VMware vMA authentication methods
November 28, 2012. Posted by vbry21 in VCAP5-DCA, VMware Training.
Tags: vCAP-DCA, vMA, VMware
As part of the preparation for the VCAP5-DCA exam and also as part of teaching the VMware vSphere Optimize and Scale course I’ve been looking at managing an ESXi host and vCenter through VMware’s vMA (vSphere Management Assistant).
The command structure can become quite tedious.
For example, listing a host's network cards without a configured authentication method looks like this:
vicfg-nics --server esxi01a.qavdc.com --username root --password P@ssw0rd -l
However, vMA does support its own authentication methods, so the credentials do not have to be passed on every command.
The vMA authentication interface enables users and applications to authenticate with the target servers by using vi-fastpass or Active Directory (AD). While adding a server as a target, the administrator can determine whether the target must use vi-fastpass or AD authentication. For vi-fastpass authentication, the credentials that a user has on the vCenter Server system or ESXi host are stored in a local credential store. For AD authentication, the user is authenticated with an AD server.
When you add an ESXi host as a fastpass target server, vi-fastpass creates two users with obfuscated passwords on the target server and stores the password information on vMA:
vi-admin with administrator privileges
vi-user with read-only privileges
The creation of vi-admin and vi-user does not apply for AD authentication targets. When you add a system as an AD target, vMA does not store information about the credentials. To use the AD authentication, the administrator must configure vMA for AD.
Configure vMA for Active Directory authentication so that ESXi hosts and vCenter Server systems added to Active Directory can be added to vMA. Joining the vMA to Active Directory prevents you from having to store the passwords in the vMA credential store. This approach is a more secure way of adding targets to vMA.
Ensure that the DNS server configured for vMA is the same as the DNS server of the domain. You can change the DNS server by using the vMA console or the Web UI.
Ensure that the domain is accessible from vMA. Ensure that you can ping the ESXi and vCenter Server systems that you want to add to vMA, and that the names you ping resolve to the target servers' IP addresses within the domain.
To add vMA to a domain:
From the vMA console, run the following command:
sudo domainjoin-cli join <domain_name> <domain_admin_user>
When prompted, provide the Active Directory administrator’s password.
For further information, read VMware’s vMA product documentation.
Tags: vMA, VMware
When using the vMA (VMware Management Assistant), every example in the documentation contains a placeholder such as vicfg-vswitch <conn_options>. What are these connection options? They are listed below.
--cacertsfile Specifies the CA certificate file
--config Path to a configuration file
--credstore Name of credential store file
--encoding Specifies the encoding to use
--passthroughauth Use Microsoft Windows Security SSPI
--passthroughauthpackage Specify the domain-level authentication protocol to be used
--password Login password
--portnumber Uses the specified port to connect
--protocol Uses the specified protocol to connect
--savesessionfile Saves the session to the specified file
--server The ESXi or vCenter host
--sessionfile Uses the specified file to load a saved session
--url Connect to the vSphere Web Services SDK URL
--username User name to log in to the system
--vihost Name of the ESXi host to run the command against
Phew, quite a few connection options. In practice you will probably use the following.
vicfg-vswitch --server vc01.qavdc.com --username administrator --password abcd1234 --vihost esxi01.qavdc.com -B both vSwitch0
The above connects to vc01 and sets the CDP mode of vSwitch0 on the esxi01 host to both (listen and advertise).
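Both of the commands shown in these posts carry the password on the command line, where it lands in the vMA shell history and in process listings; that exposure is exactly what vi-fastpass and AD targets remove. As an added example (not from the original posts or from VMware), here is a small Python audit that scans a copy of a vMA user's shell history for vCLI commands with an inline --password value and reports them with the secret redacted. The history lines are constructed for the example.

```python
"""Audit a vMA shell history for vCLI commands that pass a password inline."""
import shlex

# Constructed sample history (not from a real vMA). Lines 1 and 2 leak credentials;
# lines 3-5 use vi-fastpass or SSPI pass-through and should not be reported.
SAMPLE_HISTORY = """\
vicfg-nics --server esxi01a.qavdc.com --username root --password P@ssw0rd -l
vicfg-vswitch --server vc01.qavdc.com --username administrator --password=abcd1234 --vihost esxi01.qavdc.com -B both vSwitch0
vifptarget -s esxi01a.qavdc.com
vicfg-nics -l
esxcli --server vc01.qavdc.com --passthroughauth network nic list
"""

# Command-name prefixes that identify vSphere CLI tools (assumed set for this audit).
VCLI_PREFIXES = ("vicfg-", "esxcli", "vmware-cmd", "vmkfstools", "resxtop", "svmotion")
PASSWORD_FLAG = "--password"
PLACEHOLDER = "REDACTED"


def find_inline_passwords(history_text):
    """Return [(line_no, redacted_command), ...] for each vCLI command with --password.

    Handles both '--password value' and '--password=value'. A bare trailing
    '--password' (which makes the tool prompt interactively) is not reported.
    """
    findings = []
    for line_no, raw in enumerate(history_text.splitlines(), start=1):
        try:
            argv = shlex.split(raw)          # respects quoted passwords with spaces
        except ValueError:
            continue                         # unbalanced quotes: not a parseable command
        if not argv or not argv[0].startswith(VCLI_PREFIXES):
            continue
        redacted, leaked, i = list(argv), False, 0
        while i < len(argv):
            tok = argv[i]
            if tok == PASSWORD_FLAG and i + 1 < len(argv):
                redacted[i + 1] = PLACEHOLDER     # '--password value' form
                leaked, i = True, i + 2
                continue
            if tok.startswith(PASSWORD_FLAG + "="):
                redacted[i] = PASSWORD_FLAG + "=" + PLACEHOLDER  # '--password=value' form
                leaked = True
            i += 1
        if leaked:
            findings.append((line_no, " ".join(shlex.quote(t) for t in redacted)))
    return findings


if __name__ == "__main__":
    for line_no, cmd in find_inline_passwords(SAMPLE_HISTORY):
        print(f"history line {line_no}: {cmd}")
```

On a real appliance, feed it the contents of ~/.bash_history for each vMA user; any hit is a credential that should be rotated and replaced by a fastpass or AD target.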