WilliamLam.com

vCenter Server Identity Federation with Authentik Identity Provider

by // 2 Comments

While answering a recent question on the VMware Reddit Community, I came to learn about Authentik, an open source identity provider (IdP), which is pretty feature rich and best of all, you can self-host the Authentik IdP solution.

While Authentik is not one of the officially supported Identity Providers for vCenter Server Identity Federation such as Okta, Microsoft Entra ID, Microsoft ADFS or PingFederate, I was curious if it would to allow me to easily play with the Identity Federation feature in vCenter Server? 🤔

Hint: It works! 😁

Disclaimer: Authentik is currently not an officially supported vCenter Server IdP as mentioned earlier, please use at your own risk.

[Read more...]

Quick Tip - Block or remove download URL for VMware Enhanced Authentication Plug-in (EAP)

by // 19 Comments

There was a new VMware Security Advisory (VMSA-2024-0003) that was published this week that affects the deprecated VMware Enhanced Authentication Plug-in (EAP) and as part of the remediation, per VMware KB 96442, there are instructions on how to uninstall the EAP plugin from desktop systems that had it installed.

I also noticed there were also questions from the community about disabling the EAP download itself, which is available as a hyperlink from the vSphere UI login page as shown in the screenshot below.


Having spent some time exploring and customizing the vSphere UI login page back in 2015, I knew there were a few ways of either blocking and/or removing the download URL all together, so I figure I would put together the list of options depending on what users were comfortable with.

[Read more...]

Automating certificate-manager CLI operations in vCenter Server (VCSA)

by // 3 Comments

I recently had a customer inquiry where they were interested in automating the certificate replacement for vCenter Solution Users when using the /usr/lib/vmware-vmca/bin/certificate-manager CLI, which is found within the vCenter Server Appliance (VCSA).


Note: One important thing to understand is that with vSphere 7.0, the vCenter Solution User certificates have been deprecated and the ability to replace the internal certificates will be removed in a future release as mentioned in the referenced vSphere blog post.

VMware does not recommend replacing the internal vCenter Solution User certificates, but for users who may have an organization requirement to do so, the operation is performed interactively using the certificate-manager CLI as mentioned earlier.

By design, the certificate-manager is meant to be consumed interactively and any non-interactive or automated use cases is not possible ...

[Read more...]