vRealize Automation 7 – Authentication
January 13, 2016

In order to set up Active Directory Integrated Authentication, we must log in to our default tenant again, but this time as our “Tenant Administrator” (which we set up in the previous post) instead of the system administrator account that is created during the initial setup.
Once you’re logged in, click the Administration tab –> Directories Management –> Directories and then click the “Add Directory” button. Give the directory a descriptive name, such as the name of the AD domain. Then select the type of directory. I’ve chosen the “Active Directory (Integrated Windows Authentication)” option. This will join the vRA appliance to the AD domain and use the computer account for authentication. Note: you must set up Active Directory in the default (vsphere.local) tenant before it can be used in the subtenants.
Next, choose the name of the vRA appliance for the “Sync Connector” and select “Yes” for Authentication. I’ve chosen sAMAccountName as the Directory Search Attribute. After this, we need to enter an account with permissions to join the vRA appliance to the Active Directory domain. Lastly, enter a Bind UPN that has permissions to search Active Directory for user accounts. Click “Save and Next”.
Now, select the domain you just added. Click Next.
Now we can map vIDM properties to your Active Directory properties. The properties I used are shown in the screenshot below. I tweaked the default values a little, but for the most part all of the properties were already mapped correctly to start with.
Now we enter a Distinguished Name to search for groups to sync. I chose the root DN of my domain and selected all of the groups. Click Next.
I repeated the process with user accounts. Click Next.
The next screen shows you details about the user and groups that will be synced. You can edit your settings or click “Sync Directory” to complete the setup.
Summary
In this post, we’ve added an external identity source to sync logins with. This is much preferable to adding local user accounts and making your users remember multiple accounts. In future posts, we’ll add these users to business groups, tenant administrators, fabric administrators and other custom groups.
Great job! Keep it on!
Hi there,
Awesome guide on vRA 7. Getting an ‘Access Denied, You do not have access to this service. Contact your administrator for assistance’ error when logging into the portal using domain users/admins even after adding the group to the tenant and IAAS admin groups and to various business groups etc. Login using local accounts is fine and searching domain users works a treat.
Any ideas? Cheers
Be sure that your time sync is set to the same NTP server on the IaaS and vRA appliances. Then I’d make sure the Identity Manager is syncing correctly.
Thanks for reading!
Hi Eric,
Thank you for getting back to me. A combination of adding the IAAS server to the domain admins group in AD and changing the time zone on the appliance worked a treat. Thank you!!
Can the same task be done with workflow in Orchestrator?
I’m not sure what you’re looking to do.
Setup the authentication settings with a vRO workflow?
Can “Sync Now” task can be automated using orchestrator?
I want the “Sync Now” task to be triggered when the workflow is executed.
Can u help me in this?
Did u ever find a way to solve this?
Yes, it can be automated. You can run the update identity manager workflow and it will sync the directory.
Hi Eric,
great post, thank you very much for that.
I have the same access denied problem with vRA7. I set the NTP server on the vRA appliance to our DC. The IaaS server is a member of the domain so it has the DC as its NTP server by default, and I also added the server computer account to the domain admins group, but I still get the same error every time I am trying to log in with one of the domain users that are set as the tenant or the IaaS admins. Any other idea?
Thanks!
Hi Eric
We have been facing an issue where we set up CN pointers to a Group, but the “select all” seems to be deselected every time a new Group has been made/found.
Anyone experienced the same, or have a solution to this?
This is scheduled to be fixed in 7.3
Mark – I stood up my first medium install (2 of everything), I’m creating an LDAP connector and I chose ‘primary vRA appliance’ to handle authentication. What do you do for a second connector for the other vRA appliance? Can’t find much on that.
Steve
Hi,
Great post, and I have a question: is it possible to have the same AD domain added on two different tenants?
Thanks.
You should be able to do this.
When I set mine up, I to the default tenant and then my (real) subtenant and it works fine. It should be the same idea. Just be sure to do the top level tenant first.