Configuring authentication using Active Directory

You can configure vCenter and NSX in Google Cloud VMware Engine to use your on-premises Active Directory as an LDAP or LDAPS identity source for user authentication. Once setup is complete, you can provide access to vCenter and NSX Manager and assign required roles for managing your private cloud.

Before you begin

The steps in this document assume that you first do the following:

The following table lists the information you need when setting up your on-premises Active Directory domain as an SSO identity source on vCenter and NSX. Gather the following information before setting up SSO identity sources:

Base DN for users: The base distinguished name for users.

Domain name: The FQDN of the domain, for example, example.com. Don't provide an IP address in this field.

Domain alias: The domain NetBIOS name. If you use SSPI authentication, add the NetBIOS name of the Active Directory domain as an alias of the identity source.

Base DN for groups: The base distinguished name for groups.

Primary server URL: The primary domain controller LDAP server for the domain. Use the format ldap://hostname:port or ldaps://hostname:port. The port is typically 389 for LDAP connections and 636 for LDAPS connections. For Active Directory multi-domain controller deployments, the port is typically 3268 for LDAP and 3269 for LDAPS. A certificate that establishes trust for the LDAPS endpoint of the Active Directory server is required when you use ldaps:// in the primary or secondary LDAP URL.

Secondary server URL: The address of a secondary domain controller LDAP server that is used for failover.

Choose certificate: To use LDAPS with your Active Directory LDAP server or OpenLDAP server identity source, click the Choose certificate button that appears after you type ldaps:// in the URL field. A secondary server URL isn't required.

Username: The ID of a user in the domain who has a minimum of read-only access to the base DN for users and groups.

Password: The password of the user who is specified by Username.
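The rules in the table above (FQDN rather than IP address for the domain name, ldap:// or ldaps:// URLs with an explicit port, a trust certificate whenever ldaps:// is used, a read-only bind account) are easy to get wrong in a wizard and hard to see afterwards. The following Python script is an added example, not code from Google Cloud VMware Engine, vCenter or NSX; it checks a proposed identity source against those rules before you enter it. The host names, DNs and the service account name are constructed placeholders.

```python
"""Preflight validation of Active Directory identity source parameters.

Added example; it is not part of Google Cloud VMware Engine, vCenter or NSX.
It encodes the rules from the parameter table so that a configuration can be
checked before it is typed into the vCenter or NSX wizard.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Ports the table calls typical: LDAP 389 (3268 for the global catalog),
# LDAPS 636 (3269 for the global catalog).
EXPECTED_PORTS = {"ldap": {389, 3268}, "ldaps": {636, 3269}}


@dataclass
class IdentitySource:
    domain_name: str
    domain_alias: str
    base_dn_users: str
    base_dn_groups: str
    primary_url: str
    username: str
    password: str
    secondary_url: Optional[str] = None
    has_certificate: bool = False  # a trust certificate was chosen for LDAPS


def parse_ldap_url(url: str) -> Tuple[str, str, int]:
    """Return (scheme, host, port) for an ldap://host:port or ldaps://host:port URL."""
    parts = urlsplit(url)
    if parts.scheme not in EXPECTED_PORTS:
        raise ValueError(f"must start with ldap:// or ldaps://, got {url!r}")
    if not parts.hostname:
        raise ValueError(f"no host name in {url!r}")
    if parts.path or parts.query or parts.fragment:
        raise ValueError(f"only scheme://host:port is allowed, got {url!r}")
    port = parts.port  # raises ValueError when the port is not a valid number
    if port is None:
        raise ValueError(f"port is missing in {url!r}")
    return parts.scheme, parts.hostname, port


def _is_ip_address(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def validate_identity_source(src: IdentitySource) -> List[str]:
    """Return a list of problems; an empty list means the parameters pass."""
    problems: List[str] = []

    # Domain name must be the FQDN of the domain, never an IP address.
    if _is_ip_address(src.domain_name):
        problems.append("Domain name must be an FQDN, not an IP address")
    elif "." not in src.domain_name:
        problems.append("Domain name should be fully qualified, for example example.com")

    # A distinguished name is a sequence of attribute=value pairs.
    for label, dn in (("Base DN for users", src.base_dn_users),
                      ("Base DN for groups", src.base_dn_groups)):
        if "=" not in dn:
            problems.append(f"{label} does not look like a distinguished name: {dn!r}")

    # Server URLs: scheme and shape, typical port, and a trust certificate
    # whenever ldaps:// appears in either URL.
    urls = [("Primary server URL", src.primary_url)]
    if src.secondary_url:
        urls.append(("Secondary server URL", src.secondary_url))
    needs_certificate = False
    for label, url in urls:
        try:
            scheme, _host, port = parse_ldap_url(url)
        except ValueError as exc:
            problems.append(f"{label}: {exc}")
            continue
        if scheme == "ldaps":
            needs_certificate = True
        if port not in EXPECTED_PORTS[scheme]:
            problems.append(f"{label}: port {port} is unusual for {scheme} "
                            f"(typically one of {sorted(EXPECTED_PORTS[scheme])})")
    if needs_certificate and not src.has_certificate:
        problems.append("ldaps:// is used, so a certificate that establishes trust "
                        "for the LDAPS endpoint must be chosen")

    # The bind account only needs read access to the base DNs, but it must be set.
    if not src.username or not src.password:
        problems.append("Username and Password of a read-only domain account are required")
    return problems


if __name__ == "__main__":
    # Constructed sample configuration (placeholders, not a real environment).
    sample = IdentitySource(
        domain_name="example.com", domain_alias="EXAMPLE",
        base_dn_users="OU=Users,DC=example,DC=com",
        base_dn_groups="OU=Groups,DC=example,DC=com",
        primary_url="ldaps://dc1.example.com:636",
        secondary_url="ldaps://dc2.example.com:636",
        username="svc-vcenter-ldap", password="<placeholder>", has_certificate=True,
    )
    for problem in validate_identity_source(sample) or ["OK: parameters pass"]:
        print(problem)
```

An unusual port is reported rather than rejected, because the table only says which ports are typical; a missing certificate for an ldaps:// URL is reported as a problem because the table states it is required.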

Add an identity source on vCenter

  1. Sign in to the vCenter for your private cloud using a solution user account.
  2. Select Home > Administration.
  3. Select Single Sign On > Configuration.
  4. Open the Identity Sources tab and click +Add to add a new identity source.
  5. Select Active Directory as an LDAP Server, and click Next.
  6. Specify the identity source parameters for your environment, and click Next.
  7. Review the settings, and click Finish.

Add an identity source on NSX

  1. Sign in to NSX Manager in your private cloud.
  2. Go to System > Settings > Users and Roles > LDAP.
  3. Click Add identity source.
  4. In the Name field, enter a display name for the identity source.
  5. Specify the Domain Name and Base DN of your identity source.
  6. In the Type column, select Active Directory over LDAP.
  7. In the LDAP Servers column, click Set.
  8. In the Set LDAP Server window, click Add LDAP Server.
  9. Specify the LDAP server parameters and click Check status to verify the connection from NSX Manager to your LDAP server.
  10. Click Add to add the LDAP server.
  11. Click Apply and then click Save.

Ports required for using on-premises Active Directory as an identity source

The ports listed in the following table are required to configure your on-premises Active Directory as an identity source on the private cloud vCenter.

53 (UDP)
  Source: Private cloud DNS servers
  Destination: On-premises DNS servers
  Purpose: Required for forwarding DNS lookups of on-premises Active Directory domain names from a private cloud vCenter server to an on-premises DNS server.

389 (TCP/UDP)
  Source: Private cloud management network
  Destination: On-premises Active Directory domain controllers
  Purpose: Required for LDAP communication from a private cloud vCenter server to Active Directory domain controllers for user authentication.

636 (TCP)
  Source: Private cloud management network
  Destination: On-premises Active Directory domain controllers
  Purpose: Required for secure LDAP (LDAPS) communication from a private cloud vCenter server to Active Directory domain controllers for user authentication.

3268 (TCP)
  Source: Private cloud management network
  Destination: On-premises Active Directory global catalog servers
  Purpose: Required for LDAP communication in multi-domain controller deployments.

3269 (TCP)
  Source: Private cloud management network
  Destination: On-premises Active Directory global catalog servers
  Purpose: Required for LDAPS communication in multi-domain controller deployments.

8000 (TCP)
  Source: Private cloud management network
  Destination: On-premises network
  Purpose: Required for vMotion of virtual machines from the private cloud network to the on-premises network.
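A firewall or routing gap on any of the ports above shows up later as a failed Check status in NSX or an identity source that silently stops authenticating. The following Python script is an added example, not a Google Cloud VMware Engine tool; run from a host on the private cloud management network, it probes each required destination and reports what does not answer. TCP ports are checked with a plain connect, and 53/UDP is checked with a minimal DNS A query for the Active Directory domain name (389/UDP is not probed). The host names are constructed placeholders.

```python
"""Reachability check for the required on-premises ports.

Added example, not part of Google Cloud VMware Engine. Run it from the
private cloud management network; it reports required destinations that
do not answer. Host names below are constructed placeholders.
"""
import os
import socket
import struct
from typing import Callable, Dict, List, Optional, Tuple

# One entry per table row: destination group -> [(port, protocol, purpose)].
REQUIRED_PORTS: Dict[str, List[Tuple[int, str, str]]] = {
    "dns_servers": [(53, "udp", "DNS forwarding of Active Directory domain names")],
    "domain_controllers": [(389, "tcp", "LDAP"), (636, "tcp", "LDAPS")],
    "global_catalog_servers": [(3268, "tcp", "LDAP to global catalog"),
                               (3269, "tcp", "LDAPS to global catalog")],
    "on_premises_network": [(8000, "tcp", "vMotion")],
}


def tcp_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """True when a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # includes name resolution failures and timeouts
        return False


def build_dns_query(name: str, txid: int) -> bytes:
    """Minimal RFC 1035 query: header, QNAME labels, QTYPE A, QCLASS IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    labels = b"".join(bytes([len(label)]) + label.encode("ascii")
                      for label in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)


def dns_reply_ok(reply: Optional[bytes], txid: int) -> bool:
    """True when the reply carries our id, the QR bit, and RCODE 0 (no error)."""
    if reply is None or len(reply) < 12:
        return False
    rid, flags = struct.unpack("!HH", reply[:4])
    return rid == txid and bool(flags & 0x8000) and (flags & 0x000F) == 0


def udp_exchange(host: str, port: int, payload: bytes, timeout: float) -> Optional[bytes]:
    """Send one datagram and return the first reply, or None on timeout/error."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(payload, (host, port))
            return sock.recvfrom(512)[0]
        except OSError:
            return None


def dns_answers(domain_name: str, server: str, timeout: float = 3.0) -> bool:
    """True when `server` answers an A query for `domain_name` without error."""
    txid = int.from_bytes(os.urandom(2), "big")
    reply = udp_exchange(server, 53, build_dns_query(domain_name, txid), timeout)
    return dns_reply_ok(reply, txid)


def check_ports(targets: Dict[str, List[str]], domain_name: str,
                tcp_probe: Callable[[str, int], bool] = tcp_open,
                dns_probe: Optional[Callable[[str], bool]] = None) -> List[str]:
    """`targets` maps a group from REQUIRED_PORTS to its hosts; returns failures."""
    if dns_probe is None:
        dns_probe = lambda server: dns_answers(domain_name, server)
    failures: List[str] = []
    for group, hosts in targets.items():
        for port, proto, purpose in REQUIRED_PORTS.get(group, []):
            for host in hosts:
                ok = dns_probe(host) if proto == "udp" else tcp_probe(host, port)
                if not ok:
                    failures.append(f"{host}:{port}/{proto} ({purpose}) unreachable")
    return failures


if __name__ == "__main__":
    # Constructed placeholders; replace with your on-premises hosts.
    targets = {
        "dns_servers": ["dns1.example.com"],
        "domain_controllers": ["dc1.example.com", "dc2.example.com"],
        "global_catalog_servers": ["gc1.example.com"],
        "on_premises_network": ["esxi-onprem.example.com"],
    }
    for line in check_ports(targets, "example.com") or ["OK: all required ports reachable"]:
        print(line)
```

The probes are injectable so the report logic can be exercised without network access; a successful TCP connect proves only that the path and port are open, not that the directory will accept the bind account, so it complements rather than replaces the Check status step in NSX.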

What's next

For more information about SSO identity sources, see the following vSphere and NSX Data Center documentation:
