Over the holiday break I learned about two awesome tidbits from my buddies Blair Fritz and Frank Buechsel, who both work over in our GSS Organization. The first tidbit came from Blair, who recently shared a newly published VMware KB 2063424 that provides both a Windows and a Linux script to automate the setup of your Active Directory as an Identity Source within vSphere SSO. The reason this is so cool is that you no longer have to perform this additional manual step using the vSphere Web Client just to be able to start using your Active Directory as a source for authorization within your vSphere environment. In my opinion, this step should just happen automatically if your vCenter Server (applies to both VC for Windows and the VCSA) is already joined to an Active Directory Domain.
UPDATE (01/15/19) - For vSphere 6.5 and 6.7, please refer to VMware KB 67304 for the updated package required to automate this configuration
Looking at the contents of the script, I have extracted its main parts into a quick snippet that can easily be integrated into my existing VCSA 5.5 Configuration script, if you are interested in automating this particular configuration.
```bash
AD_DOMAIN=primp-industries.com
EXPORTED_SSO_PROPERTIES=/usr/lib/vmware-upgrade/sso/exported_sso.properties

# Start from a clean properties file so no stale identity sources are imported
if [ -e "${EXPORTED_SSO_PROPERTIES}" ]; then
    rm -f "${EXPORTED_SSO_PROPERTIES}"
fi

# Describe the AD domain as an external identity source (type 0 = Active Directory
# integrated authentication, as generated by the KB 2063424 script)
cat > "${EXPORTED_SSO_PROPERTIES}" << __SSO_EXPORT_CONF__
ExternalIdentitySource.${AD_DOMAIN}.name=${AD_DOMAIN}
ExternalIdentitySource.${AD_DOMAIN}.type=0
ExternalIdentitySourcesDomainNames=${AD_DOMAIN}
__SSO_EXPORT_CONF__

# Let the SSO import tool register the identity source, then remove the temporary file
/usr/lib/vmware-upgrade/sso/sso_import.sh > /dev/null 2>&1
rm -rf "${EXPORTED_SSO_PROPERTIES}"
```
The next tidbit that I learned the same day came from Frank. It was in regards to configuring the default Identity Source for vSphere SSO, which includes localos, vsphere.local and, if you have Active Directory configured, your AD Domain, as seen in the screenshot below. For a fresh installation, the "localos" Domain is always the default, and I was interested in configuring my AD Domain as the default. It turns out this is also possible to automate, and more details can be found in this handy VMware KB 2070433.
Similar to the other KB, I have created a quick snippet which can be integrated into my existing VCSA 5.5 Configuration script if you are also interested in automating this configuration.
```bash
AD_DOMAIN=primp-industries.com
SSO_ADMINISTRATOR_PASSWORD=vmware
SSO_LDIF_CONF=/tmp/defaultdomain.ldif

# LDIF that replaces the default identity provider of the vsphere.local tenant
cat > "${SSO_LDIF_CONF}" << __DEFAULT_SSO_DOMAIN__
dn: cn=vsphere.local,cn=Tenants,cn=IdentityManager,cn=Services,dc=vsphere,dc=local
changetype: modify
replace: vmwSTSDefaultIdentityProvider
vmwSTSDefaultIdentityProvider: ${AD_DOMAIN}
__DEFAULT_SSO_DOMAIN__

# Apply the change against the local SSO directory (port 11711) as the SSO administrator.
# Note that -w puts the password on the command line, where it is visible in the process list.
ldapmodify -f "${SSO_LDIF_CONF}" -h localhost -p 11711 \
    -D "cn=Administrator,cn=Users,dc=vsphere,dc=local" -w "${SSO_ADMINISTRATOR_PASSWORD}"
```
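Two things I would want around that snippet before running it from a configuration script: a check that the domain name is well-formed before it is expanded into the LDIF, and a read-back afterwards to confirm the default identity provider actually changed. The helpers below are an added example, not code from the post or the KB; they assume ldapsearch is available next to ldapmodify on the appliance and that the SSO administrator password is supplied in the SSO_ADMINISTRATOR_PASSWORD environment variable.

```shell
#!/bin/sh
# Added example (not part of the original post or KB 2070433).
# Assumes: ldapsearch/ldapmodify on the VCSA, SSO_ADMINISTRATOR_PASSWORD set.
SSO_LDAP_PORT=11711
SSO_BIND_DN="cn=Administrator,cn=Users,dc=vsphere,dc=local"
SSO_TENANT_DN="cn=vsphere.local,cn=Tenants,cn=IdentityManager,cn=Services,dc=vsphere,dc=local"

# Accept only a DNS-style domain name. The heredoc in the snippet expands AD_DOMAIN
# unquoted, so a value with an embedded newline would turn into extra LDIF lines.
validate_ad_domain() {
    [ "$(printf '%s\n' "$1" | wc -l | tr -d ' ')" -eq 1 ] || return 1
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)+$'
}

# Emit the same modify operation as the snippet, for a validated domain.
default_domain_ldif() {
    validate_ad_domain "$1" || { echo "invalid AD domain: $1" >&2; return 1; }
    printf 'dn: %s\nchangetype: modify\nreplace: vmwSTSDefaultIdentityProvider\nvmwSTSDefaultIdentityProvider: %s\n' \
        "$SSO_TENANT_DN" "$1"
}

# Extract vmwSTSDefaultIdentityProvider from LDIF on stdin (e.g. ldapsearch -LLL output).
parse_default_provider() {
    sed -n 's/^vmwSTSDefaultIdentityProvider: *//p' | head -n 1
}

# Apply the change, then read the attribute back and compare it to what was requested.
set_and_verify_default_domain() {
    domain="$1"
    default_domain_ldif "$domain" | ldapmodify -h localhost -p "$SSO_LDAP_PORT" \
        -D "$SSO_BIND_DN" -w "$SSO_ADMINISTRATOR_PASSWORD" > /dev/null || return 1
    actual=$(ldapsearch -LLL -h localhost -p "$SSO_LDAP_PORT" -D "$SSO_BIND_DN" \
        -w "$SSO_ADMINISTRATOR_PASSWORD" -b "$SSO_TENANT_DN" -s base \
        vmwSTSDefaultIdentityProvider | parse_default_provider)
    [ "$actual" = "$domain" ]
}
```

Call `set_and_verify_default_domain primp-industries.com` from the configuration script and treat a non-zero exit as a failed step rather than assuming the LDAP modify took effect.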
I was quite happy to learn about these two tips, as these are literally the last two configurations that I have not been able to automate, since the vSphere SSO Admin APIs are currently private. I will be updating my VCSA Configuration Script in the next few days to include these additional configurations and will publish an updated script once it is complete. A big thanks goes to both Blair and Frank for sharing this awesome information!