Configuring authentication using Active Directory
You can configure vCenter and NSX-T in Google Cloud VMware Engine to use your on-premises Active Directory as an LDAP or LDAPS identity source for user authentication. Once setup is complete, you can provide access to vCenter and NSX-T Manager and assign required roles for managing your private cloud.
Before you begin
The steps in this document assume that you first do the following:
- Establish connectivity from your on-premises network to your private cloud
- Enable DNS name resolution of your on-premises Active Directory:
  - For Legacy VMware Engine Networks: Enable DNS name resolution of your on-premises Active Directory by creating DNS forwarding rules in your private cloud.
  - For Standard VMware Engine Networks: Enable DNS name resolution of your on-premises Active Directory by configuring DNS bindings to your VMware Engine network.
The following table lists the information you need when setting up your on-premises Active Directory domain as an SSO identity source on vCenter and NSX-T. Gather the following information before setting up SSO identity sources:
Information | Description |
---|---|
Base DN for users | The base distinguished name for users. |
Domain name | The FQDN of the domain, for example, example.com. Don't provide an IP address in this field. |
Domain alias | The domain NetBIOS name. If you use SSPI authentication, add the NetBIOS name of the Active Directory domain as an alias of the identity source. |
Base DN for groups | The base distinguished name for groups. |
Primary server URL | The primary domain controller LDAP server for the domain, given as an ldap:// or ldaps:// URL. A certificate that establishes trust for the LDAPS endpoint of the Active Directory server is required when you use ldaps://. |
Secondary server URL | The address of a secondary domain controller LDAP server that is used for failover. |
Choose certificate | To use LDAPS with your Active Directory LDAP server or OpenLDAP server identity source, click the Choose certificate button that appears after you type ldaps:// in the URL field. A secondary server URL isn't required. |
Username | The ID of a user in the domain who has a minimum of read-only access to the base DN for users and groups. |
Password | The password of the user who is specified by Username. |
Add an identity source on vCenter
- Elevate privileges on your private cloud.
- Sign in to the vCenter for your private cloud.
- Select Home > Administration.
- Select Single Sign On > Configuration.
- Open the Identity Sources tab and click +Add to add a new identity source.
- Select Active Directory as an LDAP Server, and click Next.
- Specify the identity source parameters for your environment, and click Next.
- Review the settings, and click Finish.
Add an identity source on NSX-T
- Sign in to NSX-T Manager in your private cloud.
- Go to System > Settings > Users and Roles > LDAP.
- Click Add identity source.
- In the Name field, enter a display name for the identity source.
- Specify the Domain Name and Base DN of your identity source.
- In the Type column, select Active Directory over LDAP.
- In the LDAP Servers column, click Set.
- In the Set LDAP Server window, click Add LDAP Server.
- Specify the LDAP server parameters and click Check status to verify the connection from NSX-T manager to your LDAP server.
- Click Add to add the LDAP server.
- Click Apply and then click Save.
Ports required for using on-premises Active Directory as an identity source
The ports listed in the following table are required to configure your on-premises Active Directory as an identity source on the private cloud vCenter.
Port | Source | Destination | Purpose |
---|---|---|---|
53 (UDP) | Private cloud DNS servers | On-premises DNS servers | Required for forwarding DNS lookup of on-premises Active Directory domain names from a private cloud vCenter server to an on-premises DNS server. |
389 (TCP/UDP) | Private cloud management network | On-premises Active Directory domain controllers | Required for LDAP communication from a private cloud vCenter server to Active Directory domain controllers for user authentication. |
636 (TCP) | Private cloud management network | On-premises Active Directory domain controllers | Required for secure LDAP (LDAPS) communication from a private cloud vCenter server to Active Directory domain controllers for user authentication. |
3268 (TCP) | Private cloud management network | On-premises Active Directory global catalog servers | Required for LDAP communication in multi-domain controller deployments. |
3269 (TCP) | Private cloud management network | On-premises Active Directory global catalog servers | Required for LDAPS communication in multi-domain controller deployments. |
8000 (TCP) | Private cloud management network | On-premises network | Required for vMotion of virtual machines from the private cloud network to the on-premises network. |
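As an added example (not part of this documentation or of the VMware Engine product), the following Python script checks the identity-source settings from the information table above and then probes the LDAP, LDAPS and global catalog ports from the ports table before you add the identity source in vCenter or NSX-T. The function names, the settings keys, the sample values and the certificate path are assumptions; run it from a machine on the private cloud management network that already resolves the on-premises domain.

```python
"""Pre-flight check for an Active Directory LDAP/LDAPS identity source.

Added example: validates the settings described in the information table
and probes the ports from the ports table. Sample values are constructed.
"""
import ipaddress
import socket
import ssl
from urllib.parse import urlsplit

# Default ports per URL scheme (389 LDAP, 636 LDAPS), as in the ports table.
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}
# Global catalog ports for multi-domain deployments (3268 LDAP, 3269 LDAPS).
GLOBAL_CATALOG_PORTS = {"ldap": 3268, "ldaps": 3269}


def parse_ldap_url(url):
    """Return (scheme, host, port) for an ldap:// or ldaps:// URL.

    The port defaults to 389 for ldap and 636 for ldaps when omitted.
    Raises ValueError for any other scheme or for a URL without a host.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme {parts.scheme!r}: use ldap:// or ldaps://")
    if not parts.hostname:
        raise ValueError(f"no host in {url!r}")
    return scheme, parts.hostname, parts.port or DEFAULT_PORTS[scheme]


def required_ports(scheme, multi_domain=False):
    """Ports the private cloud must reach for the given scheme."""
    ports = [DEFAULT_PORTS[scheme]]
    if multi_domain:
        ports.append(GLOBAL_CATALOG_PORTS[scheme])
    return ports


def is_ip_address(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def validate_identity_source(cfg):
    """Check a settings dict against the table's rules; return a list of problems."""
    problems = []
    for key in ("users_base_dn", "groups_base_dn", "username", "password"):
        if not cfg.get(key):
            problems.append(f"{key} must not be empty")
    domain = cfg.get("domain_name", "")
    if not domain:
        problems.append("domain_name must not be empty")
    elif is_ip_address(domain):
        problems.append("domain_name must be an FQDN, not an IP address")
    try:
        scheme, _, _ = parse_ldap_url(cfg.get("primary_url", ""))
    except ValueError as exc:
        problems.append(f"primary_url: {exc}")
    else:
        if scheme == "ldaps" and not cfg.get("ca_cert_file"):
            problems.append("primary_url uses ldaps:// so a trust certificate is required")
    return problems


def probe_endpoint(url, ca_cert_file=None, timeout=5.0):
    """Open a TCP connection to the URL; for ldaps:// also complete a TLS
    handshake that verifies the server certificate against ca_cert_file.
    Returns (ok, detail). DNS failures and TLS errors are all OSError."""
    scheme, host, port = parse_ldap_url(url)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            if scheme == "ldap":
                return True, f"TCP {host}:{port} reachable"
            ctx = ssl.create_default_context(cafile=ca_cert_file)
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return True, f"LDAPS {host}:{port} trusted ({tls.version()})"
    except OSError as exc:
        return False, f"{scheme}://{host}:{port}: {exc}"


if __name__ == "__main__":
    # Constructed sample settings; replace every value with your own.
    settings = {
        "domain_name": "example.com",
        "users_base_dn": "DC=example,DC=com",
        "groups_base_dn": "DC=example,DC=com",
        "primary_url": "ldaps://dc1.example.com",
        "secondary_url": "ldaps://dc2.example.com",
        "ca_cert_file": "/path/to/ad-ldaps-ca.pem",  # placeholder path
        "username": "svc-vcenter-ldap@example.com",
        "password": "<placeholder>",
    }
    for line in validate_identity_source(settings) or ["settings look consistent"]:
        print(line)
    for url in (settings["primary_url"], settings["secondary_url"]):
        print(*probe_endpoint(url, settings["ca_cert_file"]))
```

The validation part runs offline; the probe needs the connectivity and DNS forwarding from the prerequisites, and a failed LDAPS handshake with your CA file means the certificate you plan to select with Choose certificate does not establish trust for that endpoint.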
What's next
For more information about SSO identity sources, see the following vSphere and NSX-T Data Center documentation: