Eric Monjoin
Staff Consulting Architect but also pilot, spending time in front of my computer or flying in the air...

vCenter 7 – Depreciation of IWA…

Every Friday we have an informal meeting with peoples from VMware PS: Architect, Sr Consultant and Consultant but also TAM and Project manager as well and today we spoke about the depreciation of IWA with vCenter 7 and so the necessity to move to AD FS for upcoming release :

Deprecation of Integrated Windows Authentication

Integrated Windows Authentication (IWA) is deprecated in vSphere 7.0 and will be removed in a future release. For more information, see VMware Knowledge Base article 78506

So we started to have look about how to move from IWA to AD FS and for this I deployed a brand new vCenter 7 on my own labs as many questions arise : How other applications will deal with this change (I mainly thought to Horizon and App Volumes Manager) but also could we still connect using the local vsphere.local domain. Spoiler : Yes it works for both (external apps and using local account)

Now let see how to configure this 🙂

First ensure you have added your AD FS root certificate in the vCenter trust store

Secondly we need to retrieve the URI from the vCenter :
Go to Menu \ Administration then Single Sign On \ Configuration
Click the “i” right to “Change Identity Provider” and copy / past information or keep this page open

Now go to you ADFS server, open the AD FS Console and after doing a “right click” on Application Group, select “Add Application Group…

Select “Server application accessing a web API”

Copy and past in Notepad the “Client Identifier
Copy and past both URI from the vCenter to “Redirect URI

Click “Generate a shared secret” and copy/past the secret to Notepad

Type a name and past the Identifier you copied to Notepad few steps before:

Select “Permit Everyone

Check “allatclaims” and verify “openid” is already checked

Control every thing is ok and click Next to complete the wizard

Now we have few change to perform so vCenter will be able to understand what is sent to him and so authenticate your users:
Right click on your vCenter application group and select “Properties

Select the Web-API and click Edit
Select tap “Insuance Transform Rules
Click “Add Rules

Give a name like “AD Group with Qualified Long Name
Select “Active Directory” as Attribute Store
Select “Token-Groups – Qualified by Long Domain Name” as LDAP Attribute
Select “Group” as Outgoing Claim Type
Click OK

Add another rule :
Give a name like “Subject Claim
Select “Active Directory” as Attribute Store
Select “User-Principal-Name” as LDAP Attribute
Select “Name ID” as Outgoing Claim Type
Click OK

And finally add a third rule :
Give a name like “User Principal Name
Select “Active Directory” as Attribute Store
Select “User-Principal-Name” as LDAP Attribute
Select “UPN” as Outgoing Claim Type
Click OK

That is for AD FS no let’s come back to your vCenter
Go to Menu \ Administration then Single Sign On \ Configuration
Click “Change Identity Manager

Select “Microsoft ADFS

Copy your “Client Identifier” from AD FS
Copy your “Shared secret” from AD FS
Specify the OpenID Address who should be : https://<federation_fqdn>/.well-known/openid-configuration

File information about the LDAP configuration

Check everything is fine and click Finish

Now go to Menu \ Administration then Single Sign On \ Users and Groups \ Groups
Click “Add” to add a group
Give a name to your group
In Add Members, select “Microsoft ADFS
Type the first letters of the group, it should find it
Click “Add

Now go to Menu \ Administration then Access Control \ Global Permissions
Click “+
Select Microsoft ADFS in “Domain”
Select your group in “User / Group”
Select the role you want to set for this group

You can log in using your AD FS Account 🙂

As I wrote before : no issue with Horizon :

Or with App Volumes

You may also like...

Leave a Reply

Your email address will not be published.