Configuring authentication using Active Directory
You can configure vCenter and NSX in Google Cloud VMware Engine to use your on-premises Active Directory as an LDAP or LDAPS identity source for user authentication. Once setup is complete, you can provide access to vCenter and NSX Manager and assign required roles for managing your private cloud.
Before you begin
The steps in this document assume that you first do the following:
- Establish connectivity from your on-premises network to your private cloud
- Enable DNS name resolution of your on-premises Active Directory:
- For Legacy VMware Engine Networks: Enable DNS name resolution of your on-premises Active Directory by creating DNS forwarding rules in your private cloud.
- For Standard VMware Engine Networks: Enable DNS name resolution of your on-premises Active Directory by configuring DNS bindings to your VMware Engine network.
The following table lists the information you need when setting up your on-premises Active Directory domain as an SSO identity source on vCenter and NSX. Gather the following information before setting up SSO identity sources:
| Information | Description |
|---|---|
| Base DN for users | The base distinguished name for users. |
| Domain name | The FQDN of the domain, for example, example.com. Don't
provide an IP address in this field. |
| Domain alias | The domain NetBIOS name. If you use SSPI authentication, add the NetBIOS name of the Active Directory domain as an alias of the identity source. |
| Base DN for groups | The base distinguished name for groups. |
| Primary server URL |
The primary domain controller LDAP server for the domain. Use the format A certificate that establishes trust for the LDAPS endpoint of the
Active Directory server is required when you use |
| Secondary server URL | The address of a secondary domain controller LDAP server that is used for failover. |
| Choose certificate | To use LDAPS with your Active Directory LDAP server or OpenLDAP server
identity source, click the Choose certificate button that appears
after you type ldaps:// in the URL field. A secondary
server URL isn't required. |
| Username | The ID of a user in the domain who has a minimum of read-only access to the base DN for users and groups. |
| Password | The password of the user who is specified by Username. |
Add an identity source on vCenter
- Sign in to the vCenter for your private cloud using a solution user account.
- Select Home > Administration.
- Select Single Sign On > Configuration.
- Open the Identity Sources tab and click +Add to add a new identity source.
- Select Active Directory as an LDAP Server, and click Next.
- Specify the identity source parameters for your environment, and click Next.
- Review the settings, and click Finish.
Add an identity source on NSX
- Sign in to NSX Manager in your private cloud.
- Go to System > Settings > Users and Roles > LDAP.
- Click Add identity source.
- In the Name field, enter a display name for the identity source.
- Specify the Domain Name and Base DN of your identity source.
- In the Type column, select Active Directory over LDAP.
- In the LDAP Servers column, click Set .
- In the Set LDAP Server window, click Add LDAP Server.
- Specify the LDAP server parameters and click Check status to verify the connection from NSX manager to your LDAP server.
- Click Add to add the LDAP server.
- Click Apply and then click Save.
Ports required for using on-premises Active Directory as an identity source
The ports listed in the following table are required to configure your on-premises Active Directory as an identity source on the private cloud vCenter.
| Port | Source | Destination | Purpose |
|---|---|---|---|
| 53 (UDP) | Private cloud DNS servers | On-premises DNS servers | Required for forwarding DNS lookup of on-premises Active Directory domain names from a private cloud vCenter server to an on-premises DNS server. |
| 389 (TCP/UDP) | Private cloud management network | On-premises Active Directory domain controllers | Required for LDAP communication from a private cloud vCenter server to Active Directory domain controllers for user authentication. |
| 636 (TCP) | Private cloud management network | On-premises Active Directory domain controllers | Required for secure LDAP (LDAPS) communication from a private cloud vCenter server to Active Directory domain controllers for user authentication. |
| 3268 (TCP) | Private cloud management network | On-premises Active Directory global catalog servers | Required for LDAP communication in multi-domain controller deployments. |
| 3269 (TCP) | Private cloud management network | On-premises Active Directory global catalog servers | Required for LDAPS communication in multi-domain controller deployments. |
| 8000 (TCP) | Private cloud management network | On-premises network | Required for vMotion of virtual machines from the private cloud network to the on-premises network. |
What's next
For more information about SSO identity sources, see the following vSphere and NSX Data Center documentation: