The ability to display a logon banner prior to logging into the vSphere Web Client UI is a new capability that was introduced with the release of vSphere 6.0 Update 2. In addition to the logon banner message, customers can also configure a mandatory consent check box requiring all users to accept prior to logging in. Below is a screenshot of the new logon banner in the vSphere Web Client, prior to login.
The configuration of the logon banner is only available in the Platform Services Controller (PSC) Administrator UI which can be accessed by opening a browser to the following URL: https://[PSC-HOSTNAME]/psc
Although there is currently not an API for administrating the various PSC configurations (being worked on for a future release of vSphere), it is still possible to automate the different aspects of the PSC. There are several options depending on your personal reference as well as environmental configurations.
Option 1: Use the /opt/vmware/bin/sso-config.sh utility on the PSC itself which is the simplest method but it does require either SSH or local shell access.
You first need to create a file that contains the message you wish to display in the logon banner. In this example I have created a filed called banner.txt that contains an example logon message. You can then run the following command which will allow you to set the banner as well as the title and whether to enable the consent check box:
/opt/vmware/bin/sso-config.sh -set_logon_banner /root/banner.txt -title 'Logon Disclaimer' -enable_checkbox N
If you wish to only configure the consent check box, you can just run the following command:
/opt/vmware/bin/sso-config.sh -set_logon_banner -enable_checkbox Y
If you wish to only configure the title, you can just run the following command:
/opt/vmware/bin/sso-config.sh -set_logon_banner -title 'vGhetto Disclaimer'
If you wish to only configure the banner message, you can just run the following command:
/opt/vmware/bin/sso-config.sh -set_logon_banner /root/banner.txt
If you wish to disable the logon banner feature, you can run the following command:
/opt/vmware/bin/sso-config.sh -disable_logon_banner
Option 2: Use the ldapmodify utility either locally on the PSC itself or from a remote system which I have previously written about here.
Disclaimer: Please take extreme caution when connecting to the vmdird database. You should take extreme care in making changes while in the database else you can negatively impact your environment.
In this example, I will be remotely connecting to the PSC from my desktop which is a Mac OS X system, but it can be any system which contains the ldapsearch and ldapmodify commands.
To query for the logon banner configurations, run the following ldapsearch command (specifying your environment details):
/usr/bin/ldapsearch -h 192.168.1.140 -w 'VMware1!' -x -D "cn=Administrator,cn=Users,dc=vghetto,dc=local" -b "cn=Tenants,cn=IdentityManager,cn=Services,dc=vghetto,dc=local" -s sub "objectclass=vmwSTSTenant"
From the output, we can see there are three properties which control the logon banner feature:
- vmwSTSLogonBannerEnableCheckbox
- vmwSTSLogonBannerTitle
- vmwSTSLogonBanner
To configure the new logon banner, we first need to create a file that contains our configuration changes. To do so, create a file called change.ldif which contains the following (replace with your settings):
dn: cn=vghetto.local,cn=Tenants,cn=IdentityManager,cn=Services,dc=vghetto,dc=local changetype: modify replace: vmwSTSLogonBannerEnableCheckbox vmwSTSLogonBannerEnableCheckbox: TRUE - replace: vmwSTSLogonBanner vmwSTSLogonBanner: You void all warranty/safety by logging into vGhetto Datacenter, you have been warned :-) - replace: vmwSTSLogonBannerTitle vmwSTSLogonBannerTitle: vGhetto Disclaimer
To apply the configuration, run the following ldapmodify command (specifying your environment details):
/usr/bin/ldapmodify -f change.ldif -h 192.168.1.140 -D "cn=Administrator,cn=Users,dc=vghetto,dc=local" -w 'VMware1!'
To completely disable the logon banner feature, create a new file called change2.ldif which contains the following (replace with your settings):
dn: cn=vghetto.local,cn=Tenants,cn=IdentityManager,cn=Services,dc=vghetto,dc=local changetype: modify delete: vmwSTSLogonBannerEnableCheckbox - delete: vmwSTSLogonBanner - delete: vmwSTSLogonBannerTitle
To apply the configuration, run the following ldapmodify command (specifying your environment details):
/usr/bin/ldapmodify -f change.ldif -h 192.168.1.140 -D "cn=Administrator,cn=Users,dc=vghetto,dc=local" -w 'VMware1!'
If you are interested in automating other aspects of the PSC admin configurations, be sure to check out these two articles here and here.
Thanks Willaim! Been hunting for this for hours!