Why do I need to change?
Starting with vSphere (and vCenter) 7.0, VMware has deprecated the use of Integrated Windows Authentication (IWA). That doesn't mean you can't use it or migrate an existing 6.7 vCenter with IWA to vCenter 7. It means that VMware considers IWA end of life and will be removing it in a future release, so the time to move off IWA is now!
The steps below show how to switch from the IWA identity source to AD over LDAPS. Bear in mind that you will need to remove the old identity source before you can add the new one, so do this at a time when no one else will be logging into vCenter. It doesn't take long, so as long as you can find a quiet window you're ready to go.
I didn't grab screenshots for this one, as this was a change we did at work, but the process is documented step by step below, so you should have no trouble following the process.
First Grab the Domain Controller Certificates
Log into the new vCenter over SSH (using Putty or your usual SSH tool)
Login as root and enter password
Once logged in, type 'shell' to access the BASH shell
Run openssl s_client -connect ad-dc1.lab.com:636 -showcerts (where ad-dc1.lab.com is the Domain Controller you wish to extract the certificate from)
In the output, select and copy everything between (and including) -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- into a notepad file
Save the notepad file as ad-dc1.lab.com.cer
Repeat for ad-dc2.lab.com (i.e. add a second Domain Controller) for resilience
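The certificate capture above can be scripted so that it is repeatable for every domain controller and, more importantly, so that you see the certificate's fingerprint and validity before you trust it in vCenter. The script below is an added example and not part of the original post or any VMware tooling: it runs openssl s_client against each DC given on the command line, keeps only the PEM blocks from the output, saves the DC's own (leaf) certificate as <host>.cer and the full chain as <host>.chain.pem, and prints subject, issuer, expiry, SHA-256 fingerprint and subject alternative names. The hostnames ad-dc1.lab.com and ad-dc2.lab.com are the ones used in this post; the output file names, the default port argument and the sample s_client output embedded for the offline self-check are this script's own constructed assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): fetch the LDAPS certificate of
# each domain controller, save the leaf cert as <host>.cer for import into the
# vCenter identity source, and print its fingerprint and validity so it can be
# checked against the DC's own certificate store before it is trusted.
# Hostnames ad-dc1.lab.com / ad-dc2.lab.com come from the post; the output
# file names and the default port are this script's own (assumed) choices.
set -eu

# Keep only PEM certificate blocks (BEGIN..END lines inclusive) from
# "openssl s_client -showcerts" output read on stdin; the surrounding
# connection chatter is dropped.
extract_pem_blocks() {
    sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p'
}

# Keep only the first PEM block. s_client prints the server's own (leaf)
# certificate first, followed by any intermediates the server sent.
first_pem_block() {
    awk '/^-----BEGIN CERTIFICATE-----$/ { p = 1 }
         p { print }
         /^-----END CERTIFICATE-----$/ { if (p) exit }'
}

# Number of PEM certificate blocks on stdin (prints 0 when none, without failing).
count_pem_blocks() {
    grep -c '^-----BEGIN CERTIFICATE-----$' || true
}

# Fetch the certificate chain from one DC and write <outdir>/<host>.cer (leaf)
# and <outdir>/<host>.chain.pem (everything the server sent).
fetch_dc_certs() {
    host="$1"
    port="${2:-636}"
    outdir="${3:-.}"
    chain="$outdir/$host.chain.pem"
    leaf="$outdir/$host.cer"

    # </dev/null closes s_client's stdin so it exits after the handshake
    # instead of waiting for you to type LDAP traffic.
    openssl s_client -connect "$host:$port" -servername "$host" -showcerts \
        </dev/null 2>/dev/null | extract_pem_blocks > "$chain"

    if [ "$(count_pem_blocks < "$chain")" -eq 0 ]; then
        echo "error: no certificate received from $host:$port" >&2
        rm -f "$chain"
        return 1
    fi
    first_pem_block < "$chain" > "$leaf"

    echo "== $host: leaf certificate saved to $leaf =="
    # Subject/issuer, expiry and SHA-256 fingerprint: compare the fingerprint
    # with the one shown on the DC itself before trusting this file.
    openssl x509 -in "$leaf" -noout -subject -issuer -enddate -fingerprint -sha256
    # The SAN list must contain the name you will put in the ldaps:// URL.
    openssl x509 -in "$leaf" -noout -text | grep -A1 'Subject Alternative Name' || \
        echo "warning: no subjectAltName on $host certificate" >&2
}

# Constructed sample of what s_client -showcerts prints (the base64 bodies are
# placeholders, not real certificates), used to exercise the parsing offline.
SAMPLE_SCLIENT_OUTPUT='CONNECTED(00000003)
---
Certificate chain
 0 s:CN = ad-dc1.lab.com
   i:CN = lab-CA
-----BEGIN CERTIFICATE-----
AAAAleafcertificateplaceholder
-----END CERTIFICATE-----
 1 s:CN = lab-CA
   i:CN = lab-CA
-----BEGIN CERTIFICATE-----
BBBBissuercertificateplaceholder
-----END CERTIFICATE-----
---
Server certificate
subject=CN = ad-dc1.lab.com'

# Offline self-check helpers: the sample chain holds two certs, leaf first.
sample_chain_count() { printf '%s\n' "$SAMPLE_SCLIENT_OUTPUT" | extract_pem_blocks | count_pem_blocks; }
sample_leaf_body()   { printf '%s\n' "$SAMPLE_SCLIENT_OUTPUT" | first_pem_block | sed -n '2p'; }

# Usage: ./fetch-dc-certs.sh ad-dc1.lab.com ad-dc2.lab.com
if [ "$#" -gt 0 ]; then
    status=0
    for h in "$@"; do
        fetch_dc_certs "$h" || status=1
    done
    exit "$status"
fi
```

Run it from the vCenter appliance shell (or any host with openssl that can reach port 636) with the DC names as arguments, then copy the resulting .cer files to the machine you will use for the vCenter UI. The fingerprint it prints is the value to compare against the certificate on the DC itself; a mismatch means you captured something other than the DC's certificate and should not add the file to the identity source.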
Take a snapshot of vCenter
Shut down vCenter
In a Linked Mode Domain, shut down ALL vCenters and snapshot all of them at the same time, to ensure a consistent state in the event rollback is required.
Take a snapshot
Power on vCenter
It is good practice to have other methods of restoration as well, such as the built-in backup feature, in the event a rollback is required.
Removing the old identity source
Menu (3 bars) → Administration → Single Sign On → Configuration → Identity Provider → Identity Sources
Select the IWA Identity Source
Click Remove
Add the AD over LDAPS Identity Source
Menu (3 bars) → Administration → Single Sign On → Configuration → Identity Provider → Identity Sources → Add
Change Identity Source Type to Active Directory over LDAP
Name = Enter a friendly identifier for the domain (can be anything, e.g. LDAPS connection to lab.com)
Base DN for users: dc=lab,dc=com
Base DN for groups: dc=lab,dc=com
Domain name: lab.com
Domain Alias: Enter the NetBIOS name for your domain
Username: ldap-serviceaccount@lab.com (service account set up specifically for vCenter LDAP access; it needs at least read access to the Base DN locations)
Password: password for the above account
Connect to: Specific domain controllers
Primary server URL: ldaps://ad-dc1.lab.com:636
Secondary server URL: ldaps://ad-dc2.lab.com:636
Click Browse → Add both certs you captured earlier → Click Add
The AD LDAPS identity source should now be added
Select the new identity source and click "Set as Default" → Read the warning → Ok
That's it. Now test that you can log in using your AD accounts as before.
Remove snapshot
Once you have tested and are happy that everything is working, don't forget to remove your vCenter snapshot(s).
Enhanced Linked Mode
When running Enhanced Linked Mode all Domain Controllers in the SSO domain will pick up the Identity Source Change.