Wednesday, April 25, 2018


Authenticate to vCenter from Active Directory credentials

By default, when you install vCenter, an SSO domain is deployed. When you authenticate on vCenter, you use an identity from this SSO domain. vCenter can also use identities from other identity sources such as Active Directory and LDAP. With Active Directory, you can create groups, assign them to vCenter roles and then manage access from Active Directory. In this topic, we’ll see how to authenticate to vCenter with Active Directory credentials.

Add identity source

To be able to authenticate to vCenter with Active Directory, you have to add an identity source. To add an identity source, navigate to Administration | Single Sign-On | Configuration. Click on the Add button.
Then select Active Directory (Integrated Windows Authentication).
On the next screen, the wizard tells you that you cannot add this identity source because the vCenter Single Sign-On server is not joined to a domain. So, click on Go to Active Directory Management to join the vCenter SSO server to the domain.
Next, click on Join.
Then specify a domain, an OU and credentials to join the vCenter to the domain.
Next, restart the vCenter server. When it is online again, it should be joined to the Active Directory domain.
Next, go back to Administration | Single Sign-On | Configuration. Click on the Add button. Then select Active Directory (Integrated Windows Authentication). The wizard now fills in the domain name automatically. Just click on Next.
After you have reviewed the settings, you can click on Finish to add the identity source.
Once you have added the identity source, you should see its information in the table as below.

Use Active Directory users and groups in vCenter

Now that vCenter can use Active Directory accounts to authenticate, you can browse users and groups. Navigate to the Users and Groups tab. In the Domain menu, select your domain. You should get all the users of the domain.
In the Active Directory console, I have created a group called GG-VMwareAdmins. The account Romain Serre is a member of this group.
Next, go back to vCenter and select the Groups tab. Select the Administrators group and click on Add Member.
Then select your domain and specify the name of the group in the search field. Once you have found your group, just click on Add and OK.
Now the GG-VMwareAdmins Active Directory group is a member of the vCenter Administrators group.
From the authentication page, log in with an account that is a member of the Active Directory group.
If the configuration is correct, you should be logged into vCenter as below.
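The steps above grant the AD group its rights by nesting it inside the SSO Administrators group. The following PowerCLI script is an added example, not code from the original post: it performs the equivalent assignment as an explicit vCenter permission on the root folder (which can use a less powerful role than Administrator and is easier to audit) and then lists every permission held by principals from the AD domain, warning if any other AD principal has full control of the inventory. It assumes the VMware.PowerCLI module is installed; the vCenter address `vcenter.example.local` and the NetBIOS domain name `LAB` are placeholders, and `GG-VMwareAdmins` is the group name used in the post.

```powershell
# Added example, not code from the original post.
# Assumes the VMware.PowerCLI module is installed and that the account used to
# connect can manage permissions. The server and domain names are placeholders;
# GG-VMwareAdmins is the group name used in the post.
param(
    [string]$VCenter    = 'vcenter.example.local',   # placeholder
    [string]$Domain     = 'LAB',                     # NetBIOS name of the joined AD domain (placeholder)
    [string]$AdminGroup = 'GG-VMwareAdmins'
)

Import-Module VMware.PowerCLI -ErrorAction Stop

# Interactive credential prompt; connect with an SSO or AD administrator.
$null = Connect-VIServer -Server $VCenter

# The root folder ("Datacenters") is the top of the vCenter inventory.
$rootFolder = Get-Folder -NoRecursion
$principal  = "$Domain\$AdminGroup"

# Grant the AD group the built-in Administrator role ('Admin') at the root,
# propagated to every child object. Replace 'Admin' with a custom role if the
# group does not need full control.
if (-not (Get-VIPermission -Entity $rootFolder -Principal $principal -ErrorAction SilentlyContinue)) {
    New-VIPermission -Entity $rootFolder -Principal $principal -Role 'Admin' -Propagate:$true | Out-Null
}

# Audit: every permission whose principal comes from the AD domain, so you can
# confirm the group has what you expect and nothing else was granted.
$adPermissions = Get-VIPermission |
    Where-Object { $_.Principal -like "$Domain\*" } |
    Sort-Object Principal |
    Select-Object Principal, Role, @{ n = 'Entity'; e = { $_.Entity.Name } }, Propagate, IsGroup

$adPermissions | Format-Table -AutoSize

# Flag any other AD principal that holds full control of the whole inventory.
$unexpectedAdmins = $adPermissions | Where-Object {
    $_.Role -eq 'Admin' -and $_.Propagate -and
    $_.Entity -eq $rootFolder.Name -and $_.Principal -ne $principal
}
if ($unexpectedAdmins) {
    Write-Warning ('Other AD principals hold the Administrator role at the root: ' +
                   (($unexpectedAdmins.Principal | Sort-Object -Unique) -join ', '))
}

Disconnect-VIServer -Server $VCenter -Confirm:$false
```

Note that an AD group nested inside the SSO Administrators group, as done in the steps above, does not appear as its own entry in Get-VIPermission; only the SSO group's own permission does. That is one reason to prefer an explicit permission for the AD group: the audit output then shows exactly which domain group has which role on which object.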

Activate Windows Session Authentication

VMware provides an authentication plugin that uses the Windows session login to authenticate to vCenter. The screenshots below come from Firefox. Open the browser and navigate to the vCenter authentication page. Then, in the footer of the page, click on Download Enhanced Authentication Plugin.
Once you run the installer, a warning says that all other plug-in instances will be stopped. Just click on OK.
Next, the wizard tells you that two plug-ins will be installed: the VMware Enhanced Authentication Plug-in and the VMware Plug-in Service. Click on OK.
For each plug-in, follow the wizard to install it.
When both plug-ins are installed, close and reopen the web browser. Next, open the vCenter authentication page again. You should see the pop-up below. Check Remember my choice for vmware-plugin links and click on Open link.
Next, you are able to check Use Windows session authentication. When you check the box, the pop-up below appears. Click on Allow.
Now you can use the Windows session credentials to authenticate to vCenter.

Conclusion

Authentication from Active Directory brings a valuable way to manage and segregate rights. Almost all companies have an Active Directory to manage authentication and authorization centrally. With Active Directory, vCenter authentication and authorization can also be managed from this service. This raises the security level because vCenter is no longer managed on its own and is integrated into the overall company security policies (such as password length, expiration and so on).

Wednesday, April 18, 2018

vSphere 6.5 -What’s New with vSphere 6.5 HA & DRS

Yesterday (18-OCT-2016), during VMworld Barcelona 2016, vSphere 6.5 was announced during the general session. vSphere 6.5 is released with a lot of new features that most of us were waiting for. It is the latest version of VMware’s industry-leading virtualization platform. This new release of vSphere features a dramatically simplified experience, comprehensive built-in security, and a universal app platform for running any app. As with each vSphere release, it continues to provide the best availability and resource management features for business-critical application workloads. vSphere 6.5 also adds new and improved features. We will talk about the new features available with vSphere 6.5 HA & DRS:
  • Proactive HA 
  • vSphere HA Orchestrated Restart 
  • Simplified vSphere HA Admission Control 
  • Network Aware DRS 
  • DRS Advanced options 
What’s new with vSphere 6.5 HA? 
Proactive HA 
vSphere 6.5 HA can now also detect the hardware condition of the ESXi host and let you evacuate the virtual machines before a hardware issue causes an outage for the VMs, with the help of Proactive HA. This works in conjunction with the hardware vendors’ monitoring solutions to receive the health status of hardware components such as memory, fans and power supplies. You can configure vSphere to respond according to the failure of hardware components.
If a hardware component fails and is marked as unhealthy by the hardware monitoring, vSphere classifies the affected ESXi host as either moderately degraded or severely degraded based on the component failure. vSphere then places the affected ESXi host into a new state called “Quarantine Mode”.
In Quarantine Mode, DRS will not use the ESXi host for new virtual machine placements, and DRS will attempt to evacuate the host as long as doing so would not cause a performance issue. You can also configure Proactive HA to place degraded ESXi hosts into Maintenance Mode, which vMotions the virtual machines to other healthy ESXi hosts in the cluster.
vSphere HA Orchestrated Restart 
With the vSphere 6.5 HA Orchestrated Restart option, we can define virtual machine to virtual machine dependency chains. These dependency rules are enforced when vSphere HA restarts VMs from a failed ESXi host. This option is really useful for recovering multi-tier applications that need to be brought up in a particular order; for example, the DB VM needs to be brought up first, followed by the app VM and then the web VM.
Simplified vSphere HA Admission Control 
A lot of improvements have been made to vSphere 6.5 HA Admission Control for simplified administration. Admission control is used to set aside a calculated amount of resources that are used in the event of a host failure.
Cluster Resource Percentage: Simply define the number of ESXi host failures to tolerate. vSphere HA will automatically calculate a percentage of resources to set aside by applying the “Percentage of Cluster Resources” admission control policy. It is automatically recalculated if you add or remove ESXi hosts in the cluster.
Possible Override: You can override the default CPU and memory settings if needed. This option is also automatically recalculated, based on its override percentage, if you add or remove ESXi hosts from the cluster.
Performance Degradation VMs Tolerate: The vSphere Web Client will issue a warning if vSphere HA detects that a host failure would cause a reduction in VM performance, based on the actual resource consumption and not only on the configured reservations. The administrator is able to configure how much performance loss is tolerated before a warning is issued.