Active Directory authentication for ESXi host management

This was not as straightforward as I’d hoped.

Apparently (see video – ugh, why not bullet points?), you just add the host to AD, create an Active Directory security group called ESX Admins, stick the users in the group and voila, you can SSH etc. to the server as those AD users.

No. (Not for me, anyway.)

What I had to do was:

  1. Create a new global security group in Active Directory called ESX Admins. The host tries to add this automatically (if it exists) when it joins your AD. I’ve even seen a host re-add the group after I manually deleted it from the host. So it might be better not to fight this and just call the group ESX Admins.
  2. Add the users you want to have administrator rights on the host to the new ESX Admins group.
  3. Add the host to your Active Directory, making sure you put it in the OU that you want it to ultimately live in when you add it – the authentication seems to break if you subsequently move it. From the vSphere Client select the host, go to the Configuration tab, under Software pick Authentication Services, then click Properties… in the top right. Select Active Directory instead of Local Authentication. Enter the fully qualified domain name of your Active Directory, then the OU(s) that you want it to be placed in separated by forward slashes, e.g. rcmtech.co.uk/Servers/vSphere Hosts (spaces are fine). Enter a suitable username & password (e.g. a Domain Admin) when prompted. You should see an item appear in Recent Tasks called Join Windows Domain, which should very quickly say Completed. Click OK to close the Directory Services Configuration dialogue.
  4. Connect to the host directly with the vSphere client. Use the format of <domain>\<username> (though user@fully.qualified.domain should work too) and obviously using a user that’s a member of your ESX Admins group. If it works, well done, stop reading here! If it fails to authenticate, as in my case, read on.
  5. Change the username to root and log on to the host with the vSphere client (successfully this time – if this step fails you’re stuffed!).
  6. Go to the Permissions tab. In theory the host should have automatically added your ESX Admins group, you should see it showing in the form of:
    RCMTECH\esx^admins
    This automatic add didn’t work for me. When I tried to search for the group in order to add it manually, the search didn’t find it: “No users or groups were found as a result of the search”. I was seeing some groups listed, but by no means all of my AD groups. The groups not showing seemed to be in certain OUs: I had an OU called Admin Groups in the root of the directory and the host could not find the ESX Admins group there. I moved the group to a different OU (Staff\Groups) and it did find it. Weird. So I added the ESX Admins group, giving it the role of Administrator: right-click anywhere over the white space in the Permissions tab and choose Add Permission…. Change the Assigned Role to Administrator and click the Add… button. Change the Domain box to show your Active Directory, find your ESX Admins group, click Add, click OK. Note that if you have to move the OU that the group is in to enable it to be found, then you might need to wait for AD to synchronise (or force a sync) before searching again.
  7. Note that once you are able to find the ESX Admins group from the host, adding any more hosts should work correctly – the group will be added to the host within a minute or so of the host joining the domain.
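Once a few hosts are joined, it is worth checking them all the same way rather than trusting the automatic group add, since whichever group ends up with the Administrator role on a host controls it completely. The following PowerCLI audit script is an added example, not part of the original post: it assumes VMware PowerCLI is installed, that you have a credential able to read each host's permissions, and uses constructed host names and domain values; the advanced setting it reads only exists from ESXi 5.x onward (on earlier builds the group name is fixed to ESX Admins).

```powershell
# Added audit script (not from the original post). Assumes VMware PowerCLI is installed.
# Host names, the expected domain and the group name below are constructed placeholders;
# replace them with your own values.
$Hosts        = @('esx01.rcmtech.co.uk', 'esx02.rcmtech.co.uk')   # constructed
$ExpectedDom  = 'rcmtech.co.uk'                                   # constructed
$ExpectedGrp  = 'RCMTECH\esx^admins'   # how ESXi displays the ESX Admins group
$ExpectedAdmins = @('root', $ExpectedGrp)

function Test-EsxAdHostConfig {
    param([string]$HostName, [pscredential]$Credential)
    $srv  = Connect-VIServer -Server $HostName -Credential $Credential
    $vmh  = Get-VMHost -Server $srv
    $auth = Get-VMHostAuthentication -VMHost $vmh

    # Advanced setting that names the group auto-granted Administrator (ESXi 5.x+).
    # On older hosts it does not exist and this lookup returns nothing.
    $grpSetting = Get-AdvancedSetting -Entity $vmh `
        -Name 'Config.HostAgent.plugins.hostsvc.esxAdminsGroup' -ErrorAction SilentlyContinue
    $grpName = 'ESX Admins (fixed on this build)'
    if ($grpSetting) { $grpName = $grpSetting.Value }

    # Every principal holding the Administrator role on this host.
    $adminGrants = Get-VIPermission -Server $srv | Where-Object { $_.Role -eq 'Administrator' }
    $unexpected  = $adminGrants |
        Where-Object { $ExpectedAdmins -notcontains $_.Principal } |
        Select-Object -ExpandProperty Principal

    $result = [pscustomobject]@{
        Host                 = $HostName
        Domain               = $auth.Domain
        DomainOk             = ($auth.Domain -eq $ExpectedDom -and $auth.DomainMembershipStatus -eq 'Ok')
        AdminGroupName       = $grpName
        ExpectedGroupIsAdmin = [bool]($adminGrants | Where-Object { $_.Principal -eq $ExpectedGrp })
        UnexpectedAdmins     = ($unexpected -join ', ')
    }
    Disconnect-VIServer -Server $srv -Confirm:$false
    return $result
}

$cred = Get-Credential -Message 'Account that can read host permissions'
$Hosts | ForEach-Object { Test-EsxAdHostConfig -HostName $_ -Credential $cred } | Format-Table -AutoSize
```

A host showing DomainOk false reproduces the symptom in step 4, and any name in UnexpectedAdmins is a principal that was granted Administrator outside this procedure and should be explained or removed.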

I can now SSH to my hosts, use the web-based datastore browser, and point the vSphere client directly at hosts, all using my AD credentials. No more setting up local accounts or using the generic root account.


2 Responses to Active Directory authentication for ESXi host management

  1. MikeV says:

    Robin,
    Good post.
    In ESXi 5 you can change the name of the default group (ESX Admins). This gives you the ability to pick a group name that complies with your company’s naming conventions. Also, specifying a custom group name allows multiple admin areas to manage their own set of ESXi hosts.

  2. AntonioE says:

    For some reason I had to reboot my ESX server before I could choose objects from my domain. Glad it was a tertiary backup and wasn’t hosting any VMs yet! Thanks Robin!!
