VMC on AWS vCenter Authentication using AWS Directory Service

In this blog post, I’ll describe how to use AWS Directory Service as an identity source for VMC on AWS vCenter.

Background: VMC on AWS default setup

VMC on AWS by default has a single cloudadmin account named cloudadmin@vmc.local.

You cannot add users to the vmc.local domain by default.

To add users you need to add an external identity source such as Active Directory.

If you don’t have the legacy infrastructure for that, you can spin up the AWS managed domain controller service (AWS Directory Service).

Afterwards you integrate it with VMC for authentication; this blog post describes how.

Provisioning AWS directory service

Deploy the AWS Directory Service in the same region as your VMC connected VPC, so that traffic between the two environments uses the automatic routing over the ENI.

You can confirm the region and the VPC in the VMC console under Networking & Security, Connected VPC.

VMC on AWS Networking & Security, Connected VPC subnet screenshot

AWS

On the AWS side, switch to that same region (Frankfurt in this case) and open Directory Service.

AWS Console Region Selection screenshot

Choose AWS Managed Microsoft AD or Simple AD.

Select AWS Directory Service Type screenshot

In the drop-down choose Standard or Enterprise edition based on your sizing and high availability requirements.

In this walkthrough I used Standard.

Select AWS Directory Edition and Details screenshot

Note that AWS requires two subnets for redundancy.

Only one of them (the primary) is available with the connected VPC design from VMC.

To make use of both subnets you need VMware Transit Connect (vTGW) or a VPN towards a TGW in the AWS account; that is beyond the scope of this blog post.

Select AWS Console VPC and Subnets screenshot

Confirm and create the directory.

Review Directory Service and Create screenshot

This creation process took around 30 minutes in my case so be patient 😉 .

Once provisioning is done you’ll see the new directory with status Active.

AWS Console Directory Provisioning screenshot

Once provisioned you’ll be able to see the assigned IP addresses from the previously selected subnets.

AWS Console Directory Service Networking and Security screenshot
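The same provisioning, scripted. This is an added example and not code from the original post: it drives the AWS CLI (v2) from PowerShell, assumes the CLI is installed and authenticated, and uses placeholder region, VPC and subnet ids that you would take from the Connected VPC view in the VMC console; the domain name is a constructed example. It polls the directory stage until it leaves the creating states and then prints the DNS IPs you will need for the bastion and the vCenter identity source.

```powershell
# Added example, not from the original post: provision AWS Managed Microsoft AD with the
# AWS CLI (v2) from PowerShell instead of the console. Assumes the CLI is installed and
# authenticated. Region, VPC id and subnet ids are placeholders; take them from the
# Connected VPC view in the VMC console. The domain name is a constructed example.
$Region     = 'eu-central-1'                               # Frankfurt, same region as the SDDC
$VpcId      = 'vpc-PLACEHOLDER'                            # the VMC connected VPC
$SubnetIds  = 'subnet-PLACEHOLDER-1,subnet-PLACEHOLDER-2'  # two subnets in different AZs
$DomainName = 'corp.example.com'
$ShortName  = 'CORP'

# Read the directory Admin password interactively so it never lands in the shell history.
# (It is still visible in the process command line while the CLI call runs.)
$Secure = Read-Host -AsSecureString -Prompt 'Directory Admin password'
$Plain  = [System.Net.NetworkCredential]::new('', $Secure).Password

$DirectoryId = aws ds create-microsoft-ad `
    --region $Region `
    --name $DomainName `
    --short-name $ShortName `
    --password $Plain `
    --edition Standard `
    --vpc-settings "VpcId=$VpcId,SubnetIds=$SubnetIds" `
    --query 'DirectoryId' --output text
Remove-Variable Plain
if (-not $DirectoryId) { throw 'create-microsoft-ad returned no DirectoryId' }

# Creation takes a while (about 30 minutes in the post); poll until the stage settles.
do {
    Start-Sleep -Seconds 60
    $Stage = aws ds describe-directories --region $Region --directory-ids $DirectoryId `
        --query 'DirectoryDescriptions[0].Stage' --output text
    Write-Host ('{0} {1} stage: {2}' -f (Get-Date -Format s), $DirectoryId, $Stage)
} while ($Stage -in 'Requested', 'Creating', 'Created')

if ($Stage -ne 'Active') { throw "Directory $DirectoryId ended in stage $Stage" }

# The DNS server IPs you will point the bastion (and later the vCenter identity source) at.
$DnsIps = (aws ds describe-directories --region $Region --directory-ids $DirectoryId `
    --query 'DirectoryDescriptions[0].DnsIpAddrs' --output text) -split '\s+'
Write-Host "Directory $DirectoryId is Active; DNS servers: $($DnsIps -join ', ')"
```

The stage check matters: a directory that ends in Failed or Impaired still has a DirectoryId, so scripts that only wait for the create call to return will happily continue into the domain-join step against a directory that does not answer.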

In order to configure and manage the AD service we’ll need a bastion VM. In my example it’s a Windows Server running in the VMC on AWS environment, but it could just as well run as an EC2 instance.

Add the server to the domain; first point its DNS settings at the directory’s IP addresses.

TCP/IP DNS Settings Bastion VM screenshot

Then join it to the domain. Note that the highest-level user you get is Admin, with the password configured during the provisioning process.

Bastion Host Domain Joining screenshot

After a reboot and login with the domain credentials, you can manage your domain accounts with the domain users and groups tool (Active Directory Users and Computers).

Domain Controller Management screenshot
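The DNS change and domain join from the bastion, as an added example that is not part of the original post. The DNS IPs and the domain name are placeholders (use the DnsIpAddrs shown for your directory in the AWS console). Before joining, it resolves the domain’s SRV record and probes the AD ports on each directory IP, which shows directly which of the two domain controllers is reachable over the connected VPC route.

```powershell
# Added example, not from the original post: prepare the Windows bastion and join it to
# the directory. $DnsIps and the domain name are placeholders; use the DnsIpAddrs shown
# for your directory in the AWS console.
$DnsIps     = @('10.0.1.10', '10.0.2.10')   # placeholder directory DNS servers
$DomainName = 'corp.example.com'
$ShortName  = 'CORP'

# Step 1: point the active adapter at the directory's DNS servers.
$Adapter = Get-NetAdapter | Where-Object Status -eq 'Up' | Select-Object -First 1
Set-DnsClientServerAddress -InterfaceIndex $Adapter.ifIndex -ServerAddresses $DnsIps

# Step 2: preflight. Only the DC in the primary subnet is available over the connected
# VPC design, so check which DNS IP actually answers and whether the AD ports are open
# from here before attempting the join.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -ErrorAction Stop |
    Format-Table Name, NameTarget, Port -AutoSize
foreach ($Ip in $DnsIps) {
    foreach ($Port in 53, 88, 389, 445, 636) {      # DNS, Kerberos, LDAP, SMB, LDAPS
        $r = Test-NetConnection -ComputerName $Ip -Port $Port -WarningAction SilentlyContinue
        '{0}:{1,-4} {2}' -f $Ip, $Port, $(if ($r.TcpTestSucceeded) { 'open' } else { 'unreachable' })
    }
}

# Step 3: join. AWS Managed Microsoft AD hands you the delegated 'Admin' account rather
# than Domain Admins; its password is the one set at provisioning.
$Cred = Get-Credential -UserName "$ShortName\Admin" -Message 'Directory Admin credentials'
Add-Computer -DomainName $DomainName -Credential $Cred -Restart
```

If the SRV lookup fails or every port on the first IP shows unreachable, fix the DNS setting or the VMC gateway firewall rules before retrying; a join attempt against an unreachable DC only produces a generic "domain could not be contacted" error that hides which of the two it is.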

Now in vSphere go to Menu –> Administration –> Single Sign On –> Configuration –> Identity Sources.

VMC on AWS vCenter Domain Management screenshot

Create a new identity source.

VMC on AWS vCenter Identity Source screenshot

Add permissions to the user: under Global Permissions add the domain user or group with the appropriate role (in this example CloudAdmin, the highest role) and tick the Propagate to children checkbox.

VMC on AWS vCenter Permissions addition screenshot

Log in to vSphere with the newly connected domain.

VMC on AWS vCenter login screenshot

There you go.

External AWS documentation:

https://docs.aws.amazon.com

vCenter documentation:

https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.authentication.doc/GUID-75D4E587-3F9B-4B50-96DA-D6DB6D1781D7.html

Feel free to reach out on LinkedIn if you have any follow-up questions or feedback.

https://www.linkedin.com/in/michael–schwartzman/
