TAM Lab 066 - vSphere 7 with ADFS Authentication

Introduction to vSphere 7 with ADFS Authentication

Overview of the Speaker and Context

  • Bill Hill introduces himself as a VMware expert from Portland, sharing his experience in IT and customer support.
  • He highlights a significant change in vSphere 7: the deprecation of Integrated Windows Authentication (IWA), the mechanism that allowed joining vCenter to the domain.

Key Changes in vSphere 7

  • The removal of Integrated Windows Authentication is noted as an under-the-radar announcement that affects many customers using Active Directory.
  • While Active Directory will still be supported for authentication, users are encouraged to transition either to LDAP over Active Directory or to identity federation with ADFS.

Understanding ADFS Integration

Benefits of Using ADFS

  • Bill discusses how utilizing ADFS can enhance integration capabilities, especially for customers using Office 365.
  • He sets up a simple lab environment consisting of a vCenter Server, an ADFS server, and a domain controller to demonstrate these changes.

Lab Setup Details

  • The lab architecture includes essential components like enterprise CA and DNS services running on the domain controller.
  • Bill prepares to log into vSphere while managing information exchange between his desktop and the ADFS server.

Configuring Identity Sources in vSphere

Navigating Administration Settings

  • In vSphere's administration menu, he accesses single sign-on configuration settings where identity sources are typically set up.
  • New options for changing identity providers are introduced alongside familiar configurations like IWA and LDAP.

Importance of Certificates

  • Bill emphasizes the necessity of certificates within this setup; he mentions not using public CAs but rather an internal CA for security purposes.

Managing Certificates in the Java KeyStore

Updating Trust Stores

  • He explains how to upload the internal CA certificate to vCenter's trusted root store so that HTTPS communication with the ADFS server can be verified.

Utilizing keytool Commands

  • Bill demonstrates importing certificates into the Java KeyStore with the keytool command-line utility, so that the trust-management services are configured correctly.

Final Steps in Configuration

Validating Certificate Installation

  • After restarting the necessary services, he shows how to validate that the certificates were installed correctly by listing them with keytool.

Understanding AD FS Integration

Overview of AD FS and User Experience

  • The speaker discusses the integration of Active Directory Federation Services (AD FS) with specific user accounts, using a user named Virtual Bill from Portland as the example.
  • Users should be aware that changing the identity provider in the UI may disrupt other logged-in users, who may receive error messages during the process.

Addressing Customer Concerns

  • A question arises regarding the deprecation of IWA on ESXi and how customers can log in using AD accounts in the future.
  • The speaker suggests leveraging AD FS for this purpose, while also mentioning LDAP as an alternative method for authentication.

Setting Up AD FS

  • The speaker transitions to setting up AD FS, emphasizing the importance of having Windows Server 2016 or later for compatibility.
  • The speaker launches the AD FS console and prepares to create a new application group, noting improvements made since earlier versions such as 2012 R2.

Creating Application Groups

  • The setup involves creating a new application group within AD FS, which combines previously separate policies for easier management.
  • The speaker selects a template for server applications accessing a web API and explains the significance of client identifiers in this context.

Configuration Details

  • URLs necessary for configuration are copied from vCenter; these are essential for establishing communication between systems.
  • Credentials can be set up using either an Active Directory account or by generating a shared secret, as described in the documentation.

Access Control Options

  • Discussion on access control flexibility within AD FS reveals options such as permitting everyone or implementing multi-factor authentication for specific groups.
  • While VMware does not support certain configurations, there is potential to leverage advanced features based on customer needs.

Authentication and Configuration in vCenter

Overview of Authentication Setup

  • The process begins with setting up authentication for Active Directory (AD) using OpenID Connect as the standard for communication and claims passing.
  • The speaker acknowledges that while the setup may not seem exciting, it is significant when it functions correctly.

Claims Configuration

  • A summary of the server setup is provided, including obtaining the client ID and configuring the Web API to map data from Active Directory to OpenID fields.
  • The configuration involves creating claims by pulling LDAP attributes from Active Directory, specifically focusing on group claims.

Mapping User Attributes

  • The group claim is mapped from AD using qualified domain names, emphasizing the importance of proper attribute selection.
  • User Principal Name (UPN), one of the two primary username formats in AD, is also mapped to the Name ID claim for consistency across claims.

Finalizing Claims and Configuration

  • Three key claims are established: group, subject, and UPN. This step is noted as relatively straightforward for teams familiar with AD FS management.
  • The next step involves retrieving the OpenID configuration URL necessary for vCenter to access information about AD FS via PowerShell commands.
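The AD FS steps summarised above (application group, server application with a shared secret, web API with the group, UPN and Name ID claims, and the OpenID configuration URL) can be scripted with the ADFS PowerShell module instead of the console wizard. The following is an added example written for this page, not code from the session or from VMware; the application group name, the vCenter redirect URIs, the description and the access control policy name are assumptions and must be replaced with the values shown in your own vCenter identity-provider wizard.

```powershell
# Added example (not from the TAM Lab session or VMware): create the vCenter
# application group in AD FS from PowerShell, mirroring the console steps in
# the session. Run on the AD FS server (Windows Server 2016 or later) as an
# AD FS administrator.
Import-Module ADFS

# --- Assumed values (placeholders for this example) ----------------------
$GroupName    = 'vCenter'                     # application group name
$RedirectUris = @(                            # copy the real URIs from vCenter's wizard
    'https://vcenter.example.test/ui/login/oauth2/authcode',
    'https://vcenter.example.test/ui/login'
)
$AccessPolicy = 'Permit everyone'             # built-in policy; a group-scoped MFA policy is another option

# Client identifier shared by the server application, the web API and vCenter
$ClientId = [guid]::NewGuid().ToString()

New-AdfsApplicationGroup -Name $GroupName -Description 'vSphere 7 identity federation' | Out-Null

# 1. Server application: the confidential client that holds the shared secret.
#    -GenerateClientSecret returns the secret once; it cannot be read back later.
$serverApp = Add-AdfsServerApplication -ApplicationGroupIdentifier $GroupName `
    -Name "$GroupName - Server application" `
    -Identifier $ClientId `
    -RedirectUri $RedirectUris `
    -GenerateClientSecret
$ClientSecret = $serverApp.ClientSecret

# 2. Issuance transform rules: pull three LDAP attributes from Active Directory
#    and emit the claims vCenter expects (Group, UPN, Name ID). tokenGroups
#    qualified by domain name yields "DOMAIN\group" values for group mapping.
$IssuanceRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "vCenter claims: groups, UPN and Name ID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/Group", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";tokenGroups(domainQualifiedName),userPrincipalName,userPrincipalName;{0}", param = c.Value);
'@

# 3. Web API: the relying party that receives the claims. Its identifier must
#    equal the client ID, otherwise AD FS rejects the token request.
Add-AdfsWebApiApplication -ApplicationGroupIdentifier $GroupName `
    -Name "$GroupName - Web API" `
    -Identifier $ClientId `
    -IssuanceTransformRules $IssuanceRules `
    -AccessControlPolicyName $AccessPolicy

# 4. The OpenID Connect discovery URL that vCenter reads to locate AD FS
$OidcUrl = "https://$((Get-AdfsProperties).HostName)/adfs/.well-known/openid-configuration"

# Values to enter in vCenter's "Change identity provider" wizard
[pscustomobject]@{
    'Client identifier' = $ClientId
    'Shared secret'     = $ClientSecret
    'OpenID address'    = $OidcUrl
} | Format-List
```

The shared secret is displayed once and should be copied straight into vCenter; treat it like a password, since anyone holding it and the client ID can complete the authorization-code exchange as the vCenter client.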

Addressing Questions and Concerns

  • A question arises regarding keystore passwords during certificate imports; it's confirmed that defaults should be used unless changed.
  • Another inquiry pertains to how configurations change with CAC and PIV cards; viewers are encouraged to observe UI changes during this process.

Identity Provider Selection

  • The speaker demonstrates toggling between different identity providers within vCenter's interface, selecting AD FS for this activity.
  • Information such as the client ID and shared secret is entered into vCenter's configuration settings alongside the OpenID configuration address.

LDAP Connection Insights

  • Despite utilizing AD FS for user authentication, an LDAP connection remains essential for directory lookups within Active Directory.

OpenID and AD FS Configuration Overview

Introduction to OpenID and LDAP Attributes

  • Discussion on entering the OpenID address together with the domain and LDAP attributes that complete the configuration.
  • Mention that the option for CAC cards is no longer available in vCenter, suggesting a shift towards using Microsoft AD FS.

User Authentication Process

  • Users will input their username, and AD FS will handle the verification process.
  • Demonstration of logging into vCenter using a local account, which does not redirect to AD FS.

Setting Up Permissions

  • Acknowledgment that permissions for users to log in have not yet been configured.
  • Steps taken to add a user (Rainey Johnson) as an administrator through the AD FS interface.

User Experience with AD FS

Logging In with New Configurations

  • Description of the login experience after adding an administrator, highlighting redirection to the identity provider.
  • Confirmation that users are authenticated against AD FS, showcasing branding consistency within the UI.

Admin Rights Verification

  • Successful login of Rainey Johnson as an admin, confirming full rights as intended due to group membership.

Switching Between Identity Providers

Changing Identity Provider Settings

  • Explanation of toggling between AD FS and traditional embedded services in single sign-on configuration.
  • Warning about potential removal of users and groups when switching identity providers; emphasis on understanding consequences before proceeding.

Reverting Changes

  • Instructions provided for re-establishing connection with Active Directory after reverting from AD FS back to traditional settings.

Challenges with Multiple Domains

Managing Multiple Domains with AD FS

  • Inquiry regarding support for multiple domains under current configurations; concerns about manual addition of all domains if using LDAP over Active Directory.

Architectural Considerations

  • Discussion on potential architectural solutions involving claims providers and multiple data sources within AD FS.
  • Acknowledgment that setting up trusts between different domains may be complex but possible.

Understanding Resource Domains and Authentication Strategies

Establishing Resource Domains

  • The discussion begins with the potential for establishing a resource domain, which can serve as a single point of contact for managing resources effectively.
  • Many customers utilize Office 365; if they have an Active Directory strategy in place, they can leverage existing infrastructure to authenticate users efficiently.

Troubleshooting AD FS Issues

  • The speaker emphasizes the importance of troubleshooting when working with AD FS, noting that it is not their primary area of expertise.
  • Event Viewer logs are highlighted as the main tool for diagnosing AD FS issues, particularly event IDs 364 and 1020, which identify problems with relying parties.

Analyzing Log Files

  • The speaker discusses using log files from the vCenter Server appliance to trace the authentication flow, since examining these logs reveals where a failure occurs.
  • Tailing the messages log file is recommended to observe real-time authentication attempts and identify SSL certificate issues.

LDAP Configuration Insights

  • Logs from the SSO folder are noted as valuable for monitoring LDAP configurations and troubleshooting related activities.
  • A question arises regarding the use of LDAP authentication with AD users, indicating uncertainty about its implementation at the CLI level.

Validating AD FS Functionality

  • The conversation touches on deprecated IWA authentication methods for hosts, leading to discussions about current limitations in user authentication options.
  • A URL is provided for validating AD FS functionality; this tool helps ensure basic setup steps are correctly implemented before proceeding further.
  • Certain features must first be enabled through PowerShell commands, or sign-on attempts against the validation page will fail; successful credential validation there indicates the configuration is correct.
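The AD FS-side troubleshooting and validation steps above (event IDs 364 and 1020, the relying-party identifier, the OpenID configuration document, and the feature that has to be enabled with PowerShell before the validation page works) can be collected into a few reusable functions. This is an added example written for this page, not code from the session or from VMware. Two assumptions are labelled in the code: that the PowerShell-enabled feature the session refers to is the IdP-initiated sign-on page, and that the validation URL is that page.

```powershell
# Added example (not from the TAM Lab session or VMware): first-line AD FS
# checks for a vCenter identity federation that fails at sign-on.
# Run on the AD FS server as an AD FS administrator.
Import-Module ADFS

function Get-AdfsRelyingPartyErrors {
    # Event IDs 364 and 1020 in the AD FS/Admin log flag failed federation
    # requests, including relying-party (vCenter) identifier mismatches.
    param([int]$Hours = 1)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'AD FS/Admin'
        Id        = 364, 1020
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
}

function Get-VcenterRelyingPartyIds {
    # The web API identifier must equal the client ID entered in vCenter;
    # compare this list against the value in vCenter's identity-provider settings.
    Get-AdfsWebApiApplication |
        Select-Object Name, @{ n = 'Identifier'; e = { $_.Identifier -join ', ' } }
}

function Test-AdfsOidcDiscovery {
    # Fetch the discovery document vCenter reads and confirm the fields it
    # depends on are present (a TLS trust failure surfaces here as an exception).
    param([string]$HostName = (Get-AdfsProperties).HostName)
    $url = "https://$HostName/adfs/.well-known/openid-configuration"
    $doc = Invoke-RestMethod -Uri $url -Method Get
    foreach ($field in 'issuer', 'authorization_endpoint', 'token_endpoint', 'jwks_uri') {
        if (-not $doc.$field) { throw "Discovery document at $url is missing '$field'" }
    }
    $doc
}

function Enable-AdfsSignonTestPage {
    # Assumption: the feature the session enables with PowerShell is the
    # IdP-initiated sign-on page, which is off by default on Server 2016+ and
    # serves the validation URL /adfs/ls/idpinitiatedsignon.aspx.
    if (-not (Get-AdfsProperties).EnableIdPInitiatedSignonPage) {
        Set-AdfsProperties -EnableIdPInitiatedSignonPage $true
    }
    "https://$((Get-AdfsProperties).HostName)/adfs/ls/idpinitiatedsignon.aspx"
}

# Typical order: recent errors, identifier check, discovery check, then the
# sign-on page URL to try a credential validation in a browser.
Get-AdfsRelyingPartyErrors -Hours 2 | Format-Table -AutoSize
Get-VcenterRelyingPartyIds | Format-Table -AutoSize
(Test-AdfsOidcDiscovery).issuer
Enable-AdfsSignonTestPage
```

Leave the IdP-initiated sign-on page enabled only for the duration of the validation; it is disabled by default for a reason, and the same credential check can be repeated from the vCenter login page once federation works.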

vSphere 7 Features and Customer Adoption

Overview of vSphere 7 Functionality

  • The discussion highlights that vSphere 7 introduces new features, but many customers may remain on versions 6 or 7 for an extended period due to existing support options.
  • Active Directory Federation Services (AD FS) is currently the supported identity provider, indicating a focus on security enhancements in future updates.

Customer Experience and Setup

  • For customers already utilizing AD FS, the transition to new features will be relatively straightforward as much of the groundwork has been laid.
  • The speaker expresses optimism about guiding customers through their evolving security model journeys, emphasizing the importance of support during this transition.

Video description

With the release of vSphere 7, customers can now move beyond authentication mechanisms like SSO domain users, LDAP(S), and joining vCenter to their Active Directory domains. Identity Federation allows for us to leverage enterprise identity providers, like Microsoft Active Directory Federation Services (ADFS), to grant access to vSphere! Join Bill Hill (@virtual_bill) for this TAM Lab session where we walk through what this looks like and how our customers can leverage this in their environment.