VMware vCenter: How to add an Active Directory Domain as SSO Identity Source and use system session credentials

Attention if you plan an update to VMware vSphere/vCenter 5.1.0 Update 1: this version currently contains a bug which prevents users from logging in. VMware is working on a fix. See KB2050941.

=> Bug is solved in 5.1.0 Update 1a

Hi everybody,

Since VMware vCenter 5.1 a new service, SSO (the Single Sign On Service), handles the authentication for all logons. The advantage is that multiple authentication sources are possible, for example local users and groups, OpenLDAP directory services and of course Microsoft's Active Directory.

This post is related to vCenter Version 5.1.0b and describes how to add an Active Directory Domain as Identity source and get this running by using the “Reuse session” Authentication Type. The last one is the tricky part :-).

Let us start. Start the vSphere WebClient with a login which owns the appropriate rights, for example admin@system-domain or any other user who has the SSO administrator privileges, and navigate to Administration/Sign On and Discovery/Configuration. In the default configuration two identity sources are already added: the SSO database and the user management of the local server.

To add an Active Directory as identity source the following information is required:

  • The domain's fully qualified domain name
  • The domain's NetBIOS name
  • At least one domain controller
  • The Base DN for the users and groups

The attached PowerShell script GetSSOParameters.ps1 should determine this for your domain. You must start the script with the fully qualified domain name as parameter. Try it!

PS c:\>GetNetBiosDomainName.ps1 yourdomain.com
Basic Config for VMware SSO Identity source
Primary Server: ldap://domaincontroller1.yourdomain.com
Secondary Server: ldap://domaincontroller2.yourdomain.com
BaseDN Users: DC=yourdomain,DC=com
Domain: yourdomain.com
Domain Alias: YOURDOMAIN
BaseDN Groups: DC=yourdomain,DC=com

Once you have the necessary information you can add the identity source. See screenshot below. First try to add it by specifying a username and a password which have the rights to query the Active Directory.

VMware SSO Identity Source with “Password” option

Press the Test Connection button; normally this returns that the connection was successfully established.


Script to get a list of computers connected to an Avocent KVM switch


In his office, a customer has a few Avocent KVM switches to control some client computers in a remote room. He asked me about the possibility of getting a list of all computers connected to these boxes, because he does not want to maintain any list by hand.

I researched the documentation, but there is no (scripting) interface from which I could get such a list. SSH is only for connecting serial consoles, and SNMP offers no OIDs for such a case.

Because of the costs, DSView isn’t an option. The only way seems to be extracting the list by reading the web frontend's HTML output. Let us do this 🙂

I wrote a script in PowerShell (at least version 2 is needed to handle self-signed SSL certificates) which does the following:

  • Log in to the web frontend via https with SSL encryption, using the System.Net.HTTPWebRequest class, to get the authentication cookie
  • Get the device HTML page with the .NET class System.Net.Webclient, using the authentication cookie
  • Save the HTML to a temporary file
  • Open the file with Internet Explorer
  • Get the URL to start a KVM session, the computer name and the port number via the DOM

Script details

Define the user, password, protocol and the devices:

# KVM User
# KVM Password
# Protocol
# Your Devices

Build the HTTP POST text and disable SSL certificate warnings

Windows Update and Windows Search do not work


A good friend of mine came to me last week because some services of Windows Vista on his notebook did not run as expected. In detail:

  • Windows Search service starts but terminates
    • EventID 7034: The Windows Search service terminated unexpectedly.  It has done this 4 time(s).

      Windows search terminates after start

    • EventID 7024: The Windows Search service terminated with service-specific error 2147749155 (0x80040D23)
    • EventID 1006: The Windows Search Service has failed to create the new search index. Internal error <4, 0x8004117f
    • EventID 9000: The Windows Search Service cannot open the Jet property store.
  • Windows Update service starts but does not work; some errors are logged in C:\Windows\WindowsUpdate.log
    • 45c    DtaStor    FATAL: Failed to initialize datastore, error = 0xC8000247
    • 45c    AU    FATAL: Failed to get session from datastore, error = 0xC8000247
    • 45c    AU    FATAL: Failed to Unserialize from data store, error = 0xC8000247
  • No Windows Update file could be installed by double-clicking an msu file.
  • Cryptographic service does not run as expected:
    • The signature of Windows built-in programs cannot be verified, for example mmc.exe. Error message:

      Do you want the following program to allow changes to this computer?

      UAC message: built-in executables could not be verified.

    • Cause: The folder c:\windows\system32\catroot2 is empty and/or some errors are logged in the file C:\Windows\System32\catroot2\dberr.txt:
      CatalogDB: 21:39:37 28.02.2013: JetInit Corruption
      CatalogDB: 21:39:37 28.02.2013: catdbsvc.cpp at line #747 encountered JET error -583
      CatalogDB: 21:39:37 28.02.2013: catdbsvc.cpp at line #961 encountered JET error -583
      CatalogDB: 21:39:37 28.02.2013: catdbsvc.cpp at line #6636 encountered JET error -583
    • EventID 257: The following information was included with the event: -583 the message resource is present but the message is not found in the string/message table

It seems that all services which use the Windows Jet Database engine are affected.


Windows: Disable or enable assigning of a drive letter when plugging in a removable device


The default setting in Windows Vista, 7 or 8 is to assign a drive letter when you plug in a removable device. But sometimes you want to prevent Windows from doing that, for example for security reasons.

You can control this behaviour with the mountvol command. The following command line disables the automatic assignment:

mountvol /N

To enable the automatic assignment again, execute:

mountvol /E


Apache: Enable Server side includes SSI for a virtual directory


Short post as a reminder of how to enable Server Side Includes on a virtual directory.

mod_include must be enabled. The MIME type text/html must be associated with the .shtml file extension. A sample config for SSI looks like this:

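<Directory "D:/user/www/virtualdirectory/">
    # Includes turns on SSI processing; ExecCGI additionally allows CGI execution
    Options Indexes FollowSymLinks MultiViews ExecCGI Includes
    AllowOverride All
    # Order/Allow is Apache 2.2 syntax (needs mod_access_compat on 2.4)
    Order allow,deny
    Allow from all
    # Require all granted is Apache 2.4 syntax
    Require all granted
    # Serve .shtml as text/html and run it through the SSI output filter
    AddType text/html .shtml
    AddOutputFilter INCLUDES .shtml
</Directory>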
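
A tighter variant of the block above, as an added example that is not part of the original post: it assumes Apache 2.4 and that the .shtml pages only need include/echo style directives, not command execution.

```apache
# Added example (not from the original post); assumes Apache 2.4 with mod_include loaded.
# Same directory as above, but SSI is enabled without command execution.
<Directory "D:/user/www/virtualdirectory/">
    # IncludesNOEXEC: SSI is parsed, but "#exec cmd" and "#exec cgi" are disabled.
    # ExecCGI, Indexes and MultiViews are dropped because SSI does not need them.
    Options IncludesNOEXEC
    # Do not let .htaccess files in this tree switch Includes or ExecCGI back on.
    AllowOverride None
    # Apache 2.4 access control only (no Order/Allow from mod_access_compat).
    Require all granted
    AddType text/html .shtml
    AddOutputFilter INCLUDES .shtml
</Directory>
```

Running httpd -t checks the syntax before the server is restarted.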

See you Michael
