
Automating Active Directory Identity Source & Default Domain in vSphere Web Client

01.05.2015 by William Lam // 4 Comments

Over the holiday break I learned about two awesome tidbits from my buddies Blair Fritz and Frank Buechsel, who both work over in our GSS Organization. The first tidbit came from Blair, who recently shared a newly published VMware KB 2063424 that provides both a Windows and a Linux script to automate the setup of your Active Directory as an Identity Source within vSphere SSO. The reason this is so cool is that you no longer have to perform this additional manual step in the vSphere Web Client just to start using your Active Directory domain as a source of users and groups for authentication in your vSphere environment. In my opinion, this step should just happen automatically if your vCenter Server (this applies to both vCenter Server for Windows and the VCSA) is already joined to an Active Directory Domain.

UPDATE (01/15/19) - For vSphere 6.5 and 6.7, please refer to VMware KB 67304 for the updated package required to automate this configuration

Looking at the contents of the script, I have extracted its main parts into a quick snippet that can easily be integrated into my existing VCSA 5.5 Configuration script, if you are interested in automating this particular configuration.

#!/bin/sh
# Register an Active Directory domain as a vSphere SSO identity source
# (extracted from the script in VMware KB 2063424; run as root on the VCSA 5.5)
AD_DOMAIN=primp-industries.com
EXPORTED_SSO_PROPERTIES=/usr/lib/vmware-upgrade/sso/exported_sso.properties

# Start from a clean properties file so no stale entries get imported
rm -f "${EXPORTED_SSO_PROPERTIES}"

# sso_import.sh reads the identity source definition from this file;
# the keys and the type value are the ones the KB script writes
cat > "${EXPORTED_SSO_PROPERTIES}" << __SSO_EXPORT_CONF__
ExternalIdentitySource.${AD_DOMAIN}.name=${AD_DOMAIN}
ExternalIdentitySource.${AD_DOMAIN}.type=0
ExternalIdentitySourcesDomainNames=${AD_DOMAIN}
__SSO_EXPORT_CONF__

# Run the import and check its exit status rather than discarding it silently
if ! /usr/lib/vmware-upgrade/sso/sso_import.sh > /dev/null 2>&1; then
    echo "sso_import.sh failed to add identity source ${AD_DOMAIN}" >&2
    rm -f "${EXPORTED_SSO_PROPERTIES}"
    exit 1
fi
rm -f "${EXPORTED_SSO_PROPERTIES}"

The next tidbit, which I learned the same day, came from Frank. It concerns the default Identity Source for vSphere SSO: the choices are localos, vsphere.local and, if you have Active Directory configured, your AD Domain, as seen in the screenshot below. For a fresh installation the "localos" Domain is always the default, and I was interested in making my AD Domain the default instead. It turns out this is also possible to automate, and more details can be found in the handy VMware KB 2070433.

[Screenshot: default Identity Source selection (localos, vsphere.local, AD Domain) in the vSphere Web Client]
Similar to the other KB, I have created a quick snippet which can be integrated into my existing VCSA 5.5 Configuration script if you are also interested in automating this configuration.

#!/bin/sh
# Make the Active Directory domain the default SSO identity source
# (from VMware KB 2070433; the SSO directory service listens on 11711 on the VCSA)
AD_DOMAIN=primp-industries.com
SSO_ADMINISTRATOR_PASSWORD=vmware
SSO_LDIF_CONF=/tmp/defaultdomain.ldif
# LDIF that rewrites the default identity provider of the vsphere.local tenant
cat > "${SSO_LDIF_CONF}" << __DEFAULT_SSO_DOMAIN__
dn: cn=vsphere.local,cn=Tenants,cn=IdentityManager,cn=Services,dc=vsphere,dc=local
changetype: modify
replace: vmwSTSDefaultIdentityProvider
vmwSTSDefaultIdentityProvider: ${AD_DOMAIN}
__DEFAULT_SSO_DOMAIN__

# Bind as the SSO administrator and apply the change; note that -w puts the
# password on the command line, visible in the process list while it runs
if ! ldapmodify -f "${SSO_LDIF_CONF}" -h localhost -p 11711 \
    -D "cn=Administrator,cn=Users,dc=vsphere,dc=local" -w "${SSO_ADMINISTRATOR_PASSWORD}"; then
    echo "ldapmodify failed to set the default identity source to ${AD_DOMAIN}" >&2
    rm -f "${SSO_LDIF_CONF}"
    exit 1
fi
rm -f "${SSO_LDIF_CONF}"
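Both snippets above interpolate the domain name unquoted into a config file and then discard the tool's result, so a typo in AD_DOMAIN produces a silently broken identity source or an unchanged default. The following script is an added example, written for this page and not code from the original post or from the VMware KBs. It wraps the two procedures in functions that validate the domain first, render the same properties file and LDIF, and verify the outcome by reading vmwSTSDefaultIdentityProvider back out of ldapsearch output. The DN, port 11711 and attribute name are the ones used above; the use of OpenLDAP-style options (-y to read the bind password from a file, -LLL for plain LDIF output) is an assumption about the client tools on the appliance, and the sample ldapsearch output is constructed, not captured from a real VCSA.

```shell
#!/bin/sh
# Added example (not from the original post or the VMware KBs). Offline
# parts (validation, rendering, parsing) run anywhere; --apply mode assumes
# a VCSA where ldapmodify/ldapsearch reach the SSO directory on 11711 and
# support the OpenLDAP -y / -LLL options (assumption, not verified here).

TENANT_DN='cn=vsphere.local,cn=Tenants,cn=IdentityManager,cn=Services,dc=vsphere,dc=local'
ADMIN_DN='cn=Administrator,cn=Users,dc=vsphere,dc=local'
SSO_PROPERTIES=/usr/lib/vmware-upgrade/sso/exported_sso.properties

# Reject domain names that would silently produce a broken config: empty,
# whitespace or other characters that have no place in a DNS name,
# leading/trailing dots, empty labels.
valid_domain() {
    case "$1" in
        ''|*[!A-Za-z0-9.-]*|.*|*.|*..*) return 1 ;;
    esac
    return 0
}

# Render the exported_sso.properties content for one AD domain (same keys
# and type value as the KB script).
sso_properties() {
    printf 'ExternalIdentitySource.%s.name=%s\n' "$1" "$1"
    printf 'ExternalIdentitySource.%s.type=0\n' "$1"
    printf 'ExternalIdentitySourcesDomainNames=%s\n' "$1"
}

# Render the LDIF that sets the tenant's default identity provider.
default_idp_ldif() {
    printf 'dn: %s\n' "$TENANT_DN"
    printf 'changetype: modify\n'
    printf 'replace: vmwSTSDefaultIdentityProvider\n'
    printf 'vmwSTSDefaultIdentityProvider: %s\n' "$1"
}

# Extract vmwSTSDefaultIdentityProvider from LDIF on stdin (one attr per line).
current_default_idp() {
    sed -n 's/^vmwSTSDefaultIdentityProvider: *//p' | head -n 1
}

# Constructed sample of what `ldapsearch -LLL -b $TENANT_DN -s base
# vmwSTSDefaultIdentityProvider` would return after a successful change.
SAMPLE_LDAPSEARCH_OUTPUT='dn: cn=vsphere.local,cn=Tenants,cn=IdentityManager,cn=Services,dc=vsphere,dc=local
vmwSTSDefaultIdentityProvider: primp-industries.com'

# Return 0 when the sample output reports the given domain as the default.
sample_check() {
    [ "$(printf '%s\n' "$SAMPLE_LDAPSEARCH_OUTPUT" | current_default_idp)" = "$1" ]
}

# Online: write the properties file and run the import, checking its status.
apply_identity_source() {
    valid_domain "$1" || { echo "bad domain: $1" >&2; return 1; }
    sso_properties "$1" > "$SSO_PROPERTIES" || return 1
    /usr/lib/vmware-upgrade/sso/sso_import.sh > /dev/null 2>&1
    rc=$?
    rm -f "$SSO_PROPERTIES"
    return $rc
}

# Online: set the default identity provider, bind password read from a
# file (-y) so it never appears in the process list, then read it back.
apply_default_idp() {
    domain="$1"; pw_file="$2"
    valid_domain "$domain" || { echo "bad domain: $domain" >&2; return 1; }
    default_idp_ldif "$domain" | ldapmodify -h localhost -p 11711 \
        -D "$ADMIN_DN" -y "$pw_file" > /dev/null || return 1
    got=$(ldapsearch -LLL -h localhost -p 11711 -D "$ADMIN_DN" -y "$pw_file" \
        -b "$TENANT_DN" -s base vmwSTSDefaultIdentityProvider | current_default_idp)
    [ "$got" = "$domain" ]
}

# Usage on the VCSA: sh set-default-domain.sh --apply primp-industries.com /root/sso.pw
# Without --apply only the offline self-check runs.
if [ "${1:-}" = "--apply" ]; then
    apply_identity_source "$2" && apply_default_idp "$2" "$3"
else
    valid_domain primp-industries.com && sample_check primp-industries.com
fi
```

The read-back after ldapmodify is the part worth keeping even if you stay with the original one-liners: ldapmodify exiting 0 only tells you the directory accepted the modify, and the attribute value is what the SSO server will actually consult at the next login.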

I was quite happy to learn about these two tips, as these are literally the last two configurations that I had not been able to automate, since the vSphere SSO Admin APIs are currently private. I will be updating my VCSA Configuration Script in the next few days to include these additional configurations and will publish the updated script once it is complete. A big thanks goes to both Blair and Frank for sharing this awesome information!

Categories // Uncategorized Tags // active directory, default domain, exported_sso.properties, integrated windows authentication, ldapmodify, sso, sso_import.sh, vSphere 5.5, vsphere web client

Comments

  1. Benjamin says

    11/08/2016 at 12:15 am

    Hi, any clue if it is still functional on vcsa 6.5 ?
  2. Dion says

    05/30/2017 at 1:16 pm

    Is this any easier in 6.5? I want to add to AD, which works easily enough, but adding the identity source and making it the default I am looking at automating.
  3. Roland says

    08/02/2018 at 9:00 am

    Hi, it doesn't work anymore on vcsa 6.7. Is it possible to add an active directory identity source (integrated windows authentication) with "sso-config.sh -register_idp"? I cannot find any documentation online, do you have information on how to create a working XML config file?
  4. Matt says

    05/08/2020 at 10:43 am

    Follow these steps to add IWA as an identity source:
    https://kb.vmware.com/s/article/67304

    Then run the below to set it as the default identity source:
    sso-config.sh -set_default_identity_sources -i


Author

William is Distinguished Platform Engineering Architect in the VMware Cloud Foundation (VCF) Division at Broadcom. His primary focus is helping customers and partners build, run and operate a modern Private Cloud using the VMware Cloud Foundation (VCF) platform.
