In vSphere 6.5 the underlying operating system of the vCenter Server Appliance (vCSA) has been changed to VMware's Photon OS. With the new OS you can still join an Active Directory domain, either to comply with company policies or to use Windows session authentication. Joining an Active Directory domain is part of the infrastructure node configuration, which belongs to the Platform Services Controller. Verify the standard AD requirements, such as time synchronization and DNS naming, before joining a domain.
If you want to log in with the "Windows session authentication" checkbox, you have to add the appliance running the Platform Services Controller (PSC) to the domain. For embedded deployments, join the appliance running both the vCenter Server and the PSC to the domain.
Join AD Domain with the vSphere Web Client
- Open vSphere Web Client (https://[vcenter]/vsphere-client)
- Log in as Single Sign-On administrator or as a user with global permissions.
- Navigate to Administration > Deployment > System Configuration
- Open Nodes and select the vCenter or external PSC
- Navigate to Manage > Settings > Advanced > Active Directory and click Join...
- Enter AD domain information
- Press OK
- The configured domain does not show up immediately; you have to reboot the appliance first.
Hint: You can reboot infrastructure nodes from the context menu.
When the appliance is back online, it is part of the Active Directory domain.
Join AD Domain from the Command Line
- (optional) Enable SSH login:
vSphere Web Client > Administration > Deployment > System Configuration > Nodes > Manage > Settings > Access
- Connect to the vCenter Server Appliance with SSH
- Activate the bash shell:
Command> shell
- Use the domainjoin-cli tool to join the domain. The password argument is optional; if you omit it, domainjoin-cli prompts for the password, which keeps it out of the shell history and the process list:
# /opt/likewise/bin/domainjoin-cli join [domain] [user name] [password]
- Reboot the appliance
# reboot
When the appliance is back online, it is part of the Active Directory domain.
Verify Domain Status
Verify domain status from the domain controller
Verify domain status with the vSphere Web Client
Verify domain status from vCSA command line:
# /opt/likewise/bin/domainjoin-cli query
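The following script is added here as an example; it is not part of the original post or of VMware's tooling. It wraps the command-line join and the verification step into one run. It assumes the bash shell of a vCSA 6.5 on Photon OS, the Likewise tools under /opt/likewise/bin, a `host` binary for the DNS lookup, and that `domainjoin-cli query` reports membership on a `Domain = ...` line; the hostname `vcsa01`, the domain `example.local` and the account `svc-vcjoin` used below are made up. Before joining, it checks that the domain's `_ldap._tcp.dc._msdcs` SRV record resolves from the appliance (the naming prerequisite mentioned at the top), and it leaves out the password argument so that domainjoin-cli prompts for it instead of exposing it in the shell history.

```shell
#!/bin/bash
# Added example, not part of the original post: scripts the command-line
# join described above and verifies the result with domainjoin-cli query.
# Assumptions: run from the bash shell of the vCSA 6.5 (Photon OS), Likewise
# tools in /opt/likewise/bin, and a `host` binary available for the DNS check.
set -u

LIKEWISE_BIN=${LIKEWISE_BIN:-/opt/likewise/bin}

# Pull the "Domain = ..." value out of `domainjoin-cli query` output
# (assumed format). Prints an empty string when the appliance is not joined.
domain_from_query() {
    printf '%s\n' "$1" | sed -n 's/^Domain[[:space:]]*=[[:space:]]*//p' | head -n 1
}

# Succeeds when the query output reports membership in the expected domain.
# The comparison is case-insensitive because AD reports the realm upper-cased.
is_joined_to() {
    local expected current
    expected=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    current=$(domain_from_query "$2" | tr '[:lower:]' '[:upper:]')
    [ -n "$current" ] && [ "$current" = "$expected" ]
}

# Kerberos locates domain controllers through the _ldap._tcp.dc._msdcs SRV
# record; if the appliance cannot resolve it, the join fails before any
# credential is sent. This is the "naming" prerequisite from the post.
check_dc_srv() {
    host -t SRV "_ldap._tcp.dc._msdcs.$1" >/dev/null 2>&1
}

# Join the domain. The password argument is deliberately omitted so that
# domainjoin-cli prompts for it; passing it on the command line would leave
# it in the shell history and visible in `ps` while the join runs.
# Quoting "$user" also keeps special characters in the account name intact.
join_domain() {
    local domain=$1 user=$2
    "$LIKEWISE_BIN/domainjoin-cli" join "$domain" "$user"
}

main() {
    local domain=$1 user=$2 output
    if ! check_dc_srv "$domain"; then
        echo "cannot resolve the DC SRV record for $domain; fix DNS first" >&2
        return 2
    fi
    join_domain "$domain" "$user" || return 3
    output=$("$LIKEWISE_BIN/domainjoin-cli" query)
    if is_joined_to "$domain" "$output"; then
        echo "joined $domain; reboot the appliance to finish"
        return 0
    fi
    echo "domainjoin-cli query does not report $domain:" >&2
    printf '%s\n' "$output" >&2
    return 4
}

# Usage: ./vcsa-join.sh example.local svc-vcjoin
if [ "$#" -ge 2 ]; then
    main "$@"
fi
```

Run it as `./vcsa-join.sh example.local svc-vcjoin`, enter the password at the prompt, and reboot the appliance once it reports success. A non-zero exit code tells you which stage failed: 2 for DNS, 3 for the join itself, 4 when the query output does not show the expected domain.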
Joining the VCSA to Active Directory is not required in order to use Windows Session Authentication. Did you find this in the documentation or a KB?
That's interesting. It never worked for me without joining the domain, and it is listed as a prerequisite here.
You have to join the PSC to AD - not the vCenter Server. If you're running an embedded PSC well then by joining the machine (Windows or VCSA) to the domain you are also joining vCenter Server to the domain. But, if you're running an external PSC you don't need to also join the machine vCenter Server is running on. Does that make sense?
Yes, absolutely. I thought we were talking about embedded deployments.
I think that clarification at the top of the post that you are talking about an embedded deployment would be valuable. I didn't see anywhere that you were specifically talking about embedded.
I've updated the post to distinguish between embedded and external configurations.
Hi Adam
We are running vSphere 6.5 U1C. Two external PSCs in each site with two vCenter Servers in each site.
Can you please verify that we only need to add the PSCs to the domain? I did both the vCSAs and the PSCs. Will this cause us any issues? Should I back out and set the vCSA back so it is not set up using AD as integrated source?
Hi,
I have deployed two VCSAs with two external PSCs, and when I open VCSA01 in the web client I can see only one VCSA, but when I open the web client for VCSA02, I can see both VCSAs there. I did all the troubleshooting but no luck; I logged a case with VMware, still no solution.
There is a bug that matches this description. If you reboot VCSA01 it should fix the issue.
I am having an issue attempting to join a v U1 PSC to the domain.
I get the following error:
Error: LW_ERROR_KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN [code 0x0000a309]
Client not found in Kerberos database
I am using a service account which I have checked exists, and this is a brand new 2012 AD and a brand new v6.5 U1 PSC.
I did have this problem when the account with which I was joining my PSC didn't have the right domain. We have users with domain @company.com but the domain is @company.loc.
I had this problem as well. Turns out I had to surround the username with ' as it had a special character in it.