Nested Home Lab – Part 5 – Adding an Active Directory identity source to your PSC / VCSA

Since the aim in these posts is to make a simple lab environment that you can use to test various scenarios, we'll also want to have domain authentication set up. The lab will still run without domain authentication, using local user accounts, but I personally prefer to enable domain authentication.

Remember, DNS is a very important part of identity: the PSC has to resolve the domain and its domain controllers to join and authenticate against it, so if you run into issues, add DNS to your troubleshooting.

This part of the guide can be taken on its own but is based on a separate Platform Services Controller and vCenter Server Appliance.

1.   Browse to the vSphere client, accepting the browser's certificate warning (https://vcsa.domain:9443/vsphere-client), and log in using administrator@your.vmwaredomain. In my case I left the SSO domain name as the default, administrator@vsphere.local.


2.   Browse to Administration, then System Configuration, and select your PSC.



3.   Select Active Directory and click Join.


4.   Enter the details for the domain and a user account that has permission to join computers to the domain. Note: the user account format has to be @. Click OK when done.



5.   Once this has completed (without any errors), reboot the PSC. Right-click on the node and select Reboot.


6.   Enter a reason for rebooting the node if you want (I prefer to do this; it's a good habit to get into) and click OK. Rebooting the PSC will not mess up your VCSA session, but will take about 5 mins or so.


7.   Once it's back, refresh the page. You might need to browse back to the System Configuration page. You should now see the domain field populated, and the Join button will be greyed out.


8.   Click on Administration to take you back a page.


9.   Click on Configuration, select the Identity Sources tab and click the “+” sign to add a new identity source.


10. On this popup you will be offered four choices.
10.1  Select Active Directory (Integrated Windows Authentication). Once you've selected that, the Domain name field should automatically populate. If it didn't, then your PSC hasn't joined the domain correctly.
10.2  Select Use Service Principal Name (SPN). STS/
10.3  Enter the Service Principal Name using the @. This account should have permission to browse your domain.
10.4  Enter the password for the above account.
10.5  Click OK.


11. If all goes well, you should see a new entry in your identity sources.
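The two things that most often break this procedure are the ones the post calls out: DNS (the PSC must find the domain's controllers) and the account formats typed into the join dialog in step 4 and the SPN dialog in step 10. The script below is an added example, not part of the original post or of VMware's tooling. It parses `dig SRV` answers for the records a domain join depends on and validates the user@domain and STS/host@REALM strings before you type them in. The domain `lab.example`, the hosts `dc01` and `psc01`, and the `dig` output are all constructed for the example; the exact SPN layout (`STS/<psc-fqdn>@<REALM>`) is an assumption, since the post only shows the `STS/` prefix and the `@` separator.

```python
"""Pre-flight checks before joining a PSC to Active Directory.

Added example (not from the original post). Checks DNS SRV records for the
domain and the account-name formats used in steps 4 and 10.
"""
import re
import subprocess
from dataclasses import dataclass
from typing import List

# Constructed lab domain for this example.
LAB_DOMAIN = "lab.example"

# SRV records this check requires (assumption: the LDAP and Kerberos
# records a domain join and Kerberos logon look up).
REQUIRED_SRV = (
    "_ldap._tcp.dc._msdcs.{d}",
    "_ldap._tcp.{d}",
    "_kerberos._tcp.{d}",
)


@dataclass(frozen=True)
class SrvRecord:
    name: str      # e.g. _ldap._tcp.dc._msdcs.lab.example
    priority: int
    weight: int
    port: int
    target: str    # domain controller host name


# One answer line from `dig +noall +answer SRV <name>`:
# "_ldap._tcp.lab.example. 600 IN SRV 0 100 389 dc01.lab.example."
SRV_LINE = re.compile(
    r"^(?P<name>\S+)\.\s+\d+\s+IN\s+SRV\s+"
    r"(?P<prio>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)\.$"
)


def parse_dig_srv(output: str) -> List[SrvRecord]:
    """Parse dig SRV answer lines; non-matching lines (comments, blanks) are skipped."""
    records = []
    for line in output.splitlines():
        m = SRV_LINE.match(line.strip())
        if m:
            records.append(SrvRecord(m["name"], int(m["prio"]), int(m["weight"]),
                                     int(m["port"]), m["target"]))
    return records


def missing_srv_records(records: List[SrvRecord], domain: str) -> List[str]:
    """Return the required SRV names that are absent from the parsed answers."""
    present = {r.name.lower() for r in records}
    return [n for n in (t.format(d=domain) for t in REQUIRED_SRV)
            if n.lower() not in present]


def dig_srv(name: str) -> List[SrvRecord]:
    """Live lookup (assumes `dig` is installed); not used by the offline checks."""
    out = subprocess.run(["dig", "+noall", "+answer", "SRV", name],
                         capture_output=True, text=True, check=False)
    return parse_dig_srv(out.stdout)


# Step 4: join account must be user@domain (not DOMAIN\user), same domain.
UPN = re.compile(r"^[^@\s\\/]+@(?P<domain>[A-Za-z0-9.-]+)$")
# Step 10: assumed SPN layout STS/<psc-fqdn>@<REALM>, realm in upper case.
SPN = re.compile(r"^STS/(?P<host>[A-Za-z0-9.-]+)@(?P<realm>[A-Z0-9.-]+)$")


def check_join_account(upn: str, domain: str) -> bool:
    m = UPN.match(upn)
    return bool(m) and m["domain"].lower() == domain.lower()


def check_sts_spn(spn: str, domain: str) -> bool:
    m = SPN.match(spn)
    if not m:
        return False
    # The PSC host must live in the domain, and the realm must be that domain.
    return (m["host"].lower().endswith("." + domain.lower())
            and m["realm"].lower() == domain.lower())


# Constructed dig output: the Kerberos SRV record is deliberately absent.
SAMPLE_DIG = """
_ldap._tcp.dc._msdcs.lab.example. 600 IN SRV 0 100 389 dc01.lab.example.
_ldap._tcp.lab.example.\t600\tIN\tSRV\t0 100 389 dc01.lab.example.
"""

if __name__ == "__main__":
    recs = parse_dig_srv(SAMPLE_DIG)
    print("missing SRV:", missing_srv_records(recs, LAB_DOMAIN))
    print("join account ok:", check_join_account("joiner@lab.example", LAB_DOMAIN))
    print("SPN ok:", check_sts_spn("STS/psc01.lab.example@LAB.EXAMPLE", LAB_DOMAIN))
```

On a real PSC, replace the constructed `SAMPLE_DIG` with `dig_srv(...)` for each required name; a non-empty result from `missing_srv_records` is the DNS problem to fix before step 4, and a failing `check_join_account` is the "format has to be user@domain" note from that step.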



And that's it: you can now go and add your first domain user account to the permissions, which I'll show you in the next post.
