Enabling Active Directory Authentication with ESX Server 1



Similar documents
Configuring Sponsor Authentication

/ Preparing to Manage a VMware Environment Page 1

SECURE FTP CONFIGURATION SETUP GUIDE

Laboration 3 - Administration

Intel Entry Storage System SS4200-E Active Directory Implementation and Troubleshooting

How To Install Ctera Agent On A Pc Or Macbook With Acedo (Windows) On A Macbook Or Macintosh (Windows Xp) On An Ubuntu (Windows 7) On Pc Or Ipad

Integration with Active Directory. Jeremy Allison Samba Team

Chapter 3 Authenticating Users

identity management in Linux and UNIX environments

VMware vcenter Support Assistant 5.1.1

TIBCO Spotfire Platform IT Brief

DIGIPASS Authentication for Microsoft ISA 2006 Single Sign-On for Outlook Web Access

IIS, FTP Server and Windows

Remote Administration

RemotelyAnywhere Getting Started Guide

CONNECTING TO DEPARTMENT OF COMPUTER SCIENCE SERVERS BOTH FROM ON AND OFF CAMPUS USING TUNNELING, PuTTY, AND VNC Client Utilities

SUSE Manager 1.2.x ADS Authentication

IGEL Linux and Microsoft Remote Desktop Connection Broker 2012 R2

Session 17 Windows 7 Professional DNS & Active Directory(Part 2)

Integrating LANGuardian with Active Directory

Single Sign-on (SSO) technologies for the Domino Web Server

Configure Backup Server for Cisco Unified Communications Manager

RSA Authentication Manager 8.1 Virtual Appliance Getting Started

Testing New Applications In The DMZ Using VMware ESX. Ivan Dell Era Software Engineer IBM

Remote Desktop Administration

Application Note. Using a Windows NT Domain / Active Directory for User Authentication NetScreen Devices 8/15/02 Jay Ratford Version 1.

Section 4 Application Description - LDAP

RELEASE NOTES. Release Notes. Introduction. Platform. Product/version/build: Remote Control ( ) ActiveX Guest 11.

Upgrading VMware Identity Manager Connector

Installation of MicroSoft Active Directory

MCSA Security + Certification Program

Integration Guide. Microsoft Active Directory Rights Management Services (AD RMS) Microsoft Windows Server 2008

STERLING SECURE PROXY. Raj Kumar Integration Management, Inc.

RSA Authentication Manager 7.1 Microsoft Active Directory Integration Guide

How To - Implement Clientless Single Sign On Authentication in Single Active Directory Domain Controller Environment

RSA SecurID Certified Administrator (RSA Authentication Manager 8.0) Certification Examination Study Guide

DC Agent Troubleshooting

Field Description Example. IP address of your DNS server. It is used to resolve fully qualified domain names

Likewise Security Benefits

NovaBACKUP xsp Version 15.0 Upgrade Guide

Managing an Active Directory Infrastructure

Technical Note. Configuring Outlook Web Access with Secure WebMail Proxy for eprism

How To - Implement Clientless Single Sign On Authentication with Active Directory

Preinstallation Requirements Guide

Five Steps to Improve Internal Network Security. Chattanooga ISSA

Windows Security and Directory Services for UNIX using Centrify DirectControl

ZyWALL OTP Co works with Active Directory Not Only Enhances Password Security but Also Simplifies Account Management

NetIQ Advanced Authentication Framework - MacOS Client

Single Sign-On for Kerberized Linux and UNIX Applications

Virtual Web Appliance Setup Guide

How To Enable A Websphere To Communicate With Ssl On An Ipad From Aaya One X Portal On A Pc Or Macbook Or Ipad (For Acedo) On A Network With A Password Protected (

Kerberos authentication made easy on OpenVMS

Discovery Guide. Secret Server. Table of Contents

Active Directory integration with CloudByte ElastiStor

INTEGRATION GUIDE. IDENTIKEY Federation Server for Juniper SSL-VPN

HP Device Manager 4.7

Implementing a SAS Metadata Server Configuration for Use with SAS Enterprise Guide

Security IIS Service Lesson 6

Basic Exchange Setup Guide

SUSE Manager in the Public Cloud. SUSE Manager Server in the Public Cloud

RSA Authentication Manager 7.1 to 8.1 Migration Guide: Upgrading RSA SecurID Appliance 3.0 On Existing Hardware

Single Sign On. Configuration Checklist for Single Sign On CHAPTER


Active Directory Change Notifier Quick Start Guide

Click Studios. Passwordstate. Password Discovery, Reset and Validation. Requirements

CTS2134 Introduction to Networking. Module Network Security

FreeIPA v3: Trust Basic trust setup

Virtual Managment Appliance Setup Guide

Security. TestOut Modules

Implementing, Managing and Maintaining a Microsoft Windows Server 2003 Network Infrastructure: Network Services Course No.

Step-by-Step Guide for Setting Up VPN-based Remote Access in a

FreeIPA 3.3 Trust features

Implementing and Supporting Microsoft Windows XP Professional

Host your websites. The process to host a single website is different from having multiple sites.

Basic Exchange Setup Guide

Using LifeSize systems with Microsoft Office Communications Server Server Setup

Mod 2: User Management

Cloud Server powered by Mac OS X. Getting Started Guide. Cloud Server. powered by Mac OS X. AKJZNAzsqknsxxkjnsjx Getting Started Guide Page 1

Securing Administrator Access to Internal Windows Servers

Securing VMware Virtual Infrastructure with Centrify's Identity and Access Management Suite

How-to: Single Sign-On

Extreme Control Center, NAC, and Purview Virtual Appliance Installation Guide

6WRUP:DWFK. Policies for Dedicated IIS Web Servers Group. V2.1 policy module to restrict ALL network access

How To Set Up Egnyte For Netapp Sync For Netapp

F5 BIG-IP V9 Local Traffic Management EE Demo Version. ITCertKeys.com

Websense Support Webinar: Questions and Answers

How To Use Directcontrol With Netapp Filers And Directcontrol Together

How To - Implement Single Sign On Authentication with Active Directory

Protecting Juniper SA using Certificate-Based Authentication. Quick Start Guide

Univention Corporate Server. Operation of a Samba domain based on Windows NT domain services

Managing Access Control in PresSTORE

Apache Server Implementation Guide

Configuring Security Features of Session Recording

TopEase Single Sign On Windows AD

Installing Policy Patrol on a separate machine

CYAN SECURE WEB HOWTO. NTLM Authentication

DIGIPASS KEY series and smart card series for Juniper SSL VPN Authentication

AJ Matrix V5. Installation Manual

VMware and VSS: Application Backup and Recovery

Transcription:

1 Enabling Active Directory Authentication with ESX Server 1 This document provides information about how to configure ESX Server to use Active Directory for authentication. ESX Server system includes an authentication service, but users might want to use other authentication providers. Information provided in this document includes: Authentication Concepts on page 1 Esxcfg auth Tool on page 2 Frequently Asked Questions on page 3 Further Reading on page 4 Authentication Concepts An identity is authenticated when someone or something proves they are who they claim to be. Anything that can be authenticated, such as users, computers, or services, is called a principal. A principal proves its identity by proving knowledge of some secret. For example, a password is a secret that a user keeps, but by proving knowledge of that secret, users prove they are who they claim to be. Authentication permits principals to use a service, and, at the same time, prevents unauthorized users from masquerading as legitimate users to steal resources. For example, unknown users can be denied access to payroll information. Similarly, unknown services can be prevented from using virtual machines to complete tasks. Authenticated users, however, can use their virtual machines and access their data. Authentication is one of several security technologies that work together to enable appropriate access to services: VMware, Inc. 1

Enabling Active Directory Authentication with ESX Server Access control grants or denies principals access. If any principal can access any service, access control is insufficient. For access control to be useful, principals must be authenticated. Authentication verifies that principals are who they claim to be. If any principal can claim an identity or provide credentials for an identity, such as root, there is insufficient authentication. For authentication to be useful, there must be trust in the form of physical security and trust of an authentication authority. Trust exists among a set of principals. For example, trust is necessary among authentication servers, principals that use services, and physical computers in a domain or realm. If any service is trusted to authenticate principals, trust is not sufficiently restricted. This technical note deals with the configuration of authentication interoperability in ESX Server. Authentication is made possible by the implementation of an authentication protocol. Protocols are abstract processes. For example, Kerberos is a protocol for establishing the identities of principals, but it is not an implementation of that process. Active Directory provides an authentication service that implements the Kerberos protocol, so principals can use Kerberos to authenticate to Active Directory. A variety of authentication providers are available for use. ESX Server includes services that can be used to meet your authentication needs but also supports the use of other authentication providers. This is especially useful in cases where a collection of users has already been established, as in organizations using Active Directory. To facilitate the use of such providers, ESX Server includes an option in the esxcfg tool to configure the use of other authentication providers. Especially in large, previously established environments with many users, creating trust with an existing authentication authority is easier than recreating all the required users in ESX Server. Furthermore, reducing the number of authentication systems reduces the number of user names and passwords each user must remember. Users are more likely to follow recommended practices for creating strong passwords when they have fewer passwords to remember, and reusing any password, even a strong one, for multiple accounts effectively weakens the security of an authentication system. Esxcfg-auth Tool The esxcfg auth tool enables authentication interoperability with authentication providers such as Windows Active Directory. Active Directory is the collection of services and data that Windows uses to authenticate principals. The esxcfg auth tool makes authentication with Active Directory possible by configuring a pluggable authentication module (PAM) and modifying the ESX Server system s configuration. Specifically, esxcfg auth: 2 VMware, Inc.

Chapter Enabling Active Directory Authentication with ESX Server Modifies the krb5.conf file. The tool adds the name of the Active Directory Domain and the DNS name or IP address of at least one domain controller, allowing the ESX Server host to find a domain controller. Creates the kdc.conf file, which contains information that specifies which cryptographic options are used during authentication processes. Modifies the pam.d file, configuring the ESX Server system to authenticate MUI and remote console users using the Active Directory domain. Commands The esxcfg auth command includes options for configuring interoperability with several authentication providers. This note focuses on the options that are relevant to Active Directory: esxcfg auth [ [ enablead disablead ] [ addomain=<domain> removedomain=<domain> ] [ addc=<dc> removedc=<dc>] ] Example Consider a case in which a Windows domain is named vmtest.com, and in this domain is a domain controller named DC1. That server s fully qualified domain name (FQDN) is DC1.vmtest.com. To establish interoperability with this Windows domain, issue the following command on an ESX Server system as root: # esxcfg-auth --enablead --addomain=vmtest.com --addc=dc1.vmtest.com This enables Active Directory based user authentication in the vmtest.com domain with the domain controller DC1.vmtest.com. After entering the preceding command, create a user on the ESX Server system with permissions to use the service console. To create a user, use the Linux command useradd. For example, to add a user named ConsoleUser, issue the following command on an ESX Server system as root: # useradd ConsoleUser After a service console user account is created, that user can log on to the console locally. For every user that you want to enable access through authentication to Active Directory, you must also create a corresponding user on the ESX Server system using the useradd command. Frequently Asked Questions Q. What if I want all the users in the domain to be able to log on to the ESX Server host? A. VMware does not recommend this practice. ESX Server users are administrators, not ordinary users. They can create virtual machines and consume resources. Therefore, VMware, Inc. 3

Enabling Active Directory Authentication with ESX Server letting all the users in the domain log on to ESX Server systems gives everyone unrestricted access to computing resources. Q. Does the ESX Server system have to be part of the domain? A. No. Q. What if my ESX Server computer cannot contact a domain controller? Will my virtual machines shut down? A. Virtual machines continue to run. ESX Server users who are not defined locally are unable to log on to administer their machines. VMware recommends that you maintain the root locally on the service console, but do not attempt to map this to the Administrator logon in the domain. By preserving root access to the local service console, authorized personnel can always log on as root, even if contact with the domain is lost. Q. Does maintaining a local root password for the service console work on all versions of the ESX Server system? A. This solution should work on all versions of the ESX Server system, but it has been tested only on ESX Server 2.1. Q. What if I want to use my Windows domain to authenticate other kinds of service console logons, such as FTP or SSH logons? A. A PAM module allows you to do so, although the setup is outside the scope of this document. See Further Reading on page 4 for where to find more information on PAM. Q. Authentication fails or works for some users, but not for others. Why is this? A. Due to a bug in the version of Kerberos shipped with ESX Server 2.1, users who are members of more than 15 global groups cannot authenticate, even with valid user names and passwords. To avoid this problem, limit user global group membership. Further Reading Kerberos is documented here: http://web.mit.edu/kerberos/www/ http://www.ietf.org/rfc/rfc1510.txt Microsoft Active Directory (AD) is documented here: http://www.microsoft.com/windows2000/technologies/directory/ad/default.asp http://technet2.microsoft.com/windowsserver/en/technologies/featured/ad/ default.mspx Services for UNIX (SFU) is documented here: 4 VMware, Inc.

Chapter Enabling Active Directory Authentication with ESX Server http://support.microsoft.com/default.aspx?scid=kb;en-us;321712&sd=tech Pluggable authentication module (PAM) is documented here: http://www.kernel.org/pub/linux/libs/pam/linux-pam-html/linux-pam_sag.html VMware, Inc. 5

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information