Every Friday we have an informal meeting with peoples from VMware PS: Architect, Sr Consultant and Consultant but also TAM and Project manager as well and today we spoke about the depreciation of IWA with vCenter 7 and so the necessity to move to AD FS for upcoming release :
Deprecation of Integrated Windows Authentication
Integrated Windows Authentication (IWA) is deprecated in vSphere 7.0 and will be removed in a future release. For more information, see VMware Knowledge Base article 78506
So we started to have look about how to move from IWA to AD FS and for this I deployed a brand new vCenter 7 on my own labs as many questions arise : How other applications will deal with this change (I mainly thought to Horizon and App Volumes Manager) but also could we still connect using the local vsphere.local domain. Spoiler : Yes it works for both (external apps and using local account)
Now let see how to configure this 🙂
First ensure you have added your AD FS root certificate in the vCenter trust store
![](https://my-virt.alfadir.net/wp-content/uploads/2021/01/image.png)
Secondly we need to retrieve the URI from the vCenter :
Go to Menu \ Administration then Single Sign On \ Configuration
Click the “i” right to “Change Identity Provider” and copy / past information or keep this page open
![](https://my-virt.alfadir.net/wp-content/uploads/2021/01/image-1.png)
Now go to you ADFS server, open the AD FS Console and after doing a “right click” on Application Group, select “Add Application Group…“
![](https://my-virt.alfadir.net/wp-content/uploads/2021/01/image-2.png)
Select “Server application accessing a web API”
![](https://my-virt.alfadir.net/wp-content/uploads/2021/01/image-3.png)
Copy and past in Notepad the “Client Identifier“
Copy and past both URI from the vCenter to “Redirect URI“
![](https://my-virt.alfadir.net/wp-content/uploads/2021/01/image-4.png)
Click “Generate a shared secret” and copy/past the secret to Notepad
![](https://my-virt.alfadir.net/wp-content/uploads/2021/01/image-5.png)
Type a name and past the Identifier you copied to Notepad few steps before:
![](https://my-virt.alfadir.net/wp-content/uploads/2021/01/image-6.png)
Select “Permit Everyone“
![](https://my-virt.alfadir.net/wp-content/uploads/2021/01/image-7.png)
Check “allatclaims” and verify “openid” is already checked
![](https://my-virt.alfadir.net/wp-content/uploads/2021/01/image-8.png)
Control every thing is ok and click Next to complete the wizard
![](https://my-virt.alfadir.net/wp-content/uploads/2021/01/image-9.png)
Now we have few change to perform so vCenter will be able to understand what is sent to him and so authenticate your users:
Right click on your vCenter application group and select “Properties“
![](https://my-virt.alfadir.net/wp-content/uploads/2021/01/image-10.png)
Select the Web-API and click Edit
Select tap “Insuance Transform Rules“
Click “Add Rules“
![](https://my-virt.alfadir.net/wp-content/uploads/2021/01/image-11.png)
Give a name like “AD Group with Qualified Long Name“
Select “Active Directory” as Attribute Store
Select “Token-Groups – Qualified by Long Domain Name” as LDAP Attribute
Select “Group” as Outgoing Claim Type
Click OK
![](https://my-virt.alfadir.net/wp-content/uploads/2021/01/image-12.png)
Add another rule :
Give a name like “Subject Claim“
Select “Active Directory” as Attribute Store
Select “User-Principal-Name” as LDAP Attribute
Select “Name ID” as Outgoing Claim Type
Click OK
![](https://my-virt.alfadir.net/wp-content/uploads/2021/01/image-13.png)
And finally add a third rule :
Give a name like “User Principal Name“
Select “Active Directory” as Attribute Store
Select “User-Principal-Name” as LDAP Attribute
Select “UPN” as Outgoing Claim Type
Click OK
![](https://my-virt.alfadir.net/wp-content/uploads/2021/01/image-14.png)
That is for AD FS no let’s come back to your vCenter
Go to Menu \ Administration then Single Sign On \ Configuration
Click “Change Identity Manager“
![](https://my-virt.alfadir.net/wp-content/uploads/2021/01/image-15-1024x245.png)
Select “Microsoft ADFS“
![](https://my-virt.alfadir.net/wp-content/uploads/2021/01/image-16.png)
Copy your “Client Identifier” from AD FS
Copy your “Shared secret” from AD FS
Specify the OpenID Address who should be : https://<federation_fqdn>/.well-known/openid-configuration
![](https://my-virt.alfadir.net/wp-content/uploads/2021/01/image-18.png)
File information about the LDAP configuration
![](https://my-virt.alfadir.net/wp-content/uploads/2021/01/image-19-1024x632.png)
Check everything is fine and click Finish
![](https://my-virt.alfadir.net/wp-content/uploads/2021/01/image-20-1024x632.png)
Now go to Menu \ Administration then Single Sign On \ Users and Groups \ Groups
Click “Add” to add a group
Give a name to your group
In Add Members, select “Microsoft ADFS“
Type the first letters of the group, it should find it
Click “Add“
![](https://my-virt.alfadir.net/wp-content/uploads/2021/01/image-21.png)
Now go to Menu \ Administration then Access Control \ Global Permissions
Click “+“
Select Microsoft ADFS in “Domain”
Select your group in “User / Group”
Select the role you want to set for this group
![](https://my-virt.alfadir.net/wp-content/uploads/2021/01/image-23.png)
You can log in using your AD FS Account 🙂
As I wrote before : no issue with Horizon :
![](https://my-virt.alfadir.net/wp-content/uploads/2021/01/image-24-1024x122.png)
Or with App Volumes
![](https://my-virt.alfadir.net/wp-content/uploads/2021/01/image-25.png)
Recent Comments