Working with (Active Directory) service accounts for the vSphere integration of VMware products (NSX as an example)

Introduction

With the deployment of vSphere products a lot of integration happens towards the vSphere environment in order to work with the vCenter inventory. The easiest way to integrate is to use “local” user accounts, i.e. accounts that are “local” to the SSO domain specified in the Platform Services Controller. From a manageability and security perspective this is probably not the best thing to do. That's why a lot of companies use dedicated “service accounts” on a per-product basis, so that different service accounts are used to integrate different products (either 3rd party or other VMware products).

How does this work?

vSphere (and the Platform Services Controller (PSC) in particular) is capable of adding external sources to authenticate against. This integration can be done in two ways:

  • By logging into the vCenter Server using the vSphere Web Client
    • https://<vcenter-ip-fqdn>/vsphere-client
    • Administration —> Configuration —> Identity Sources
  • By logging into the Platform Services Controller management console
    • https://<psc-ip-fqdn>/pcs
    • Configuration —> Identity Sources

vCenter Server

Service-account-01.png

Platform Services Controller

Service-account-02.png

Integrating vSphere with Active Directory

I will use the PSC’s web client to add the Active Directory server. I have created one Active Directory group and two Active Directory users and placed these users into the group.

Group

  • vCenterAdmins

Users

  • iwan
  • svc-nsxmanager

Adding AD users to an AD group

Service-account-03.png

Service-account-04.png

Adding a domain to the PSC

Service-account-05.png

After this change a reboot of the PSC is required; then we can add an Identity Source.

Service-account-06.png

When we look at the users and select the AD domain:

Service-account-07-02.png

Now we need to add the AD group (with the two users inside) to the Administrators group.

Service-account-08.png

Service-account-09-02.png

Integrate NSX with vSphere

Now let's integrate NSX with vSphere using the service account “svc-nsxmanager”.

Service-account-10.png

Let's also integrate the PSC using this same service account.

Service-account-11.png

And this works as well…

Let's try to log in to vCenter with the vSphere Web Client using my normal account “iwan”. I am NOT able to see the NSX Manager in the Network & Security section of vCenter. This is because my user “iwan” does not have rights on the NSX Manager.

Service-account-12-02.png

In order to fix this I will log in to vCenter with the vSphere Web Client using the service account “svc-nsxmanager”.

Service-account-13-02.png

I will add the “AD” group named “vCenterAdmins” as an Enterprise Administrator (in the NSX Manager). My user “iwan” is a member of “vCenterAdmins”, so this should work.

NOTE: MAKE SURE THE DOMAIN + GROUP NAME (OR USER) IS SPELLED CORRECTLY OTHERWISE IT WILL NOT WORK.

Service-account-16.png

Let's try to log in to vCenter with the vSphere Web Client using my normal account “iwan” again.

Service-account-17.png

Summary

  1. It is the PSC that effectively does the integration with AD.
  2. This is done through vCenter Server (by adding an AD identity source) or through the admin section of the Platform Services Controller.
  3. Once this is done you are able to see AD users and groups in the Platform Services Controller and in vCenter Server.
  4. The service account can be used immediately after the AD group that contains the service account has been added to the vSphere Administrators "roles" section.
    1. This service account gets the “role”, typically the “Administrator” role, needed to do normal vCenter administration tasks.
    2. One of these “tasks” is integrating the NSX Manager with vCenter.
  5. When the service account is used in the NSX Manager, this account is also added in the NSX Manager as an “Enterprise Administrator”.
    1. This integration is typically done with the “administrator@vsphere.local” account (in our home labs ;-) ).
  6. When you log in to the vSphere Web Client with this service account the NSX Manager is visible and you are able to manage it.
  7. When I logged in with another AD account (in my case “iwan”) I was not able to see / manage the NSX Manager.
    1. When the service account is used for the NSX to vCenter integration you need to log in to the vSphere Web Client with this service account; only then will you be able to see the NSX Manager and manage the NSX environment.
  8. To make this work I have added the AD group to the NSX Manager (paypoint.dc\vCenterAdmins).
    1. Because this AD group is already added to the vCenter Administrator roles we don't need to do anything else.
  9. AD users that you want to use (or AD groups that contain AD users) to log in to vCenter need to have a vCenter “role” assigned.
  10. To manage the NSX environment you still need to add the AD account or AD group to the NSX Manager and assign it the NSX Enterprise Administrator role (which is different from the vCenter roles).
  11. After this I was able to log in with my “iwan” account (non service account) and see / manage the NSX Manager.
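As an added example (not from the original post), here is a small Python check for points 9 and 10 above and for the spelling note earlier: it reads the NSX Manager user-role list and reports whether a given domain\group or user actually holds the Enterprise Administrator role, flagging entries that differ only in spelling/case. It assumes the NSX 6.x API endpoint `GET /api/2.0/services/usermgmt/users/vsm` and the XML element names shown in the constructed sample; `fetch_users_xml` is a hypothetical helper for running it against a live NSX Manager.

```python
import base64
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample of the user-role list returned by NSX Manager; the
# element names are an assumption based on the NSX 6.x usermgmt API.
SAMPLE_XML = r"""<users>
  <userInfo>
    <userId>administrator@vsphere.local</userId>
    <isGroup>false</isGroup>
    <accessControlEntry><role>enterprise_admin</role></accessControlEntry>
  </userInfo>
  <userInfo>
    <userId>paypoint.dc\vCenterAdmins</userId>
    <isGroup>true</isGroup>
    <accessControlEntry><role>enterprise_admin</role></accessControlEntry>
  </userInfo>
</users>"""

def list_role_holders(xml_text):
    """Parse the list into {userId: (is_group, [roles])}."""
    holders = {}
    for info in ET.fromstring(xml_text).iter("userInfo"):
        uid = info.findtext("userId", default="")
        is_group = info.findtext("isGroup", default="false") == "true"
        roles = [r.text for r in info.iter("role") if r.text]
        holders[uid] = (is_group, roles)
    return holders

def check_principal(xml_text, principal, role="enterprise_admin"):
    """Verdict for one domain\\group or user: 'ok', 'no_role' (present
    without the role), 'spelling' (only a case-different entry exists,
    worth a look given how picky the name matching is) or 'missing'."""
    holders = list_role_holders(xml_text)
    if principal in holders:
        return "ok" if role in holders[principal][1] else "no_role"
    if any(uid.lower() == principal.lower() for uid in holders):
        return "spelling"
    return "missing"

def fetch_users_xml(nsx_host, user, password):
    """Hypothetical helper: pull the live list over HTTPS with basic auth
    (TLS verification stays on); only needed against a real NSX Manager."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"https://{nsx_host}/api/2.0/services/usermgmt/users/vsm",
        headers={"Authorization": "Basic " + token})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode()
```

Run `check_principal(fetch_users_xml(host, user, pw), r"domain\group")` after adding a group to confirm the assignment took, before handing the account to its owner.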