You must use the Directories Management feature to configure a link to Active Directory to support user authentication for all tenants and select users and groups to sync with the Directories Management directory.

About this task

There are two Active Directory connection options: Active Directory over LDAP, and Active Directory (Integrated Windows Authentication). An Active Directory over LDAP connection supports DNS Service Location lookup by default. With Active Directory (Integrated Windows Authentication), you configure the domain to join.

Prerequisites

  • Connector installed and the activation code activated.

  • Select the required default attributes and add additional attributes on the User Attributes page. See Select Attributes to Sync with Directory.

  • List of the Active Directory groups and users to sync from Active Directory.

  • For Active Directory over LDAP, information required includes the Base DN, Bind DN, and Bind DN password.

  • For Active Directory Integrated Windows Authentication, the information required includes the domain's Bind user UPN address and password.

  • If Active Directory is accessed over SSL, a copy of the SSL certificate is required.

  • For Active Directory (Integrated Windows Authentication), when you have multi-forest Active Directory configured and the Domain Local group contains members from domains in different forests, make sure that the Bind user is added to the Administrators group of the domain in which the Domain Local group resides. If this is not done, these members will be missing from the Domain Local group.

  • Log in to the vRealize Automation console as a tenant administrator.

Procedure

  1. Select Administration > Directories Management > Directories.
  2. Click Add Directory.
  3. On the Add Directory page, specify the IP address for the Active Directory server in the Directory Name text box.
  4. Select the appropriate Active Directory communication protocol using the radio buttons under the Directory Name text box.

    Windows Authentication - Select Active Directory (Integrated Windows Authentication).

    LDAP - Select Active Directory over LDAP.

  5. Configure the connector that synchronizes users from the Active Directory to the VMware Directories Management directory in the Directory Sync and Authentication section.

    Sync Connector - Select the appropriate connector to use for your system. Each vRealize Automation appliance contains a default connector. Consult your system administrator if you need help in choosing the appropriate connector.

    Authentication - Click the appropriate radio button to indicate whether the selected connector also performs authentication.

    Directory Search Attribute - Select the appropriate account attribute that contains the user name.

  6. Enter the appropriate information in the Server Location text boxes if you selected Active Directory over LDAP, or in the Join Domain Details text boxes if you selected Active Directory (Integrated Windows Authentication).

    Server Location - Displayed when Active Directory over LDAP is selected.

    • If you want to use DNS Service Location to locate Active Directory domains, leave the This Directory supports DNS Service Location check box selected.

    • If the specified Active Directory does not use DNS Service Location lookup, deselect the This Directory supports DNS Service Location check box and enter the Active Directory server host name and port number in the text boxes provided.

    • If Active Directory requires access over SSL, select the This Directory requires all connections to use SSL check box under the Certificates heading and provide the Active Directory SSL certificate. Use SSL wherever the domain controllers support it: an LDAP simple bind without SSL sends the Bind DN password across the network in clear text.

    Join Domain Details - Displayed when Active Directory (Integrated Windows Authentication) is selected.

    Enter the appropriate credentials in the Domain Name, Domain Admin User Name, and Domain Admin Password text boxes.

  7. In the Bind User Details section, enter the credentials the connector uses for directory synchronization.

    For Active Directory over LDAP:

    Base DN - Enter the search base distinguished name. For example, cn=users,dc=corp,dc=local. The sync search is rooted here, so users and groups elsewhere in the tree are not found.

    Bind DN - Enter the bind distinguished name. For example, cn=fritz infra,cn=users,dc=corp,dc=local.

    Bind DN Password - Enter the password for the Bind DN account.

    For Active Directory (Integrated Windows Authentication):

    Bind User UPN - Enter the User Principal Name of the user who can authenticate with the domain. For example, UserName@example.com.

    Bind DN Password - Enter the Bind User password.

  8. Click Test Connection to test the connection to the configured directory.
  9. Click Save & Next.

    The Select the Domains page appears with the list of domains.

  10. Review and update the domains listed for the Active Directory connection.
    • For Active Directory (Integrated Windows Authentication), select the domains that should be associated with this Active Directory connection.

    • For Active Directory over LDAP, the domains are listed with a checkmark.

      Note:

      If you add a trusting domain after the directory is created, the service does not automatically detect the newly added trusting domain. To make the service detect it, the connector must leave and then rejoin the domain; after the rejoin, the trusting domain appears in the list.

  11. Click Next.
  12. Verify that the Directories Management directory attribute names are mapped to the correct Active Directory attributes.

    If the directory attribute names are not mapped correctly, select the correct Active Directory attribute from the drop-down menu.

  13. Click Next.
  14. Click Add to select the groups you want to sync from Active Directory to the directory.

    When you add a group from Active Directory, if members of that group are not in the Users list, they are added.

    Note:

    The Directories Management user authentication system imports data from Active Directory when adding groups and users, and the import runs only as fast as Active Directory can serve it. Import operations can therefore take a significant amount of time, depending on the number of groups and users added. To minimize delays and problems, limit the groups and users to those required for vRealize Automation operation. If system performance degrades or errors occur, close unneeded applications and ensure that the system has appropriate memory allocated to Active Directory. If problems persist, increase the Active Directory memory allocation as needed; for systems with large numbers of users and groups, you may need to increase it to as much as 24 GB.

  15. Click Next.
  16. Click Add to add individual users by distinguished name. For example, CN=username,CN=Users,OU=myUnit,DC=myCorp,DC=com.

    To exclude users, click Add to create a filter; select the user attribute to filter by, the query rule, and the value.

  17. Click Next.
  18. Review the page to see how many users and groups are syncing to the directory.

    If you want to make changes to users and groups, click the Edit links.

  19. Click Push to Workspace to start the synchronization to the directory.
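The following is an added example, not part of vRealize Automation or its documentation: a small Python pre-flight script for the values typed into steps 6, 7 and 16. It parses the Base DN, Bind DN and user DNs and rejects malformed ones (such as a "-" typed where "=" belongs), checks that each user DN lies under the Base DN so the sync search can actually find it, lists the DNS SRV names that DNS Service Location resolves, and can fetch the LDAPS certificate needed for the SSL check box. All host names, DNs and the domain name are constructed sample values.

```python
"""Pre-flight checks for the Active Directory values entered in steps 6, 7 and 16.

Added example; not part of vRealize Automation or its documentation.
All host names, DNs and domain names in this file are constructed samples.
"""
import re
import ssl

# Attribute types in a DN: a letter followed by letters, digits or hyphens.
_ATTR_TYPE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")


def _split_unescaped(text, sep):
    """Split text on sep, leaving backslash-escaped separators (e.g. "\\,") intact."""
    parts, buf, i = [], [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            buf.append(text[i:i + 2])      # keep the escape pair as-is
            i += 2
            continue
        if text[i] == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(text[i])
        i += 1
    parts.append("".join(buf))
    return parts


def parse_dn(dn):
    """Parse an RFC 4514 DN string into a list of (type, value) RDNs.

    Attribute types are lower-cased; values keep their case and escapes.
    Raises ValueError for the slips that make a sync silently find nothing:
    a "-" typed instead of "=", an empty type or value, an illegal type name.
    Multi-valued RDNs joined with "+" are not handled.
    """
    rdns = []
    for comp in _split_unescaped(dn.strip(), ","):
        if "=" not in comp:
            raise ValueError(f"RDN {comp!r} has no '=' (was '-' typed instead?)")
        attr, value = (part.strip() for part in comp.split("=", 1))
        if not _ATTR_TYPE.match(attr):
            raise ValueError(f"invalid attribute type {attr!r} in RDN {comp!r}")
        if not value:
            raise ValueError(f"empty value in RDN {comp!r}")
        rdns.append((attr.lower(), value))
    return rdns


def dn_within_base(dn, base_dn):
    """True if dn is base_dn itself or lies below it in the tree.

    A subtree search rooted at the Base DN cannot return entries outside it,
    so a user DN that fails this check is never synced. Values are compared
    case-insensitively, as Active Directory does for DNs.
    """
    def norm(rdns):
        return [(t, v.lower()) for t, v in rdns]
    d, b = norm(parse_dn(dn)), norm(parse_dn(base_dn))
    return len(b) <= len(d) and d[len(d) - len(b):] == b


def dns_service_location_names(domain):
    """SRV names a client resolves to locate domain controllers when
    'This Directory supports DNS Service Location' is left selected."""
    domain = domain.strip().strip(".").lower()
    return [f"_ldap._tcp.dc._msdcs.{domain}", f"_ldap._tcp.{domain}"]


def fetch_server_certificate_pem(host, port=636):
    """Return the PEM certificate the LDAPS listener presents (leaf only).

    Fetched WITHOUT validation: confirm its fingerprint with the AD team
    before uploading it for the SSL check box, or you pin whatever an
    on-path attacker chose to send. Network call; not used by run_checks.
    """
    return ssl.get_server_certificate((host, port))


def run_checks(base_dn, bind_dn, user_dns):
    """Return a list of problems found in the DN fields (empty when clean)."""
    problems = []
    labelled = [("Base DN", base_dn), ("Bind DN", bind_dn)]
    labelled += [("User DN", u) for u in user_dns]
    for label, dn in labelled:
        try:
            parse_dn(dn)
        except ValueError as exc:
            problems.append(f"{label} {dn!r} is malformed: {exc}")
    for u in user_dns:
        try:
            if not dn_within_base(u, base_dn):
                problems.append(f"User DN {u!r} lies outside Base DN {base_dn!r}; "
                                "the sync search will not find it")
        except ValueError:
            pass   # already reported as malformed
    return problems


if __name__ == "__main__":
    # Constructed samples echoing the examples in steps 7 and 16.
    BASE = "cn=users,dc=corp,dc=local"
    BIND = "cn=fritz infra,cn=users,dc=corp,dc=local"
    USERS = ["CN=username,CN=Users,OU=myUnit,DC=myCorp,DC=com",   # other tree
             "CN-username,CN=Users,DC=corp,DC=local"]            # '-' typo
    for problem in run_checks(BASE, BIND, USERS):
        print("PROBLEM:", problem)
    print("SRV records to resolve:", ", ".join(dns_service_location_names("corp.local")))
    # print(fetch_server_certificate_pem("dc01.corp.local"))  # needs network access
```

Run it before clicking Test Connection in step 8. The DN checks work offline; the certificate fetch is a real network call and deliberately performs no validation, so treat its output as something to compare against the fingerprint published by the Active Directory team, not as a trusted artifact in itself.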

Results

The connection to the Active Directory is complete and the selected users and groups are added to the directory.

What to do next

If your vRealize Automation environment is configured for high availability, you must specifically configure Directories Management for high availability. See Configure Directories Management for High Availability.

  • Set up authentication methods. After users and groups sync to the directory, if the connector is also used for authentication, you can set up additional authentication methods on the connector. If a third party is the authentication identity provider, configure that identity provider in the connector.

  • Review the default access policy. The default access policy allows all appliances in all network ranges to access the Web browser with a session timeout of eight hours, or to access a client app with a session timeout of 2160 hours (90 days). You can change the default access policy, and when you add Web applications to the catalog, you can create new policies.

  • Apply custom branding to the administration console, user portal pages and the sign-in screen.

See the Directories Management Administration Guide for information about configuring these features.