WilliamLam.com

  • About
    • About
    • Privacy
  • VMware Cloud Foundation
  • VKS
  • Homelab
    • Resources
    • Nested Virtualization
  • VMware Nostalgia
  • Apple
You are here: Home / Automation / Automating Active Directory Identity Source & Default Domain in vSphere Web Client

Automating Active Directory Identity Source & Default Domain in vSphere Web Client

01.05.2015 by William Lam // 4 Comments

Over the holiday break I learned about two awesome tidbits from my buddies Blair Fritz and Frank Buechsel who both work over in our GSS Organization. The first tidbit came from Blair who recently shared a newly published VMware KB 2063424 that provides both a Windows and Linux script to automate the setup of your Active Directory as an Identity Source within vSphere SSO. The reason this is so cool is that you no longer have to perform this additional manual step using the vSphere Web Client just to be able to start using your Active Directory as a source for authorization within your vSphere environment. In my opinion, this step should just happen automatically if your vCenter Server (applies to both VC for Windows and VCSA) is already joined to an Active Directory Domain.

UPDATE (01/15/19) - For vSphere 6.5 and 6.7, please refer to VMware KB 67304 for the updated package required to automate this configuration

active-directory-identity-source-and-default-domain-in-vsphere-web-client-0
Looking at the contents of the script, I have extracted the main parts of the script to create a quick snippet that can easily be integrated into my existing VCSA 5.5 Configuration script if you are interested in automating this particular configuration.

AD_DOMAIN=primp-industries.com
EXPORTED_SSO_PROPERTIES=/usr/lib/vmware-upgrade/sso/exported_sso.properties

if [ -e ${EXPORTED_SSO_PROPERTIES} ] ;then
	rm -f  ${EXPORTED_SSO_PROPERTIES}
fi

cat > ${EXPORTED_SSO_PROPERTIES} << __SSO_EXPORT_CONF__
ExternalIdentitySource.${AD_DOMAIN}.name=${AD_DOMAIN}
ExternalIdentitySource.${AD_DOMAIN}.type=0
ExternalIdentitySourcesDomainNames=${AD_DOMAIN}
__SSO_EXPORT_CONF__

/usr/lib/vmware-upgrade/sso/sso_import.sh > /dev/null 2>&1
rm -rf ${EXPORTED_SSO_PROPERTIES}

The next tidbit that I learned the same day came from Frank. It was in regards to configuring the default Identity Source for vSphere SSO which includes localos, vsphere.local and if you have Active Directory configure, your AD Domain is an option as seen in the screenshot below. For a fresh installation, the "localos" Domain is always the default and I was interested in configuring my AD Domain as the default. It turns out this is also possible to automate and more details can be found in this handy VMware KB 2070433.

active-directory-identity-source-and-default-domain-in-vsphere-web-client-1
Similar to the other KB, I have created a quick snippet which can be integrated into my existing VCSA 5.5 Configuration script if you are also interested in automating this configuration.

AD_DOMAIN=primp-industries.com
SSO_ADMINISTRATOR_PASSWORD=vmware
SSO_LDIF_CONF=/tmp/defaultdomain.ldif
                
cat > ${SSO_LDIF_CONF} << __DEFAULT_SSO_DOMAIN__
dn: cn=vsphere.local,cn=Tenants,cn=IdentityManager,cn=Services,dc=vsphere,dc=local
changetype: modify
replace: vmwSTSDefaultIdentityProvider
vmwSTSDefaultIdentityProvider: ${AD_DOMAIN}
__DEFAULT_SSO_DOMAIN__

ldapmodify -f ${SSO_LDIF_CONF} -h localhost -p 11711 -D "cn=Administrator,cn=Users,dc=vsphere,dc=local" -w ${SSO_ADMINISTRATOR_PASSWORD}

I was quite happy to learn about these two tips as these are literally the two last configurations that I have not been able to automate since the vSphere SSO Admins APIs are currently private. I will be updating my VCSA Configuration Script in the next few days to include these additional configurations and will publish an updated script once it is complete. A big thanks goes to both Blair and Frank for sharing this awesome information!

More from my site

  • Changing "Password will expire in X days" notification for Active Directory users in vSphere Web/H5 Client
  • How to Add/Remove vCenter SSO Identity Sources Using the Command-Line for Windows vCenter Server & VCSA
  • Specifying Default Domains for vSphere Web Client Login
  • Automating Cross vCenter vMotion (xVC-vMotion) between the same & different SSO Domain
  • Automating the configuration of new logon banner for the vSphere Web Client in 6.0 Update 2

Categories // Automation, vSphere 5.5, vSphere Web Client Tags // active directory, default domain, exported_sso.properties, integrated windows authentication, ldapmodify, sso, sso_import.sh, vsphere web client

Comments

  1. *protectedBenjamin says

    11/08/2016 at 12:15 am

    Hi, any clue if it is still functionnal on vcsa 6.5 ?

    Reply
  2. *protectedDion says

    05/30/2017 at 1:16 pm

    Is this any easier in 6.5? I want to add to AD, which works easily enough, but adding the identity source and making it the default I am looking at automating.

    Reply
  3. *protectedRoland says

    08/02/2018 at 9:00 am

    Hi, it doesn't work anymore on vcsa 6.7. Is it possible to add an active directory identity source (integrated windows authentication) with "sso-config.sh -register_idp "? I cannot find any documentation online, do you have information on how to create a working XML config file?

    Reply
  4. *protectedMatt says

    05/08/2020 at 10:43 am

    Follow these steps to add IWA as an identity source:
    https://kb.vmware.com/s/article/67304

    Then run the below to set it as the default identity source:
    sso-config.sh -set_default_identity_sources -i

    Reply

Thanks for the comment!Cancel reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Search

Thank Author

Author

William is Distinguished Platform Engineering Architect in the VMware Cloud Foundation (VCF) Division at Broadcom. His primary focus is helping customers and partners build, run and operate a modern Private Cloud using the VMware Cloud Foundation (VCF) platform.

Connect

  • Bluesky
  • Email
  • GitHub
  • LinkedIn
  • Mastodon
  • Reddit
  • RSS
  • Twitter
  • Vimeo

Recent

  • VCF 9.0 Hardware Considerations 05/30/2025
  • VMware Flings is now available in Free Downloads of Broadcom Support Portal (BSP) 05/19/2025
  • VMUG Connect 2025 - Minimal VMware Cloud Foundation (VCF) 5.x in a Box  05/15/2025
  • Programmatically accessing the Broadcom Compatibility Guide (BCG) 05/06/2025
  • Quick Tip - Validating Broadcom Download Token  05/01/2025

Advertisment

Privacy & Cookies: This site uses cookies. By continuing to use this website, you agree to their use.
To find out more, including how to control cookies, see here: Cookie Policy

Copyright WilliamLam.com © 2025

 

Loading Comments...