How to Join the vCSA 6.5 to an Active Directory Domain
Published: 2019-06-20



In vSphere 6.5, the underlying operating system of the vCenter Server Appliance (vCSA) has been changed to VMware's Photon OS. With the new OS, you can still join an Active Directory domain to comply with company policies or to use Windows session authentication. Joining an Active Directory domain is part of the infrastructure node configuration, which belongs to the Platform Services Controller. Before joining a domain, verify the standard AD requirements such as time synchronization and naming.

If you want to log in with the "Windows session authentication" checkbox, you have to add the appliance running the Platform Services Controller (PSC) to the domain. For embedded deployments, join the appliance running both the vCenter and the PSC to the domain.

Join AD Domain with the vSphere Web Client

  1. Open vSphere Web Client (https://[vcenter]/vsphere-client)

  2. Log in as Single Sign-On Administrator or a user with global permissions.

  3. Navigate to Administration > Deployment > System Configuration

  4. Open Nodes and select the vCenter or external PSC

  5. Navigate to Manage > Settings > Advanced > Active Directory and click Join...

  6. Enter AD domain information

  7. Press OK

  8. The configured domain does not appear immediately; you have to reboot the appliance.

    Hint: You can reboot infrastructure nodes from the context menu
    When the appliance is back online it is part of the Active Directory domain

 

Join AD Domain from the Command Line

  1. (optional) Enable SSH login

    vSphere Web Client > Administration > Deployment > System Configuration > Nodes > Manage > Settings > Access 

  2. Connect to the vCenter Server Appliance with SSH

  3. Activate the bash shell

    Command> shell
  4. Use the domainjoin-cli tool to join the domain

    # /opt/likewise/bin/domainjoin-cli join [domain] [user name] [password]

  5. Reboot the appliance

    # reboot

    When the appliance is back online it is part of the Active Directory domain

 

Verify Domain Status

Verify domain status from the domain controller

Verify domain status with the vSphere Web Client

Verify domain status from vCSA command line:

# /opt/likewise/bin/domainjoin-cli query
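
To make the command-line check scriptable, the following added example (not part of the original article) parses the `domainjoin-cli query` output and compares the reported domain with the one you expect. The `Key = Value` output layout, the sample host `vcsa01`, and the function names are assumptions.

```shell
#!/bin/bash
# Added example (not from the original article): check the join state that
# `domainjoin-cli query` reports against the domain you expect.
# Assumed output format: "Key = Value" lines (Name, Domain, DistinguishedName),
# with an empty Domain value when the appliance is not joined.
# When joining, leaving the password argument off should make the tool prompt
# for it (assumption for this build), keeping it out of history and `ps`.

DOMAINJOIN=/opt/likewise/bin/domainjoin-cli   # path used in the article

# Constructed sample outputs, used when the tool is not present.
SAMPLE_JOINED='Name = vcsa01
Domain = VIRTEN.LAB
DistinguishedName = CN=VCSA01,CN=Computers,DC=virten,DC=lab'
SAMPLE_UNJOINED='Name = vcsa01
Domain ='

# Print the value of one key from "Key = Value" text on stdin.
# Only the first " = " is stripped, so DNs containing "=" survive intact.
query_field() {
    awk -F' *= *' -v key="$1" '$1 == key { sub(/^[^=]*= */, ""); print; exit }'
}

# Read query output on stdin and compare it with the expected domain ($1).
# Returns 0 joined, 1 not joined, 2 joined to a different domain.
check_join() {
    want=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    out=$(cat)
    have=$(printf '%s\n' "$out" | query_field Domain | tr '[:lower:]' '[:upper:]')
    dn=$(printf '%s\n' "$out" | query_field DistinguishedName)
    if [ -z "$have" ]; then
        echo "NOT_JOINED"; return 1
    elif [ "$have" != "$want" ]; then
        echo "WRONG_DOMAIN $have"; return 2
    fi
    echo "JOINED $have $dn"
}

if [ -x "$DOMAINJOIN" ]; then
    "$DOMAINJOIN" query | check_join "${1:-virten.lab}"   # live check on the appliance
else
    printf '%s\n' "$SAMPLE_JOINED" | check_join virten.lab
fi
```

Run it after the reboot with the expected domain as the first argument; a non-zero exit status means the appliance is not joined or is joined to a different domain.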

How to add AD Authentication in vCenter 6.5

The vCenter Server has an internal user database that allows you to add and manage users with the vSphere Web Client. User management and Single Sign-On are provided by the Platform Services Controller, which has been available since vSphere 6.0. In a large environment, you might want to connect your virtualization infrastructure to a centrally managed Active Directory.

This article explains how to add AD authentication in vSphere 6.5 and how to get the "Use Windows session authentication" checkbox to work with the Enhanced Authentication Plugin. This works for both the vCenter Server 6.5 installed on a Windows Server and the vCenter Server Appliance (vCSA).

  1. Open vSphere Web Client (https://[vcenter]/vsphere-client)

  2. Log in as Single Sign-On Administrator (password set during installation)

  3. Navigate to Administration > Single Sign-On > Configuration

  4. Open the Identity Sources tab

  5. Click the green + to add an identity source


  6. Select Identity Source Type:

    A) Active Directory (Integrated Windows Authentication)
    This option works with both the Windows-based vCenter Server and the vCenter Server Appliance. The underlying system has to be a member of the Active Directory domain. (To join the vCSA to an AD domain, see the join procedure above.)
    B) Active Directory as a LDAP Server
    Use this option if the underlying system is not part of the Active Directory domain.
    Fill out the remaining fields as follows:

    Name: Label for identification

    Base DN for users: The Distinguished Name (DN) of the starting point for directory server searches. Example: If your domain name is virten.lab the DN for the entire directory is "DC=virten,DC=lab".
    Base DN for groups: The Distinguished Name (DN) of the starting point for directory server searches.
    Domain name: Your domain name. Example: "virten.lab"
    Domain alias: Your NetBIOS name. Example: "virten"
    Username: A user in the AD domain with at least browse privileges. Example: virten\vcentersso

    Select "Connect to any domain controller in the domain" if you want to use DNS to identify domain controllers, or configure static primary and secondary URLs. When using static entries, you can query either the local directory (port 389) or the global catalog (port 3268).

    Example: "ldap://dc01.virten.lab:3268"

  7. Click Next and finish the configuration wizard

  8. Back at Identity Sources, your AD should appear in the list. From now on you can assign vCenter permissions to users and groups from your Active Directory.

  9. Select your Active Directory and click the world-with-arrow button to make AD your default domain.

  10. To log in with AD users, you have to set permissions. To add an AD user as global Administrator, navigate to Administration > Access Control > Global Permissions

  11. Click Add permission


  12. Click Add...

  13. Select the Active Directory domain under Domain, choose a user and press Add


  14. Press OK twice

You should now be able to log in to the vCenter 6.5 with your Active Directory account.

Use Windows session authentication

The "Use Windows session authentication" checkbox is disabled unless the Enhanced Authentication Plugin is installed. You can find the download link at the bottom of the login screen.

The vCenter Single Sign-On server is not currently joined to any domain.

When the following message is displayed:

The vCenter Single Sign-On server is not currently joined to any domain. You cannot complete the current operation.

Join the underlying operating system to an Active Directory domain, or use the procedure above to add the vCenter Server Appliance to an AD domain.

This article is reposted from the 学海无涯 blog on 51CTO. Original link: http://blog.51cto.com/549687/1932682. To republish it, please contact the original author.

520feng2007
