Configuring authentication using Active Directory
You can configure vCenter and NSX-T in Google Cloud VMware Engine to use your on-premises Active Directory as an LDAP identity source for user authentication. After setup is complete, you can grant Active Directory users access to vCenter and NSX-T Manager and assign the roles they need to manage your private cloud.
Before you begin
The steps in this document assume that you first do the following:
- Establish connectivity from your on-premises network to your private cloud
- Enable DNS name resolution of your on-premises Active Directory:
  - For Legacy VMware Engine Networks: create DNS forwarding rules in your private cloud.
  - For Standard VMware Engine Networks: configure DNS bindings to your VMware Engine network.
The following table lists the information you need to set up your on-premises Active Directory domain as an SSO identity source on vCenter and NSX-T. Gather it before you add the identity source:
| Parameter | Description |
| --- | --- |
| Base DN for users | The base distinguished name for users. |
| Domain name | The FQDN of the domain, for example, |
| Domain alias | The domain NetBIOS name. If you use SSPI authentication, add the NetBIOS name of the Active Directory domain as an alias of the identity source. |
| Base DN for groups | The base distinguished name for groups. |
| Primary server URL | The primary domain controller LDAP server for the domain. Use the format. A certificate that establishes trust for the LDAPS endpoint of the Active Directory server is required when you use |
| Secondary server URL | The address of a secondary domain controller LDAP server that is used for failover. |
| Choose certificate | To use LDAPS with your Active Directory LDAP server or OpenLDAP server identity source, click the Choose certificate button that appears after you type |
| Username | The ID of a user in the domain who has a minimum of read-only access to the base DN for users and groups. Use a dedicated account with no more than that read access: vCenter and NSX-T store its password so that they can run directory searches on your behalf. |
| Password | The password of the user who is specified by Username. |
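The parameters above are easy to get subtly wrong (an `https://` URL, a global catalog port on the wrong scheme, a domain name pasted where a base DN belongs, or an `ldap://` URL that will send the bind password in cleartext), and vCenter and NSX-T only tell you about some of these at save time. The following pre-flight check is an added example written for this page, not Google Cloud, VMware or NSX-T code; the dictionary keys mirror the table's parameter names, the sample values in `EXAMPLE` are constructed, and the finding texts are the example's own wording.

```python
"""Pre-flight checks for the identity-source parameters in the table above.

Added example for this page, not Google Cloud, VMware or NSX-T code. The
dictionary keys mirror the table; EXAMPLE holds constructed sample values.
"""
import ipaddress
from urllib.parse import urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}
GLOBAL_CATALOG_PORTS = {3268: "ldap", 3269: "ldaps"}  # see the ports table on this page


def parse_ldap_url(url):
    """Return (scheme, host, port) for an ldap:// or ldaps:// URL.

    A missing port defaults to 389 or 636. Anything that is not an LDAP URL
    (https://, a bare hostname) is rejected, as is a global catalog port paired
    with the wrong scheme, which would never connect.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"not an LDAP URL: {url!r}")
    port = parts.port or DEFAULT_PORTS[scheme]
    if port in GLOBAL_CATALOG_PORTS and GLOBAL_CATALOG_PORTS[port] != scheme:
        raise ValueError(f"port {port} is the {GLOBAL_CATALOG_PORTS[port]} global catalog port, not {scheme}")
    return scheme, parts.hostname, port


def looks_like_dn(value):
    """Loose syntax check: every comma-separated RDN must be attr=value.

    Escaped commas inside values (backslash before the comma) are not handled;
    this catches the common mistake of pasting a domain name where a DN belongs.
    """
    rdns = [rdn.strip() for rdn in value.split(",")]
    return all(
        "=" in rdn and rdn.split("=", 1)[0].strip() and rdn.split("=", 1)[1].strip()
        for rdn in rdns
    )


def validate_identity_source(p):
    """Return a list of findings prefixed ERROR or WARN; an empty list means clean."""
    findings = []
    domain = p.get("domain_name", "").strip().lower()
    if "." not in domain or " " in domain:
        findings.append("ERROR: domain_name must be the DNS FQDN of the AD domain")
    alias = p.get("domain_alias", "").strip()
    if alias and (len(alias) > 15 or "." in alias):
        findings.append("ERROR: domain_alias must be the NetBIOS name: no dots, at most 15 characters")
    for key in ("base_dn_users", "base_dn_groups"):
        if not looks_like_dn(p.get(key, "")):
            findings.append(f"ERROR: {key} is not a distinguished name")

    schemes = set()
    for key in ("primary_server_url", "secondary_server_url"):
        url = p.get(key, "")
        if not url:
            if key == "primary_server_url":
                findings.append("ERROR: primary_server_url is required")
            continue
        try:
            scheme, host, port = parse_ldap_url(url)
        except ValueError as exc:
            findings.append(f"ERROR: {key}: {exc}")
            continue
        schemes.add(scheme)
        try:
            ipaddress.ip_address(host)
        except ValueError:
            pass  # a DNS name: TLS hostname verification can succeed
        else:
            if scheme == "ldaps":
                findings.append(f"WARN: {key} uses an IP address; a DC certificate is normally issued for its DNS name, so hostname verification fails")
    if "ldap" in schemes:
        findings.append("WARN: ldap:// sends the bind password and all directory traffic in cleartext; use ldaps:// (636 or 3269)")
    if "ldaps" in schemes and not p.get("certificate"):
        findings.append("ERROR: ldaps:// requires the certificate that establishes trust for the LDAPS endpoint")
    if not p.get("username") or not p.get("password"):
        findings.append("ERROR: username and password of a read-only bind account are required")
    return findings


EXAMPLE = {  # constructed sample values, not taken from the page
    "domain_name": "corp.example.com",
    "domain_alias": "CORP",
    "base_dn_users": "OU=Users,DC=corp,DC=example,DC=com",
    "base_dn_groups": "OU=Groups,DC=corp,DC=example,DC=com",
    "primary_server_url": "ldap://dc1.corp.example.com",      # cleartext: flagged
    "secondary_server_url": "ldaps://dc2.corp.example.com:636",
    "certificate": "",                                         # missing: flagged
    "username": "svc-vcenter-ldap@corp.example.com",
    "password": "example-only",
}

if __name__ == "__main__":
    for finding in validate_identity_source(EXAMPLE) or ["OK: no findings"]:
        print(finding)
```

Run it against your own values before opening the vCenter or NSX-T wizard; a clean run means the URLs parse, the base DNs are DNs, every server is reached over LDAPS and the trust certificate is present.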
Add an identity source on vCenter
- Elevate privileges on your private cloud.
- Sign in to the vCenter for your private cloud.
- Select Home > Administration.
- Select Single Sign On > Configuration.
- Open the Identity Sources tab and click +Add to add a new identity source.
- Select Active Directory as an LDAP Server, and click Next.
- Specify the identity source parameters for your environment, and click Next.
- Review the settings, and click Finish.
Add an identity source on NSX-T
- Sign in to NSX-T Manager in your private cloud.
- Go to System > Settings > Users and Roles > LDAP.
- Click Add identity source.
- In the Name field, enter a display name for the identity source.
- Specify the Domain Name and Base DN of your identity source.
- In the Type column, select Active Directory over LDAP.
- In the LDAP Servers column, click Set.
- In the Set LDAP Server window, click Add LDAP Server.
- Specify the LDAP server parameters and click Check status to verify the connection from NSX-T manager to your LDAP server.
- Click Add to add the LDAP server.
- Click Apply and then click Save.
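The Check status step above and the equivalent save-time check in vCenter do the same thing: open a connection to the LDAP server and attempt a simple bind with the configured account. When that fails, it helps to reproduce it from a host on the management network with something you control. The following client is an added example written for this page, not NSX-T's or vCenter's own check; it encodes the LDAP BindRequest and decodes the BindResponse by hand (RFC 4511 over BER) so that the exchange is visible, and it assumes a PEM file holding the CA that issued the domain controller's LDAPS certificate (the certificate you upload in the Choose certificate step) and a bind account given as a DN or UPN. The PDUs used in the tests are constructed.

```python
"""Minimal LDAP simple bind over TLS: the exchange behind "Check status", by hand.

Added example for this page, not NSX-T's or vCenter's own connectivity test.
Assumes a CA PEM file for the DC's LDAPS certificate and a bind DN or UPN.
"""
import socket
import ssl

# BER tags used by LDAPMessage, BindRequest and BindResponse (RFC 4511)
SEQUENCE, INTEGER, OCTET_STRING, ENUMERATED = 0x30, 0x02, 0x04, 0x0A
BIND_REQUEST, BIND_RESPONSE = 0x60, 0x61   # [APPLICATION 0] and [APPLICATION 1]
SIMPLE_AUTH = 0x80                         # authentication CHOICE, simple [0]


def ber(tag, payload):
    """Encode one TLV with a definite length (short or long form)."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        size = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(size)]) + size
    return bytes([tag]) + length + payload


def ber_int(value):
    """Encode a non-negative INTEGER, with a leading zero byte when the top bit is set."""
    return ber(INTEGER, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def ber_read(buf, pos=0):
    """Decode the TLV at pos; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        size = length & 0x7F
        length = int.from_bytes(buf[pos:pos + size], "big")
        pos += size
    return tag, buf[pos:pos + length], pos + length


def bind_request(message_id, name, password):
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }.

    The password is a plain OCTET STRING inside the PDU: over ldap:// (389/3268)
    it crosses the network exactly as typed, which is why LDAPS is the right choice.
    """
    body = ber_int(3) + ber(OCTET_STRING, name.encode()) + ber(SIMPLE_AUTH, password.encode())
    return ber(SEQUENCE, ber_int(message_id) + ber(BIND_REQUEST, body))


def parse_bind_response(buf):
    """Return (messageID, resultCode, diagnosticMessage) from a BindResponse PDU."""
    tag, message, _ = ber_read(buf)
    if tag != SEQUENCE:
        raise ValueError("not an LDAPMessage")
    _, message_id, pos = ber_read(message)
    tag, body, _ = ber_read(message, pos)
    if tag != BIND_RESPONSE:
        raise ValueError(f"expected BindResponse, got tag 0x{tag:02x}")
    _, code, pos = ber_read(body)              # resultCode ENUMERATED (0 = success, 49 = invalidCredentials)
    _, _matched_dn, pos = ber_read(body, pos)  # matchedDN
    _, diagnostic, _ = ber_read(body, pos)     # diagnosticMessage
    return int.from_bytes(message_id, "big"), int.from_bytes(code, "big"), diagnostic.decode("utf-8", "replace")


def ldaps_bind_check(host, port, name, password, ca_file, timeout=5.0):
    """Connect over TLS validated against ca_file, send one simple bind, return the parsed reply.

    Use port 636 (domain controller) or 3269 (global catalog). The handshake
    fails if the chain does not lead to ca_file or the certificate is not for host.
    """
    context = ssl.create_default_context(cafile=ca_file)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with context.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(bind_request(1, name, password))
            reply = tls.recv(4096)  # a BindResponse is a few dozen bytes; enough for a probe
    return parse_bind_response(reply)


if __name__ == "__main__":
    import getpass
    import sys
    host, port, name, ca_file = sys.argv[1], int(sys.argv[2]), sys.argv[3], sys.argv[4]
    _, code, diagnostic = ldaps_bind_check(host, port, name, getpass.getpass("bind password: "), ca_file)
    print("bind OK" if code == 0 else f"bind failed, resultCode {code}: {diagnostic}")
```

A TLS error here means the certificate you are about to upload does not establish trust for that endpoint (or the URL names the server differently from its certificate); a resultCode of 49 means the account or password is wrong, and a successful bind followed by a failed save in the wizard points at the base DNs rather than connectivity. The probe reads a single `recv`, which is adequate for the short BindResponse; a general-purpose client would read until the outer BER length is satisfied and send an UnbindRequest before closing.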
Ports required for using on-premises Active Directory as an identity source
The ports listed in the following table are required to configure your on-premises Active Directory as an identity source on the private cloud vCenter. NSX-T Manager is on the same management network and uses the same LDAP and LDAPS ports. If every server URL uses ldaps://, only 636 (and 3269 for the global catalog) need to be reachable; a simple bind over 389 or 3268 carries the bind password in cleartext.

| Port | Source | Destination | Purpose |
| --- | --- | --- | --- |
| 53 (UDP) | Private cloud DNS servers | On-premises DNS servers | Forwarding DNS lookups of on-premises Active Directory domain names from a private cloud vCenter server to an on-premises DNS server. |
| 389 (TCP/UDP) | Private cloud management network | On-premises Active Directory domain controllers | LDAP communication from a private cloud vCenter server to Active Directory domain controllers for user authentication. |
| 636 (TCP) | Private cloud management network | On-premises Active Directory domain controllers | Secure LDAP (LDAPS) communication from a private cloud vCenter server to Active Directory domain controllers for user authentication. |
| 3268 (TCP) | Private cloud management network | On-premises Active Directory global catalog servers | LDAP communication in multi-domain forest deployments. |
| 3269 (TCP) | Private cloud management network | On-premises Active Directory global catalog servers | LDAPS communication in multi-domain forest deployments. |
| 8000 (TCP) | Private cloud management network | On-premises network | vMotion of virtual machines from the private cloud network to the on-premises network. |
For more information about SSO identity sources, see the following vSphere and NSX-T Data Center documentation: