vRealize Automation 7 – Authentication

vRealize Automation 7 – Authentication

In order to setup Active Directory Integrated Authentication, we must login to our default tenant again but this time as our “Tenant Administrator” (we setup in the previous post) instead of the system administrator account that is created during initial setup.

Once you’re logged in, click the Administration tab –> Directories Management –> Directories and then click the “Add Directory” button. Give the directory a descriptive name like the name of the ad domain for example. Then select the type of directory. I’ve chosen the “Active Directory (Integrated Windows Authentication)” option. This will add the vRA appliance to the AD Domain and use the computer account for authentication. Note: you must setup Active Directory in the default (vsphere.local) tenant before it can be used in the subtenants.

Next choose the name of the vRA appliance for the “Sync Connector” and select “Yes” for the Authentication. I’ve chosen sAMAccountName for the Directory Search Attribute. After this, we need to enter an account with permissions to join the vRA appliance to the Active Directory Domain. Lastly, enter a Bind UPN that has permissions to search Active Directory for user accounts. Click “Save and Next”.


Now, select the domain you just added. Click Next.vra7Domain2

Now we can map vIDM properties to your active directory properties. The properties I used are shown in the screenshot below. I tweaked the default values a tad bit, but for the most part, all of the properties were already mapped correctly to start with.


Now we enter a Distinguished Name to search for groups to sync with. I chose the root DN for my domain, and selected all of the groups. Click Next.vra7Domain4

I repeated the process with user accounts. Click Next.vra7Domain5

The next screen shows you details about the user and groups that will be synced. You can edit your settings or click “Sync Directory” to complete the setup.



In this post, we’ve added an external identity source to sync logins with. This is much more preferable than adding local user accounts and having to make your users remember multiple accounts. In future posts, we’ll add these users to business groups, tenant administrators, fabric administrators and other custom groups.

15 Responses to vRealize Automation 7 – Authentication

  1. Hi there,

    Awesome guide on vRA 7. Getting an ‘Access Denied, You do not have access to this service. Contact your administrator for assistance’ error when logging into the portal using domain users/admins even after adding the group to the tenant and IAAS admin groups and to various business groups etc. Login using local acounts is fine and searching domain users works a treat.

    Any ideas? Cheers

    • Be sure that your time sync is set to the same NTP server on the IaaS and vRA appliances. Then I’d make sure the Identity Manager is synching correctly.
      Thanks for reading!

      • Hi Eric,

        Thank you for getting back to me. A combination of adding the IAAS server to the domain admins group in AD and changing the time zone on the appliance worked a treat. Thank you!!

  2. Can “Sync Now” task can be automated using orchestrator?
    I want the “Sync Now” task to be trigger when the workflow is executed…………..
    Can u help me in this?

  3. Hi Eric,

    great post, thank you very much for that.
    i have the same access denied problem with VRA7. i set the NTP server on the VRA appliance to our DC. the IaaS server is a member of the domain so it has the DC as its NTP server by default and i also added the server computer account to the domain admins group but i still get the same error everytime i am tryin to login with one of the domain users that are set as the tenant or the IaaS admins. any other idea?

  4. Hi Eric

    We have been facing a issue where we setup CN pointers to a Group, but the “select all” seems to be deselected every time a New Group has been made/found.

    Anyone experienced the same, or have a sollution to this?

  5. Mark – I stood up my first medium install (2 of everything), I’m creating an LDAP connector and I chose ‘primary vRA appliance’ to handle authentication. What do you do for a second connector for the other vRA appliance? Can’t find much on that.


    • You should be able to do this.
      When I set mine up, I to the default tenant and then my (real) subtenant and it works fine. It should be the same idea. Just be sure to do the top level tenant first.

Leave a reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.