VIDEO: New vSphere 4.1 Windows Active Directory Authentication

by David Davis on July 13, 2010


With the VMware vSphere 4.1 release there are lots of new features to talk about! One of those features that caught my eye is the ability for ESX/ESXi servers to “join” a Windows Active Directory (AD) domain. That’s right, an ESX server can be a member server in AD. That means that you can then login to that ESX host using your Winodws AD username and password. This applies when connecting to the server using the vSphere Client, going to the console, or connecting via SSH. This is also a nice security function because instead of logging on locally as “root”, now each user can login as themselves (and that entry will be made in the associated security logs).

Here’s a new video I created on how to configure this cool new vSphere 4.1 feature – Windows Active Directory Authentication.

{ 18 comments… read them below or add one }

Doug Davis 07.13.10 at 9:46 am

Great new feature & great video on how to configure it. How do you configure sudo for domain users to save everyone knowing the root password?

Doug Davis 07.13.10 at 10:38 am

Found out how to do this eventually – just need to do an ‘id’ command on the host to see the way the AD groups you are a member of are listed, then add the AD group to the sudoers file.

Kenneth Davis 07.14.10 at 10:39 am

Do you think this new feature will impact the decision of having physical or virtual domain controllers? or should that be a non issue?

Rich Newton 07.14.10 at 11:34 am

Does this feature work on ESX and ESXi 4.1?

David Davis 07.14.10 at 1:46 pm

Hi All,
Thanks for the comments!

To answer the questions one at a time…
1. Doug – Thanks for your comment and follow up on how to configure this! Glad you liked the video!
2. Kenneth – No, I don’t think that this has any anything to do with DC’s really… This just allows an ESX or ESXi server to be an AD member server and it allows you to use your AD credentials when administering the server locally.
3. Rich – According to VMware, YES, it works with ESX AND ESXi. I had some issues with ESXi in my beta and that was why I didn’t demo it with ESXi or mention it too much but, according to VMware, it should be working with ESXi and the GA version of 4.1

Thanks for watching!
-David

Kenneth Davis 07.14.10 at 7:43 pm

Does this work if you are using a standalone box with just vi client? I was ale to join my domain but I didn’t see where I could add my domain users or group

David Davis 07.15.10 at 12:18 pm

Hi Kenneth,
Thanks for your post!
Great Question!
I need to test this with a standalone ESXi server. The default group for authentication that should be created when you join the ESXi host is “ESX Admins”. Check your AD DC to see if that group was created. From there, you would just add the appropriate AD users to that group to make them ESXi admins on the standalone server (that’s the THEORY at least).
I’ll do some more testing on this.
Thanks!
-David

Marc 08.24.10 at 9:19 pm

Thank you for the video. I enjoyed it.

Ravinder Kumar 08.29.10 at 4:57 am

Hi David,
Thanks for this video, whcih guide throgh how to AD Authentication works with ESX 4.1. I just down loaded ESXi 4.1 and follow the same steps as you shown in video and it works perfectly. Once again thankyou so much for sharing such informative video.

berry 08.30.10 at 5:49 am

Thanks for the video! Hope you can advise/help me on this one: when i use a AD account to login with VI it works, when i login with putty/ssh the machine crashes. Somebody any ideas?

Kirby 09.03.10 at 5:43 pm

I have the exact same problem as berry does. Authenticate with userid@domain.com it crashes. If I just use userid without the domain.com it says access denied.

Kirby 09.17.10 at 10:10 am

VMWare tech support directed me to this KB article. This is a known problem if your AD id is a member of more the 32 groups. They have a fix but have not released it to the general public. Trying to get the patch now.
http://kb.vmware.com/kb/1026321

Prashanth 09.26.10 at 6:10 pm

Hi Davis,
Great video. Do we really need to explicityly call the group as ESX admins? (Security-folks don’t like that?)

Is ESX Admins, hardcoded in ESX 4.1 host? It’s not listed in local groups of the host (while connected via vsphere), yet it’s displayed under the permissions tab even without manually adding the group.

If I created a group called anything else(eg:hostadmins) other than ‘ESX Admins’, that group needs to be explicity added to the local host.

Though, creating ESX admins or any other group, the connection experience is same, the difference would be adding the group explicityly to the host (hostadmins)

Cheers
Prashanth

Graham 09.27.10 at 9:32 pm

Good stuff, is it still possible to use the root login to access an ESX host if AD is unavailable, when directory services is configured as the default authentication method?

David Davis 09.29.10 at 8:53 am

About the “ESX Admins” group, let me offer some clarification from Maishsk over at Technodrone and from Rapael Schitz at Hypervizor.fr:

*** Update ***

I would like to also point out the what Raphael Schitz posted on his blog regarding the ESX Admins group and how this group automatically has access to the host just added to the domain. Thanks for pointing this out

By default, the ESX host assigns the Administrator role to the “ESX Admins” group.
If the group does not exist when the host joins the domain, the host will not assign the role.
In this case, you must create the “ESX Admins” group in the Active Directory.
The host will periodically check the domain controller for the group and will assign the role when the group exists.

Prashanth 10.02.10 at 7:29 am

Graham,
Yes, even though the host cannot reach the Domain controller you can still login with the root account or other accoutns which are local to the host.(obviously AD accounts cannot be used,unless they are cached on)

cheers
Prashanth

Amit Sharma 11.30.10 at 5:18 pm

Thanks for the Video David. You always do a great job

Around 2:04 you said entry for ESX on the domain controller whereas its in the DNS :)

just wanted to mention to avoid confusion it might cause to some folks.

Manasa 03.05.12 at 3:15 am

Is the information about this stored in some file ? I want to get the collect the data if the active directory is configured.Is it stored in some variable or file from which I can read the setting information ?

Leave a Comment

You can use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

Previous post:

Next post: