WilliamLam.com


vMA 4.1 - Authentication Policy (fpauth vs adauth)

07.21.2010 by William Lam // 5 Comments

I recently wrote an article about vMA 4.1 and Active Directory integration, and today I noticed there was some confusion about the expected behavior of the two authentication policies: vi-fastpass authentication (fpauth) versus Active Directory authentication (adauth). There are a few things to consider:

  • Under which user context are you executing a command against the target?
  • Which authentication policy was used to add the target to vMA?
  • Is the vMA host joined to an Active Directory domain?

USER CONTEXT       AUTHENTICATION POLICY   vMA JOINED TO AD DOMAIN
vi-admin           fpauth                  no
DOMAIN\username    adauth                  yes

I will walk through the two scenarios in the table above.

In the first scenario, vMA is not joined to an Active Directory domain and we add a vCenter target using a local administrator account on the vCenter Server (when no --authpolicy is given, fpauth is assumed):

[[email protected] ~]$ sudo vifp addserver manaslu.primp-industries.com
Enter username for manaslu.primp-industries.com: administrator
administrator@manaslu.primp-industries.com's password:
This will store username and password in credential store which is a security risk. Do you want to continue?(yes/no): yes

We can verify the target was added using fpauth by running the following command:

[[email protected] ~]$ vifp listservers -l

esx4-1.primp-industries.com ESX fpauth
esxi4-3.primp-industries.com ESXi fpauth
manaslu.primp-industries.com vCenter fpauth

Next, we will set the fastpass target to the newly added vCenter server:

[[email protected] ~]$ vifptarget -s manaslu.primp-industries.com

[[email protected] ~][manaslu.primp-industries.com]$

If we run "esxcfg-nics -l" against an ESX(i) host that is being managed by this vCenter, we would do the following (note: user context is vi-admin):

[[email protected] ~][manaslu.primp-industries.com]$ esxcfg-nics -l --vihost esxi4-3.primp-industries.com

Name PCI Driver Link Speed Duplex MAC Address MTU Description
vmnic0 02:00.0 e1000 Up 1000Mbps Full 00:50:56:ac:69:95 1500 Intel Corporation PRO/1000 MT Single Port Adapter

In this first example we rely solely on vi-fastpass authentication. For an ESX(i) target, vMA creates a vi-adminXX account on the host with a password that vMA generates itself; for a vCenter target like this one, the username and password you entered are what get stored (hence the warning above). Either way the credentials live in vMA's local credential store, which is why vi-admin can run commands against the target without being prompted.

In this example, vMA has been joined to an Active Directory Domain and we are adding a vCenter target using Active Directory credentials:

[[email protected] ~]$ sudo vifp addserver reflex.primp-industries.com --authpolicy adauth
Enter username for reflex.primp-industries.com: PRIMP-IND\primp

Note: As of this writing, the vMA 4.1 documentation has a typo in the syntax for the username. When prompted interactively, enter DOMAIN\username. If you pass it on the command line with the --username option instead, the shell consumes the first backslash, so you need to escape it with a second one (e.g. DOMAIN\\username) or single-quote the value.

We can verify the target was added using adauth by running the following command:

[[email protected] ~]$ vifp listservers -l

esx4-1.primp-industries.com ESX fpauth
esxi4-3.primp-industries.com ESXi fpauth
manaslu.primp-industries.com vCenter fpauth
reflex.primp-industries.com vCenter adauth

Next, we set the fastpass target to the newly added vCenter server. Before we do so, we need to log in to vMA as a valid Active Directory user, because adauth uses the credentials of the user currently logged in to vMA (the session below is that domain user's, not vi-admin's).

[[email protected] ~]$ vifptarget -s reflex.primp-industries.com

[[email protected] ~][reflex.primp-industries.com]$

Now if we run "esxcfg-nics -l" against an ESX(i) host that is being managed by this vCenter, we would do the following (note: user context is DOMAIN account):

[[email protected] ~][reflex.primp-industries.com]$ esxcfg-nics -l --vihost himalaya.primp-industries.com

Name PCI Driver Link Speed Duplex MAC Address MTU Description
vmnic0 06:00.0 e1000e Up 1000Mbps Full 00:30:48:d9:58:6a 1500 Intel Corporation 82574L Gigabit Network Connection
vmnic1 07:00.0 e1000e Down 0Mbps Half 00:30:48:d9:58:6b 1500 Intel Corporation 82574L Gigabit Network Connection

In this second example we rely solely on Active Directory authentication: the credentials of the user logged in to vMA are used, and no password was stored when the target was added (note that no password prompt or credential-store warning appeared above). Unlike the first example, if you switch to the vi-admin context and run the same command, you are prompted for credentials. This is the intended and expected behavior of the two policies.

However, if you do not want to join vMA to an Active Directory domain but would still like unattended authentication from the vi-admin context, you need to set up a Kerberos ticket for the target. The details on configuring this are outlined in the vMA 4.1 user guide; please refer to that document.
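The table at the top of this post and the two runs above boil down to a small decision: given a target's policy and the context you are running in, will a vi-fastpass command run unattended or stop at a credential prompt? The script below is an added example, not code from the post or from VMware. It encodes that table, parses a constructed "vifp listservers -l" listing (copied from the output shown above rather than captured from a live vMA), and also shows the --username backslash problem from the note earlier: a shell helper counts how many backslashes actually reach a command, so you can see why an unquoted DOMAIN\user arrives as DOMAINuser. The function names (target_policy, expected_auth, backslash_count, preflight) are mine; on a real vMA you would replace SAMPLE_LISTSERVERS with the output of "vifp listservers -l".

```shell
#!/bin/bash
# vMA pre-flight check: will a vifp target run unattended from this context?
# Added example, not code from the post or from VMware. The listing below is a
# constructed sample of 'vifp listservers -l' (target, product, auth policy).

SAMPLE_LISTSERVERS='esx4-1.primp-industries.com ESX fpauth
esxi4-3.primp-industries.com ESXi fpauth
manaslu.primp-industries.com vCenter fpauth
reflex.primp-industries.com vCenter adauth'

# target_policy LISTING TARGET
# Prints the auth policy column (fpauth/adauth) for TARGET, or "unknown".
target_policy() {
    local listing="$1" target="$2" policy
    policy=$(printf '%s\n' "$listing" | awk -v t="$target" '$1 == t { print $3; exit }')
    printf '%s\n' "${policy:-unknown}"
}

# expected_auth POLICY USER JOINED
# Encodes the post's table. fpauth: vMA holds the credentials in its own
# credential store, so vi-admin runs unattended. adauth: the credentials of the
# user logged in to vMA are used, so only a domain user on a domain-joined vMA
# runs unattended; vi-admin (or an un-joined vMA) gets a credential prompt.
expected_auth() {
    local policy="$1" user="$2" joined="$3"
    case "$policy" in
        fpauth) echo unattended ;;
        adauth)
            if [ "$joined" = yes ] && [ "$user" != vi-admin ]; then
                echo unattended
            else
                echo prompt
            fi ;;
        *) echo not-a-target ;;
    esac
}

# backslash_count VALUE
# Counts the backslashes that actually reached this process. An unquoted
# --username DOMAIN\user loses its backslash to the shell (count 0);
# DOMAIN\\user or 'DOMAIN\user' delivers exactly one.
backslash_count() {
    printf '%s' "$1" | tr -cd '\\' | wc -c | tr -d ' '
}

# preflight LISTING TARGET USER JOINED
# One-line verdict for a cron job: prints "TARGET POLICY VERDICT".
preflight() {
    local listing="$1" target="$2" user="$3" joined="$4" policy
    policy=$(target_policy "$listing" "$target")
    printf '%s %s %s\n' "$target" "$policy" "$(expected_auth "$policy" "$user" "$joined")"
}

# Demo, assuming the run is from vi-admin on a vMA that is not domain-joined.
for t in manaslu.primp-industries.com reflex.primp-industries.com; do
    preflight "$SAMPLE_LISTSERVERS" "$t" vi-admin no
done
printf 'backslashes in --username %s: %s\n' 'PRIMP-IND\primp' "$(backslash_count 'PRIMP-IND\primp')"
```

Run it before scheduling a vi-fastpass script under cron: anything that comes back as "prompt" will hang waiting for a password when no terminal is attached, and a target that comes back "unknown" was never added with vifp addserver on this vMA.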

One thing to note, which I actually ran into: after joining the vMA host to an Active Directory domain, you must reboot it. If you do not, adding a target with the adauth authentication policy will fail.


Categories // Uncategorized Tags // vi-fastpass, vifp, vma, vSphere 4.1

Comments

  1. Doctair says

    07/23/2010 at 2:12 pm

    "you must reboot vMA after joining to the domain"

    So this is no different than adding any Windows-based server to an AD Domain.
    Maybe with this new AD integration VMware wanted to keep a familiar end user experience 😉

    Reply
  2. RamD says

    08/26/2010 at 10:18 pm

    William -
    "However, if you do not want to join vMA to an Active Directory Domain but would still like to perform an unattended authentication from vi-admin context, then you need to setup a Kerberos ticket for the target."

    I have followed the steps as given in the user guide. How do I test if all is fine?

    Reply
  3. RamD says

    09/07/2010 at 6:21 am

    Any reason why this fails?

    [[email protected] ~]# vifp listservers -l
    ovpesx10.ind.hp.com ESX fpauth
    csl7.proto.hp.com ESXi fpauth
    csl16.proto.hp.com ESXi adauth
    [[email protected] ~]# /opt/vmware/vma/samples/perl/listTargets.pl
    Target Name Product Version
    ----------- ------- -------
    ovpesx10.ind.hp.com VMware ESX 4.0.0
    csl7.proto.hp.com VMware ESXi 4.0.0
    csl16.proto.hp.com
    [[email protected] ~]#

    See the last line above - why does authentication fail to work? How do I make this work?

    Reply
  4. Anonymous says

    12/10/2012 at 2:51 pm

    Hello William
    I installed vMA 5.1 and joined it to AD. You are writing that you have to log in with a valid AD account on the vMA. My vMA unfortunately still doesn't know my AD user. Do I really only have to run "sudo domainjoin-cli join..." and after that I should already be able to log in with an AD account on vMA using ssh?

    /var/log/messages shows following errors after ssh.

    Dec 10 15:48:10 vma sshd[17378]: Invalid user lasm4 from 192.168.100.1
    Dec 10 15:48:10 vma sshd[17378]: Failed none for invalid user lasm4 from 192.168.100.1 port 36759 ssh2
    Dec 10 15:48:13 vma sshd[17380]: pam_unix2(sshd:auth): Unknown option: `try_first_pass'
    Dec 10 15:48:13 vma sshd[17378]: error: PAM: User not known to the underlying authentication module for illegal user manuel from adminserver.domain.com
    Dec 10 15:48:13 vma sshd[17378]: Failed keyboard-interactive/pam for invalid user lasm4 from 192.168.100.1 port 36759 ssh2

    I don't get the point.

    Regards Manuel

    Reply
    • William says

      12/10/2012 at 3:57 pm

      You need to join your vMA to AD before you can login with an AD account. Please refer to the vMA documentation for more details - http://pubs.vmware.com/vsphere-51/index.jsp?topic=%2Fcom.vmware.vma.doc%2Fvima_get_start.4.8.html

      Reply

Author

William Lam is a Senior Staff Solution Architect working in the VMware Cloud team within the Cloud Infrastructure Business Group (CIBG) at VMware. He focuses on Cloud Native technologies, Automation, Integration and Operation for the VMware Cloud based Software Defined Datacenters (SDDC)

Copyright WilliamLam.com © 2023