- Log in to the management domain vCenter Server at https://<management_vcenter_server_fqdn>/ui as administrator@vsphere.local.
- From the vSphere Client Menu, select Administration.
- In the Access control section, click Global permissions.
- On the Global Permissions page, click Add.
- In the Add permission dialog box, select the Active Directory domain, the Active Directory security group and the vCenter Server role according to your VMware Cloud Foundation Planning and Preparation Workbook, configure the following setting, and click OK.
  Setting                Value
  Propagate to children  Selected
- Repeat the previous step for each remaining vCenter Server role, assigning its Active Directory security group.
Assign vCenter Single Sign-On Roles to Active Directory Groups for Identity and Access Management for VMware Cloud Foundation
You assign roles in the vCenter Single Sign-On domain to Active Directory security groups. You can later grant users access by adding them to the groups directly in Active Directory.
You assign an Active Directory security group to the Administrators group in vCenter Single Sign-On. Members of this group can manage vCenter Single Sign-On itself, including identity sources and password and lockout policies, so assign it more sparingly than the vCenter Server Administrator role.
Procedure
- Log in to the management domain vCenter Server at https://<management_vcenter_server_fqdn>/ui as administrator@vsphere.local.
- From the vSphere Client Menu, select Administration.
- In the Single Sign On section, click Users and groups.
- Click the Groups tab.
- Select Administrators and click Edit.
- In the Edit group dialog box, from the Add members drop-down menu, select the Active Directory domain according to your VMware Cloud Foundation Planning and Preparation Workbook.
- In the Search box, enter the Active Directory security group according to your VMware Cloud Foundation Planning and Preparation Workbook and press Enter.
- Click Save.