{"id":396,"date":"2013-03-19T07:53:34","date_gmt":"2013-03-19T06:53:34","guid":{"rendered":"http:\/\/michlstechblog.info\/blog\/?p=396"},"modified":"2013-07-10T21:34:06","modified_gmt":"2013-07-10T19:34:06","slug":"vmware-vcenter-howto-add-a-active-directory-domain-as-identity-source-using-session-credentials","status":"publish","type":"post","link":"https:\/\/michlstechblog.info\/blog\/vmware-vcenter-howto-add-a-active-directory-domain-as-identity-source-using-session-credentials\/","title":{"rendered":"VMware vCenter: Howto add an Active Directory Domain as SSO Identity Source and using system session credentials"},"content":{"rendered":"<h3><span style=\"color: #c0c0c0;\"><strong>Attention: If you plan an update to VMware vSphere\/vCenter 5.1.0 Update 1: currently this version contains a bug which prevents users from logging in. VMware is working on a fix. See <a title=\"SSO Bug\" href=\"http:\/\/kb.vmware.com\/selfservice\/microsites\/search.do?language=en_US&amp;cmd=displayKC&amp;externalId=2050941\" target=\"_blank\"><span style=\"color: #c0c0c0;\">KB2050941<\/span><\/a><\/strong><\/span><\/h3>\n<p>=&gt; Bug is solved in 5.1.0 Update 1a<\/p>\n<p>Hi everybody,<\/p>\n<p>since VMware vCenter 5.1 a new service, SSO (the Single Sign On Service), handles the authentication for all logons. The advantage is that multiple authentication sources are possible, for example local users and groups, OpenLDAP directory services and of course Microsoft's Active Directory.<\/p>\n<p>This post relates to vCenter version 5.1.0b and describes how to add an Active Directory domain as identity source and get it running using the &#8220;Reuse session&#8221; authentication type. The last part is the tricky one :-).<\/p>\n<p>Let us start. 
Start the vSphere Web Client with a login which has the appropriate rights, for example admin@system-domain or any other user who has the SSO administrator privileges, and navigate to Administration\/Sign On and Discovery\/Configuration. In the default configuration two identity sources are already present: the SSO database and the user management of the local server.<\/p>\n<p>To add an Active Directory domain as identity source the following information is required:<\/p>\n<ul>\n<li>The domain's fully qualified domain name<\/li>\n<li>The domain's NetBIOS name<\/li>\n<li>At least one domain controller<\/li>\n<li>The base DN for the users and groups<\/li>\n<\/ul>\n<p>The attached PowerShell script\u00a0GetSSOParameters.ps1 should determine this for your domain. You must start the script with the fully qualified domain name as parameter. Try it!<\/p>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\nPS c:\\&gt;GetNetBiosDomainName.ps1 yourdomain.com\r\nBasic Config for VMware SSO Identity source\r\nNAME: YOURDOMAIN\r\nPrimary Server: ldap:\/\/domaincontroller1.yourdomain.com\r\nSecondary Server: ldap:\/\/domaincontroller2.yourdomain.com\r\nBaseDN Users: DC=yourdomain,DC=com\r\nDomain: yourdomain.com\r\nDomain Alias: YOURDOMAIN\r\nBaseDN Groups: DC=yourdomain,DC=com\r\n<\/pre>\n<p>If you have the necessary information you can add the identity source. See the screenshot below. 
First try to add it by specifying a username and a password which have the rights to query the Active Directory.<\/p>\n<figure id=\"attachment_409\" aria-describedby=\"caption-attachment-409\" style=\"width: 391px\" class=\"wp-caption alignnone\"><a href=\"http:\/\/michlstechblog.info\/blog\/wp-content\/uploads\/2013\/03\/configssopass.png\"><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-409 \" alt=\"VMware SSO Identity Source with &quot;Password&quot; option\" src=\"http:\/\/michlstechblog.info\/blog\/wp-content\/uploads\/2013\/03\/configssopass.png\" width=\"391\" height=\"443\" srcset=\"https:\/\/michlstechblog.info\/blog\/wp-content\/uploads\/2013\/03\/configssopass.png 558w, https:\/\/michlstechblog.info\/blog\/wp-content\/uploads\/2013\/03\/configssopass-264x300.png 264w\" sizes=\"auto, (max-width: 391px) 100vw, 391px\" \/><\/a><figcaption id=\"caption-attachment-409\" class=\"wp-caption-text\">VMware SSO Identity Source with &#8220;Password&#8221; option<\/figcaption><\/figure>\n<p>Press the Test Connection button; normally this reports that the connection was established successfully. <!--more--><\/p>\n<figure id=\"attachment_411\" aria-describedby=\"caption-attachment-411\" style=\"width: 294px\" class=\"wp-caption alignnone\"><a href=\"http:\/\/michlstechblog.info\/blog\/wp-content\/uploads\/2013\/03\/configsuccess.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-411\" alt=\"Config successfully verified\" src=\"http:\/\/michlstechblog.info\/blog\/wp-content\/uploads\/2013\/03\/configsuccess.png\" width=\"294\" height=\"112\" \/><\/a><figcaption id=\"caption-attachment-411\" class=\"wp-caption-text\">Config successfully verified<\/figcaption><\/figure>\n<p>But this way has a significant disadvantage. If you change your password, the SSO service cannot connect to Active Directory anymore :-(. In large AD environments it is often not allowed to set the &#8220;Password never expires&#8221; property for a user. 
For security reasons the password must be changed frequently. Therefore each time you change your password you have to alter the identity source entry as well.<\/p>\n<p>The better choice is to use the &#8220;Reuse session&#8221; authentication type option.<\/p>\n<figure id=\"attachment_410\" aria-describedby=\"caption-attachment-410\" style=\"width: 391px\" class=\"wp-caption alignnone\"><a href=\"http:\/\/michlstechblog.info\/blog\/wp-content\/uploads\/2013\/03\/configssosession.png\"><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-410 \" alt=\"VMware SSO Identity Source with &quot;Reuse Session&quot;\" src=\"http:\/\/michlstechblog.info\/blog\/wp-content\/uploads\/2013\/03\/configssosession.png\" width=\"391\" height=\"443\" srcset=\"https:\/\/michlstechblog.info\/blog\/wp-content\/uploads\/2013\/03\/configssosession.png 558w, https:\/\/michlstechblog.info\/blog\/wp-content\/uploads\/2013\/03\/configssosession-264x300.png 264w\" sizes=\"auto, (max-width: 391px) 100vw, 391px\" \/><\/a><figcaption id=\"caption-attachment-410\" class=\"wp-caption-text\">VMware SSO Identity Source with &#8220;Reuse Session&#8221;<\/figcaption><\/figure>\n<p>But I did not get this running within the Web Client GUI. 
A GSSAPI error occurred.<\/p>\n<figure id=\"attachment_412\" aria-describedby=\"caption-attachment-412\" style=\"width: 446px\" class=\"wp-caption alignnone\"><a href=\"http:\/\/michlstechblog.info\/blog\/wp-content\/uploads\/2013\/03\/configErrorGSSAPI.png\"><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-412 \" alt=\"GSSAPI Error\" src=\"http:\/\/michlstechblog.info\/blog\/wp-content\/uploads\/2013\/03\/configErrorGSSAPI.png\" width=\"446\" height=\"133\" srcset=\"https:\/\/michlstechblog.info\/blog\/wp-content\/uploads\/2013\/03\/configErrorGSSAPI.png 557w, https:\/\/michlstechblog.info\/blog\/wp-content\/uploads\/2013\/03\/configErrorGSSAPI-300x89.png 300w\" sizes=\"auto, (max-width: 446px) 100vw, 446px\" \/><\/a><figcaption id=\"caption-attachment-412\" class=\"wp-caption-text\">GSSAPI Error<\/figcaption><\/figure>\n<p>and in the SSO imsTrace logfile ( VMware\\Infrastructure\\SSOServer\\logs\\imsTrace.log ) some errors have been written:<\/p>\n<ul>\n<li>(LDAPConnectionTesterImpl.java:231), trace.com.rsa.ims.ldapslotmgt.impl.LDAPConnectionTesterImpl, ERROR, vCenter.yourdomain.com,,,,LDAP Server connection test failed<\/li>\n<li>javax.naming.AuthenticationException: GSSAPI [Root exception is javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Message stream modified (41))]]<\/li>\n<li>GSSException: No valid credentials provided (Mechanism level: Message stream modified (41))<\/li>\n<li>KrbException: Message stream modified (41)<\/li>\n<\/ul>\n<p>But if Kerberos is properly configured this should also work. The SSO server runs under the Windows SYSTEM account. When the service connects to the AD it uses the session of the computer object, so reading and processing a query must be possible, and authentication too. Unfortunately the &#8220;reuse session&#8221; type can&#8217;t be forced without pressing the &#8220;Test connection&#8221; button. 
Forcing it from the command line isn&#8217;t possible either. So I tried a hack.<\/p>\n<p>I added the identity source with the user\/password option and then tried to change the authentication type directly in the SSO database. To connect to the database I installed Microsoft SQL Server Management Studio for Express Editions and connected to the SSO database (for me localhost\\VIM_SQLEXP) with SQL authentication as the SSO database admin (default user: RSA_DBA) which was specified at installation time. When you are connected, you have to determine your identity source entry with the following SQL query.<\/p>\n<pre class=\"brush: sql; title: ; notranslate\" title=\"\">\r\nSELECT\r\n&#x5B;NAME]\r\n,&#x5B;VALUE]\r\nFROM &#x5B;RSA].&#x5B;dbo].&#x5B;IMS_CONFIG_VALUE] where NAME like 'ims.ldap-slots.%' order by NAME\r\n<\/pre>\n<p>This should return something like this:<\/p>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\nNAME                                      VALUE\r\nims.ldap-slots.2.gssapi-supported         false\r\nims.ldap-slots.2.password                 UEQ5NGJXd2dkbVZ5YzJsdmJqMGlNUzR3.....\r\nims.ldap-slots.2.primary-url              ldap:\/\/domaincontroller1.yourdomain.com\r\nims.ldap-slots.2.secondary-url            ldap:\/\/domaincontroller2.yourdomain.com\r\nims.ldap-slots.2.username                 UEQ5NGJXd2dkbVZ5YzJsdmJqMGlNUzR3...\r\nims.ldap-slots.2-global.gssapi-supported  false\r\nims.ldap-slots.2-global.password          UEQ5NGJXd2dkbVZ5YzJsdmJqMGlNUzR3...\r\nims.ldap-slots.2-global.primary-url       ldap:\/\/domaincontroller1.yourdomain.com\r\nims.ldap-slots.2-global.secondary-url     ldap:\/\/domaincontroller2.yourdomain.com\r\nims.ldap-slots.2-global.username          UEQ5NGJXd2dkbVZ5YzJsdmJqMGlNUzR3....\r\n<\/pre>\n<p>Now identify the number of your entry. In this case ims.ldap-slots.<span style=\"color: #ff0000;\">2<\/span>.xxx =&gt; &#8220;2&#8221;. Switch the authentication type directly in the config table of the database with these SQL UPDATE statements:<\/p>\n<pre class=\"brush: sql; title: ; notranslate\" title=\"\">\r\nUPDATE &#x5B;RSA].&#x5B;dbo].&#x5B;IMS_CONFIG_VALUE] SET VALUE='true' where NAME = 'ims.ldap-slots.2.gssapi-supported'\r\nUPDATE &#x5B;RSA].&#x5B;dbo].&#x5B;IMS_CONFIG_VALUE] SET VALUE='true' where NAME = 'ims.ldap-slots.2-global.gssapi-supported'\r\nUPDATE &#x5B;RSA].&#x5B;dbo].&#x5B;IMS_CONFIG_VALUE] SET VALUE=NULL where NAME = 'ims.ldap-slots.2.username'\r\nUPDATE &#x5B;RSA].&#x5B;dbo].&#x5B;IMS_CONFIG_VALUE] SET VALUE=NULL where NAME = 'ims.ldap-slots.2-global.username'\r\n<\/pre>\n<p>Each SQL UPDATE command returns how many rows were affected:<\/p>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\n(1 row(s) affected)\r\n(1 row(s) affected)\r\n(1 row(s) affected)\r\n(1 row(s) affected)\r\n<\/pre>\n<p>Restart the SSO service by typing the following commands<\/p>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\nnet stop ssotomcat\r\nnet start ssotomcat\r\n<\/pre>\n<p>and try to log in to vCenter with a user from the just added domain. Use DOMAIN\\USER as the format for the username.<\/p>\n<p>If this post is useful for you or if you have a better approach, please let me know by adding a 
comment.<\/p>\n<p>Have fun, Michael<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Attention: If you plan an update to VMware vSphere\/vCenter 5.1.0 Update 1: currently this version contains a bug which prevents users from logging in. VMware is working on a fix. See KB2050941 =&gt; Bug is solved in 5.1.0 Update 1a Hi everybody, since VMware vCenter 5.1 a new service, SSO (the Single Sign On Service), handles the &hellip; <a href=\"https:\/\/michlstechblog.info\/blog\/vmware-vcenter-howto-add-a-active-directory-domain-as-identity-source-using-session-credentials\/\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">VMware vCenter: Howto add an Active Directory Domain as SSO Identity Source and using system session credentials<\/span> <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7],"tags":[95,96,99,89,88,94,97,92,29,90,87,98,93,91,86,14],"class_list":["post-396","post","type-post","status-publish","format-standard","hentry","category-vmware","tag-active-directory","tag-authentication","tag-credentials","tag-error","tag-gssapi","tag-ldap","tag-netbios-domain-name","tag-password","tag-reuse","tag-session","tag-sso","tag-system","tag-type","tag-username","tag-vcenter","tag-vmware-2"],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/posts\/396","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/comments?post=396"}],"version-history":[{"count":78,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/posts\/396\/revisions"}],"predecessor-version":[{"id":949,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/posts\/396\/revisions\/949"}],"wp:attachment":[{"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/media?parent=396"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/categories?post=396"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/tags?post=396"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}