Archive for July, 2014

vSphere 5.5 Single Sign On the easy way

July 14th, 2014

A few days ago I posted this article. For it to work, the firewall has to open 9 TCP and 9 UDP ports. That’s a lot of open ports, not to mention the troubleshooting along the way.

With VMware Center Appliance v5.5, VMware has added a new option for Single Sign On authentication, “Active Directory as a LDAP Server”. Things get much easier with this option, as you don’t need to join the vCSA to the domain and only one port has to be open: tcp:389, for LDAP. Surprisingly, no one has mentioned it on the Internet.

First, download and install the vCSA with the default options; no fancy options yet. Active Directory is disabled because you don’t need to join the vCSA server to the domain.

Then click on the SSO option and change the default password for the Administrator@vsphere.local account. Note that this is required to set up SSO.

Then log in to the web client as Administrator@vsphere.local and go to Administration\Single Sign-On\Configuration. You have to log in with the Administrator account to see the option; the root account doesn’t work here. (This alone took me 2 hours to figure out.)

Then add a new Identity Source. Fill out the remaining fields as follows:

Name: Your AD domain name; E.g. “corp.local”
Base DN for users: Split your domain name into pieces along the dots (“.”) and prefix each part with “dc=”. Place commas (“,”) between the parts; E.g. “dc=corp,dc=local”
Domain name: Your AD domain name; E.g. “corp.local”
Domain alias: The NetBIOS name of your AD domain; E.g. “CORP”
Base DN for groups: Same as the Base DN for users; E.g. “dc=corp,dc=local”
Primary Server URL: The Active Directory server as a URL with the protocol “ldap://” and the port 389; E.g. ldap://
Secondary Server URL: Another Active Directory server or domain controller as a URL if you have one. Otherwise leave it blank; E.g. ldap://
Username: An Active Directory username in NetBIOS notation with privileges to read all users and groups; E.g. “CORP\Administrator”
Password: The password of the above user.

Hit the test button and that should be it. If it doesn’t work, make sure you have tcp:389 open on the domain controller.

Required ports for adding the ESX/ESXi host to an Active Directory domain

July 12th, 2014

You need to open both the TCP and the UDP port for each of the following:

Port 88 – Kerberos authentication
Port 123 – NTP
Port 135 – RPC
Port 137 – NetBIOS Name Service
Port 139 – NetBIOS Session Service (SMB)
Port 389 – LDAP
Port 445 – Microsoft-DS Active Directory, Windows shares (SMB over TCP)
Port 464 – Kerberos password changes
Port 3268 – Global Catalog search
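
As an added example (not from the original posts): a pre-flight check to run from the vCSA's side of the firewall. It derives the Base DN with the rule given for the identity source fields and confirms that, of the TCP ports in the list above, only 389 is reachable on the domain controller. The function names, the default domain and the default host are assumptions made for this sketch.

```python
import re
import socket
import sys

# TCP side of the port list on this page (domain-join method). UDP is not
# probed: a UDP "connect" cannot tell an open port from a filtered one.
DOMAIN_JOIN_PORTS = {
    88: "Kerberos", 123: "NTP", 135: "RPC", 137: "NetBIOS Name Service",
    139: "NetBIOS Session Service", 389: "LDAP", 445: "Microsoft-DS",
    464: "Kerberos password change", 3268: "Global Catalog",
}
LDAP_ONLY = {389}  # all the "Active Directory as a LDAP Server" source needs

_LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?")

def base_dn(domain):
    """Apply the page's rule: 'corp.local' -> 'dc=corp,dc=local'."""
    labels = domain.strip().rstrip(".").split(".")
    # Reject anything that is not a plain DNS label, so a stray ',' or '='
    # can never change the structure of the resulting DN.
    if not all(_LABEL.fullmatch(label) for label in labels):
        raise ValueError(f"not a DNS domain name: {domain!r}")
    return ",".join(f"dc={label}" for label in labels)

def tcp_reachable(host, port, timeout=2.0):
    """True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable, or name not resolved
        return False

def audit(host, allowed=LDAP_ONLY, probe=tcp_reachable):
    """Return (missing, unexpected) TCP ports as two sorted lists."""
    reachable = {p for p in DOMAIN_JOIN_PORTS if probe(host, p)}
    return sorted(allowed - reachable), sorted(reachable - allowed)

if __name__ == "__main__":
    # Constructed defaults; pass your own domain and domain controller.
    domain = sys.argv[1] if len(sys.argv) > 1 else "corp.local"
    dc = sys.argv[2] if len(sys.argv) > 2 else "127.0.0.1"
    print("Base DN:", base_dn(domain))
    missing, unexpected = audit(dc)
    for p in missing:
        print(f"BLOCKED tcp:{p} ({DOMAIN_JOIN_PORTS[p]}): the test button will fail")
    for p in unexpected:
        print(f"EXPOSED tcp:{p} ({DOMAIN_JOIN_PORTS[p]}): not needed for LDAP-only SSO")
```

Plain ldap:// on tcp:389 provides no transport encryption of its own, which is worth weighing when choosing the network path and the account used for the bind.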