VMware vMA authentication methods
November 28, 2012. Posted by vbry21 in VCAP5-DCA, VMware Training.
Tags: vCAP-DCA, vMA, VMware
As part of the preparation for the VCAP5-DCA exam and also as part of teaching the VMware vSphere Optimize and Scale course, I’ve been looking at managing an ESXi host and vCenter through VMware’s vMA (vSphere Management Assistant).
The command structure can become quite tedious.
For example, listing network cards without using an authentication method looks like this:
vicfg-nics --server esxi01a.qavdc.com --username root --password P@ssw0rd -l
However, vMA does support vMA authentication.
The vMA authentication interface enables users and applications to authenticate with the target servers by using vi-fastpass or Active Directory (AD). While adding a server as a target, the administrator can determine whether the target must use vi-fastpass or AD authentication. For vi-fastpass authentication, the credentials that a user has on the vCenter Server system or ESXi host are stored in a local credential store. For AD authentication, the user is authenticated with an AD server.
When you add an ESXi host as a fastpass target server, vi-fastpass creates two users with obfuscated passwords on the target server and stores the password information on vMA:
vi-admin with administrator privileges
vi-user with read-only privileges
The creation of vi-admin and vi-user does not apply to AD authentication targets. When you add a system as an AD target, vMA does not store information about the credentials. To use AD authentication, the administrator must configure vMA for AD.
Configure vMA for Active Directory authentication so that ESXi hosts and vCenter Server systems added to Active Directory can be added to vMA. Joining the vMA to Active Directory prevents you from having to store the passwords in the vMA credential store. This approach is a more secure way of adding targets to vMA.
Ensure that the DNS server configured for vMA is the same as the DNS server of the domain. You can change the DNS server by using the vMA Console or the Web UI.
Ensure that the domain is accessible from vMA. Ensure that you can ping the ESXi and vCenter Server systems that you want to add to vMA. Ensure also that pinging resolves the IP address to the target server's domain.
To add vMA to a domain:
From the vMA console, run the following command:
sudo domainjoin-cli join <domain_name> <domain_admin_user>
When prompted, provide the Active Directory administrator’s password.
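The join step above, followed by adding a target under either policy, as an added example that is not part of the original post: a small script that prints the vMA session for one target rather than running it. The `vifp`, `vifptarget` and `domainjoin-cli query` invocations come from the vMA command set, not from this post, and the values in angle brackets are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Prints the vMA session for one
# target; it runs nothing itself. <...> values are placeholders to fill in.

# Succeed only when the target FQDN ends in ".<domain>" (case-insensitive),
# mirroring the post's check that the name resolves inside the joined domain.
fqdn_in_domain() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    domain=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$host" in
        *."$domain") return 0 ;;
        *) return 1 ;;
    esac
}

# plan <target_fqdn> <ad_domain> <adauth|fpauth>
plan() {
    target=$1 ad_domain=$2 policy=$3
    case "$policy" in
        adauth)
            # AD targets: vMA stores no credentials, but must be domain-joined
            # and the target must be in that domain.
            if ! fqdn_in_domain "$target" "$ad_domain"; then
                echo "refusing: $target is not in $ad_domain" >&2
                return 1
            fi
            printf '%s\n' \
                "sudo domainjoin-cli join $ad_domain <domain_admin_user>" \
                "sudo domainjoin-cli query" \
                "vifp addserver $target --authpolicy adauth --username '<AD_DOMAIN>\\<user>'"
            ;;
        fpauth)
            # fastpass targets: vifp prompts once for the host's credentials,
            # then creates vi-admin/vi-user and keeps them in the local store.
            printf '%s\n' "vifp addserver $target --authpolicy fpauth"
            ;;
        *)
            echo "unknown policy: $policy (use adauth or fpauth)" >&2
            return 2
            ;;
    esac
    # Either way, later commands carry no --username/--password.
    printf '%s\n' "vifp listservers --long" "vifptarget -s $target" "vicfg-nics -l"
}

if [ "$#" -eq 3 ]; then plan "$@"; fi
```

Run it as `sh plan.sh esxi01a.qavdc.com qavdc.com adauth` (the file name is arbitrary) to get the command sequence for the host used earlier in the post.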
For further information, read VMware’s vMA product documentation.