VMware VS4-ENT-PL-A Setup Guide - Page 88
vSphere Installation and Setup

Option: Description

OpenLDAP: Use this option for an OpenLDAP identity source. See "Active Directory LDAP Server and OpenLDAP Server Identity Source Settings," on page 89.

LocalOS: Use this option to add the local operating system as an identity source. You are prompted only for the name of the local operating system. If you select this option, all users on the specified machine are visible to vCenter Single Sign-On, even if those users are not part of another domain.

NOTE If the user account is locked or disabled, authentications and group and user searches in the Active Directory domain will fail. The user account must have read-only access over the User and Group OU, and must be able to read user and group attributes. This is the default Active Directory domain configuration for user permissions. VMware recommends using a special service user.

5 If you configured an Active Directory as an LDAP Server or an OpenLDAP identity source, click Test Connection to ensure that you can connect to the identity source.

6 Click OK.

What to do next

When an identity source is added, all users can be authenticated but have the No access permission. A user with the vCenter Server Modify permissions privilege can assign permissions to users or groups of users to enable them to log in to vCenter Server. See "Assign Permissions in the vSphere Web Client," on page 89.

Active Directory Identity Source Settings

If you select the Active Directory (Integrated Windows Authentication) identity source type, you can either use the local machine account as your SPN (Service Principal Name) or specify an SPN explicitly. Select Use machine account to speed up configuration. If you expect to rename the local machine on which vCenter Single Sign-On runs, specifying an SPN explicitly is preferable.

Table 4‑1. Add Identity Source Settings

Field: Description

Domain name: FQDN of the domain. Do not provide an IP address in this field.

Use machine account: Select this option to use the local machine account as the SPN. When you select this option, you specify only the domain name. Do not select this option if you expect to rename this machine.

Use SPN: Select this option if you expect to rename the local machine. You must specify an SPN, a user who can authenticate with the identity source, and a password for the user.

Service Principal Name: SPN that helps Kerberos to identify the Active Directory service. Include the domain in the name, for example, STS/example.com. You might have to run setspn -S to add the user you want to use. See the Microsoft documentation for information on setspn. The SPN must be unique across the domain. Running setspn -S checks that no duplicate is created.
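The following pre-flight check is an added example, not part of the VMware guide: before entering a service user and explicit SPN in the Use SPN fields, it verifies the conditions the NOTE and Table 4-1 describe (account enabled and not locked out, SPN unique in the domain) and only then registers the SPN with setspn -S. It assumes the RSAT ActiveDirectory PowerShell module is installed on a domain-joined Windows host; the domain, account and SPN values are placeholders.

```powershell
# Added example: pre-flight checks for the vCenter Single Sign-On service account
# and SPN. Assumes the RSAT ActiveDirectory module. All names are placeholders.
param(
    [string]$Domain         = 'example.com',   # placeholder FQDN, never an IP address
    [string]$ServiceAccount = 'svc-vcsso',     # placeholder read-only service user
    [string]$Spn            = "STS/$Domain"    # SPN form shown in Table 4-1
)
Import-Module ActiveDirectory -ErrorAction Stop

# 1. A locked or disabled account breaks authentication and user/group searches.
$user = Get-ADUser -Identity $ServiceAccount -Server $Domain `
        -Properties Enabled, LockedOut, servicePrincipalName
if (-not $user.Enabled) { throw "$ServiceAccount is disabled" }
if ($user.LockedOut)    { throw "$ServiceAccount is locked out" }

# 2. The SPN must be unique across the domain: look for any other object holding it.
$holders = Get-ADObject -Server $Domain -LDAPFilter "(servicePrincipalName=$Spn)" `
           -Properties servicePrincipalName
$others  = @($holders | Where-Object { $_.DistinguishedName -ne $user.DistinguishedName })
if ($others.Count -gt 0) {
    throw "SPN $Spn is already registered on: $($others.DistinguishedName -join ', ')"
}

# 3. Register the SPN on the service account if it is not there yet.
#    setspn -S itself refuses to create a duplicate, as the guide notes.
if ($user.servicePrincipalName -notcontains $Spn) {
    & setspn -S $Spn "$Domain\$ServiceAccount"
    if ($LASTEXITCODE -ne 0) { throw "setspn -S failed with exit code $LASTEXITCODE" }
}

Write-Output "$ServiceAccount is enabled, unlocked and holds $Spn; safe to enter in Use SPN"
```

Run it as an account allowed to write servicePrincipalName on the service user; step 3 is skipped when the SPN is already present, so the script is safe to re-run after a machine rename.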