VMWare

Configuring Active Directory as Identity Source for use with SSO 6.0

Posted by Jones Babu on

Configuring Active Directory as Identity Source for use with SSO 6.0 can be done in 2 ways

a. Use the Machine Account(Any AD Account)

b. Use with Service Principal Name

The below is the step-by-step procedure for configuring via Service Principal Name

Prerequisite:

1. A domain account with domain administrator privileges is required when assigning a SPN to an account.

2. A domain account with domain user privileges is a minimum requirement for the account to be used as the SPN account.

b

3. You need access to vCenter Server running on a Windows platform or a Windows system connected to the same domain as vCenter Server Appliance.

Creating an SPN for use with SSO 6.0 :

Validation :
To verify that an SPN does not already exist on the account to be used:

Type the following command to verify that no other SPNs have been created on this domain for

setspn -Q sts/DNS_domain_name

For example:

C:\>setspn -Q STS/lab.local

You see output similar to:

No such SPN Found.

1. Log in to vCenter Server using a domain administrator account.

Note: If using the vCenter Server Appliance 5.1 (VCSA), these actions can be performed on a Windows workstation joined to the same domain as the VCSA.

2. Open an elevated command prompt. For more information, see Opening a command or shell prompt

3. Type the following command and press enter

setspn -S sts/DNS_Domain_name Domain_User_account

For example:

C:\>setspn -S STS/lab.local SSOServiceAccount

You see output similar to:

a

Notes:
If a duplicate SPN is found, check your Active Directory administrator for deleting the SPN.
You must use the SPN name STS so that the Identity Source is created.

Configuring Active Directory Identity Source for use with SSO 6.0

1.Log in to the vSphere Web Client as administrator@vsphere.local or as another user with SSO administrator privileges.

2.Navigate to Administration > Single Sign-On > Configuration. c
3.In the Identity Sources tab, click the Add Identity Source icon  under the option menu.
d
4.Click Active Directory (Integrated Windows Authentication).

5.Select the Use SPN option.

6.Enter these information:

Domain name: DNS_Domain_name
Service Principal Name (SPN): STS/DNS_Domain_name
User Principal Name (UPN): Domain User assigned SPN@DNS_Domain_name.com
Password: Password

For example:

e
Domain name: lab.local
Service Principal Name (SPN): STS/lab.local
User Principal Name (UPN): SSOServiceAccount@lab.local
Password: Achieve@2016

Leave a comment