Tuesday, May 26, 2015

vSphere 6 - Configuring SSO with an Active Directory Identity Source

Configuring vSphere 6 SSO

After deployment, one thing I noticed right away is a new section in the vSphere Web Client Administration interface. You can get to it by clicking Home->Administration. The image on the left is how the Administration section looked in vSphere 5.5, while the image on the right shows how it looks in vSphere 6.



Notice a new section under Administration called Deployment. This is where you manage your PSC. I stumbled on this when I attempted to add a new SSO Identity Source. When I selected the Active Directory (Integrated Windows Authentication) radio button, the client told me that I had not yet joined vCenter Single Sign-On to a domain, and provided me with a link to get there.



Clicking this link takes you straight to the Home->Administration->System Configuration section. One thing I noticed is that even though there is a field for Organizational Unit, this is not required if you want the Active Directory computer object for your PSC to be in the default Computers container. You can leave that field blank.


You won't receive much of a confirmation message, but the task will show up in the Recent Tasks pane. You can also confirm whether or not it worked by checking AD for the PSC computer object. You'll need to completely restart the PSC after joining the domain. Rather than heading over to your vSphere client to reboot it, right-click the PSC node name and select Reboot. A helpful warning message pops up letting you know exactly what the impact will be.


Once the reboot is done we can continue to configure vCenter Single Sign-On. Navigate to Home->Administration->Configuration (under Single Sign-On) and click the Identity Sources tab. When selecting the Active Directory (Integrated Windows Authentication) radio button, you'll see your AD domain name populated, and the "Use machine account" radio button selected. Click OK.


Simple. Now that we have an identity source, we can configure users and groups, which is also located under the Single Sign-On section of Home->Administration. You have a lot of options here, but I personally prefer to add AD admin groups or users to the built-in Administrators group. You'd do that by selecting the Groups tab, selecting Administrators, and clicking the icon in the Group Members section to edit the group membership. Use the domain drop-down to select your AD domain and then search for the applicable users or groups to add. This is another great reason NOT to name the vCenter Single Sign-On domain the same as your AD domain.
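To verify the AD side of the steps above from a domain-joined admin workstation, here is an added PowerShell example (not from the original post). It assumes the ActiveDirectory RSAT module is installed, and the PSC host name and the AD group you added to SSO Administrators are placeholders you replace with your own.

```powershell
# Added example: confirm the PSC domain join and review who was granted SSO Administrators.
# $PscHostName and $VcenterAdminGroup are placeholders, not values from the post.
Import-Module ActiveDirectory

$PscHostName       = 'psc01'           # placeholder: short host name of your PSC
$VcenterAdminGroup = 'vCenter-Admins'  # placeholder: AD group added to SSO Administrators

# 1. The domain join should have created a computer object for the PSC. With the
#    Organizational Unit field left blank it lands in the default Computers container.
$psc = Get-ADComputer -Filter "Name -eq '$PscHostName'" -Properties whenCreated, Enabled
if (-not $psc) {
    Write-Warning "No computer object named $PscHostName found; the domain join did not complete."
} else {
    $domainDn  = (Get-ADDomain).DistinguishedName
    $defaultCn = "CN=Computers,$domainDn"
    $inDefault = $psc.DistinguishedName -like "*,$defaultCn"
    Write-Output ("PSC object: {0} (enabled={1}, created={2}, in default Computers container={3})" -f
        $psc.DistinguishedName, $psc.Enabled, $psc.whenCreated, $inDefault)
}

# 2. List every principal that inherits vCenter SSO Administrators through the AD group.
#    Nested groups are expanded so the full set of accounts is visible for review.
$members = Get-ADGroupMember -Identity $VcenterAdminGroup -Recursive |
    Select-Object Name, SamAccountName, objectClass
Write-Output "Principals granted SSO Administrators via ${VcenterAdminGroup}:"
$members | Format-Table -AutoSize
```

Run it again whenever the admin group changes; the recursive listing is the quickest way to spot an unexpected account picking up full vCenter rights through nesting.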
