Working with (Active Directory) service accounts for the vSphere integration of VMware products (NSX as an example)
With the deployment of vSphere products a lot of integration happens towards the vSphere environment, so that the product can work together with the vCenter inventory. The easiest way to integrate is to use "local" user accounts, that is, accounts that are local to the SSO domain specified in the Platform Services Controller. From a manageability and security perspective this is probably not the best thing to do. That's why a lot of companies use dedicated "service accounts" on a per-product basis: a different service account is used to integrate each product (either 3rd party or other VMware products).
How does this work?
vSphere (and the Platform Services Controller (PSC) in particular) is capable of adding external sources to authenticate against. This integration can be done in two ways:
- By logging into the vCenter Server using the vSphere Web Client
  * https://<vcenter-ip-fqdn>/vsphere-client
  * Administrator —> Configuration —> Identity Sources
- By logging into the Platform Services Controller management console
  * https://<psc-ip-fqdn>/pcs
  * Configuration —> Identity Sources
Platform Services Controller
Integrating vSphere with Active Directory
I will use the PSC’s web client to add the Active Directory server. I have created one Active Directory group and two Active Directory users and placed these users into the group.
Adding AD users to an AD group
Adding a domain to the PSC
After this change a reboot of the PSC is required; then we can add an Identity Source.
When we look at the users and select the AD domain
Now we need to add the AD group (with the two users inside) to the Administrators group.
Integrate NSX with vSphere
Now let's integrate NSX with vSphere using the service account “svc-nsxmanager”.
Let's also integrate the PSC using this same service account.
And this works as well…
Let's try to log in to vCenter with the vSphere Web Client using my normal account “iwan”. I am NOT able to see the NSX Manager in the Network & Security section of vCenter. This is because my user “iwan” does not have rights on the NSX Manager.
In order to fix this I will log in to vCenter with the vSphere Web Client using the service account “svc-nsxmanager”.
I will add the AD group named “vCenterAdmins” as an Enterprise Administrator (in the NSX Manager). My user “iwan” is a member of “vCenterAdmins”, so this should work.
NOTE: MAKE SURE THE DOMAIN + GROUP NAME (OR USER) IS SPELLED CORRECTLY OTHERWISE IT WILL NOT WORK.
Let's try to log in to vCenter with the vSphere Web Client using my normal account “iwan” again.
- It is the PSC that effectively does the integration with AD
- This is done through vCenter Server (by adding an AD identity source) or through the admin section of the Platform Services Controller
- Once this is done you are able to see AD users and groups in the Platform Services Controller and the vCenter Server
- The service account can be used immediately (after the AD group that contains the service account has been added to the vSphere Administrators “roles” section)
- This service account gets the “role” that is typically the “Administrator” role, to do normal vCenter administration tasks
  * One of these “tasks” is integrating the NSX Manager with vCenter
- When the service account is used in the NSX Manager, this account is also added in the NSX Manager as an “Enterprise Administrator”
  * This integration is typically done with the “firstname.lastname@example.org” account (in our home labs ;-) )
- When you log in to the vSphere Web Client with this service account, the NSX Manager is visible and you are able to manage it
- When I logged in with another AD account (in my case “iwan”) I was not able to see / manage the NSX Manager
  * When the service account is used for the NSX to vCenter integration, you need to log in to the vSphere Web Client with this service account, and only then are you able to see the NSX Manager and manage the NSX environment
- To make this work for other accounts I have added the AD group to the NSX Manager (paypoint.dc\vCenterAdmins)
  * Because this AD group is already added to the vCenter Administrator roles, we don't need to do anything else on the vCenter side
- AD users (or AD groups that contain AD users) that you want to use to log in to vCenter need to have a vCenter “role” assigned
- To manage the NSX environment you still need to add the AD account or AD group to the NSX Manager and assign it the NSX Enterprise Administrator role (which is separate from the vCenter roles)
- After this I was able to log in with my “iwan” account (non-service account) and see / manage the NSX Manager
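As an added example that is not part of the original post, the PowerCLI script below checks both halves of the setup described above: that the AD group holds a propagated Administrator role on the vCenter root object, and which role the same group holds in NSX Manager. It assumes PowerCLI is installed, that the NSX-v user management endpoint `/api/2.0/services/usermgmt/users/vsm` returns `<userInfo>` elements with `userId`, `role` and `isGroup`, and that the NSX role name for Enterprise Administrator is `enterprise_admin`; the host names are placeholders.

```powershell
param(
    [string]$VCenter    = 'vcenter.example.test',  # placeholder, not from the post
    [string]$NsxManager = 'nsxmgr.example.test',   # placeholder, not from the post
    [string]$GroupName  = 'vCenterAdmins'          # the AD group used in the post
)

# vCenter side: the AD group must hold a role on the root of the inventory.
# The "Administrator" role shown in the Web Client is named 'Admin' in the vSphere API.
$vc   = Connect-VIServer -Server $VCenter -Credential (Get-Credential -Message 'vCenter login')
$root = Get-Folder -Server $vc -NoRecursion
$perm = Get-VIPermission -Server $vc -Entity $root |
        Where-Object { $_.IsGroup -and $_.Principal -ilike "*\$GroupName" }

if (-not $perm) {
    Write-Warning "Group $GroupName has no permission on the vCenter root object"
} elseif ($perm.Role -ne 'Admin' -or -not $perm.Propagate) {
    Write-Warning ("Group {0} holds role '{1}' (propagate={2}) on the root, not a propagated Admin" -f `
                   $perm.Principal, $perm.Role, $perm.Propagate)
} else {
    Write-Host "vCenter: $($perm.Principal) is a propagated Administrator"
}
Disconnect-VIServer -Server $vc -Confirm:$false

# NSX Manager side: NSX keeps its own roles, separate from vCenter roles, so check them too.
# The NSX Manager certificate must be trusted by this host; certificate checking is not disabled.
$nsxCred = Get-Credential -Message 'NSX Manager login'
$pair    = '{0}:{1}' -f $nsxCred.UserName, $nsxCred.GetNetworkCredential().Password
$token   = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($pair))
[xml]$users = Invoke-RestMethod -Method Get `
                -Uri "https://$NsxManager/api/2.0/services/usermgmt/users/vsm" `
                -Headers @{ Authorization = "Basic $token"; Accept = 'application/xml' }

# Assumed response shape: <users><userInfo><userId/><role/><isGroup/>...</userInfo>...</users>
$entry = $users.users.userInfo |
         Where-Object { $_.isGroup -eq 'true' -and $_.userId -ilike "*$GroupName*" }

if (-not $entry) {
    Write-Warning "Group $GroupName is not assigned any NSX role"
} elseif ($entry.role -ne 'enterprise_admin') {
    Write-Warning "NSX: $($entry.userId) holds role '$($entry.role)', not enterprise_admin"
} else {
    Write-Host "NSX: $($entry.userId) is Enterprise Administrator"
}
```

The principal shown by `Get-VIPermission` carries the domain as it is registered in SSO (often the NetBIOS name), which is why the script matches on the trailing group name rather than on the full `domain\group` string.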