Vsphere OSS 8 Lab 18
OPERATE, SCALE AND SECURE
Contents
Introduction
Objectives
Lab Topology
Lab Settings
1 VMware Bravais Lab Simulation
2 Join Active Directory Domain and Set an Identity Source
3 Verify Active Directory Accounts Exist
4 Verify that the studentadmin User can Log Into vCenter via Active Directory
5 Knowledge Check
Introduction
In this lab, you will use your local desktop web browser to run the VMware Bravais lab simulation and
the NDG lab environment.
The first section of this lab will be a simulation utilizing VMware Bravais labs to configure Identity
Federation to use Microsoft ADFS (Active Directory Federation Services).
The second section of this lab will utilize the NDG lab environment to verify a list of users in
ad.vclass.local. You will then verify that a user in Active Directory can successfully log in to vCenter as an AD user.
Objectives
Lab Topology
Lab Settings
The information in the table below will be needed to complete the lab. The task sections that follow
provide details on the use of this information.
1 VMware Bravais Lab Simulation
In this task, you will configure the ADFS identity source and add permissions in vCenter for a user from
the ADFS identity source. You will then log in to vCenter as that user, authenticated by ADFS.
Do not perform the steps from this simulation in your actual lab environment.
Do not refresh, navigate away from, or minimize the browser tab hosting the
simulation. These actions might pause the simulation, and the simulation
might not progress.
Integrating Microsoft ADFS into a vSphere environment involves configuring ADFS as an identity
provider (IdP) for vCenter Server, so that users authenticate against their Active Directory (AD)
environment through ADFS and vCenter receives the result as an OpenID Connect (OIDC) token instead
of handling AD credentials itself. Here is a high-level overview of the steps involved:
• Set up ADFS: Install and configure ADFS in your environment, including an ADFS farm if desired
for high availability and load balancing. ADFS authenticates users against the AD forest it is
joined to, so no separate trust between ADFS and AD is needed for this scenario.
• Register vCenter in ADFS: Create an Application Group in ADFS containing a Server application
and a Web API. The Server application holds vCenter's redirect URIs
(https://<vCenter FQDN>/ui/login/oauth2/authcode and https://<vCenter FQDN>/ui/login) and
generates the client identifier and shared secret. The Web API carries the issuance transform
(claim) rules that place the user's UPN and AD group membership in the token, and the client must
be granted the openid and allatclaims scopes.
• Configure vCenter: In the vSphere Client, under Administration > Single Sign On > Configuration >
Identity Provider, change the identity provider to Microsoft ADFS and enter the client identifier,
the shared secret, and the ADFS OpenID address
(https://<ADFS FQDN>/adfs/.well-known/openid-configuration). vCenter also needs LDAP connection
details for AD (base DNs for users and groups, a bind account, and the domain controller URL) so
that it can enumerate AD users and groups when you assign permissions; at login time, group
membership comes from the Group claims that ADFS issues.
• Assign permissions and test: Add AD users or groups to vCenter roles or SSO groups, log in to
vCenter through the ADFS sign-in page, and verify that each user receives only the permissions
of the groups they belong to.
• Secure and monitor: Use CA-signed TLS certificates on both sides (vCenter validates the
certificate ADFS presents on its OpenID endpoint, so the CA must be trusted by vCenter), keep the
redirect URI list limited to the two vCenter URIs above, rotate the shared secret, and enable and
regularly review ADFS and vCenter SSO audit logs.
Note: Detailed configuration steps may vary depending on the specific versions of ADFS and vSphere
being used, and the desired configuration options. It is recommended to refer to official
documentation and best practices from both Microsoft and VMware for specific guidance on
integrating ADFS with vSphere in your environment.
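The ADFS side of the procedure above, as an added example that is not part of the lab or of VMware's documentation: it creates the Application Group, Server application and Web API for vCenter with the ADFS PowerShell module (run on an ADFS server). The ADFS hostname is hypothetical, sa-vcsa.vclass.local is the vCenter from this lab, and the claim mapping (UPN to Name ID, long-domain-qualified token groups to Group) is an assumption to confirm against the current VMware documentation for your vSphere version.

```powershell
# Added example (not from the lab or VMware): register vCenter in ADFS as an
# OpenID Connect relying party. Requires the ADFS module on an ADFS server.

$vcenterFqdn = 'sa-vcsa.vclass.local'       # vCenter Server Appliance from this lab
$adfsFqdn    = 'adfs.ad.vclass.local'       # hypothetical ADFS server name
$groupName   = 'vCenter Server'
$clientId    = [guid]::NewGuid().Guid       # Client Identifier to paste into vCenter

# vCenter receives the authorization code at exactly these two URIs. Keep the
# list this short: every extra URI is a place a token could be redirected to.
$redirectUris = @(
    "https://$vcenterFqdn/ui/login/oauth2/authcode",
    "https://$vcenterFqdn/ui/login"
)

New-AdfsApplicationGroup -Name $groupName -Description 'vCenter Server identity federation'

# Server application: client ID, redirect URIs and the shared secret. Capture
# the secret from the returned object; ADFS does not display it again.
$serverApp = Add-AdfsServerApplication -ApplicationGroupIdentifier $groupName `
    -Name "$groupName - Server application" -Identifier $clientId `
    -RedirectUri $redirectUris -GenerateClientSecret
$clientSecret = $serverApp.ClientSecret

# Issuance transform rule (assumed mapping, verify against the VMware docs):
# send the UPN as Name ID and AD groups qualified by long domain name
# (ad.vclass.local\groupname) as Group claims, which vCenter authorizes on.
$claimRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "vCenter UPN and groups"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", "http://schemas.xmlsoap.org/claims/Group"), query = ";userPrincipalName,tokenGroups(longDomainQualifiedName);{0}", param = c.Value);
'@

# Web API: same identifier as the client, so the token is issued for vCenter.
# "Permit everyone" lets any AD user obtain a token; authorization is then
# decided by vCenter. Swap in a stricter access control policy if only a
# known AD group should be able to reach the vCenter login at all.
Add-AdfsWebApiApplication -ApplicationGroupIdentifier $groupName `
    -Name "$groupName - Web API" -Identifier $clientId `
    -AccessControlPolicyName 'Permit everyone' `
    -IssuanceTransformRules $claimRules

# Scopes vCenter requests: openid (OIDC) and allatclaims (claims in the token).
Grant-AdfsApplicationPermission -ClientRoleIdentifier $clientId `
    -ServerRoleIdentifier $clientId -ScopeNames @('openid', 'allatclaims')

# The three values the vSphere Client asks for when switching the identity
# provider to Microsoft ADFS.
[pscustomobject]@{
    ClientIdentifier = $clientId
    SharedSecret     = $clientSecret
    OpenIdAddress    = "https://$adfsFqdn/adfs/.well-known/openid-configuration"
}
```

Treat the printed SharedSecret as a credential: it is the only thing, besides the redirect URI check, that ties tokens to this vCenter, so store it in a password manager and rotate it with Set-AdfsServerApplication if it is ever exposed.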
3. After you complete the simulation, close the simulation browser tab. Navigate back to the NDG lab
environment.
2 Join Active Directory Domain and Set an Identity Source
In this task, you will use the NDG lab environment to apply the techniques learned in the VMware
Bravais simulation lab. You will join sa-vcsa.vclass.local to the ad.vclass.local domain and set
ad.vclass.local as the default identity source.
2. Launch the sa-student Virtual Machine (VM) to access the graphical login screen.
To launch the console window for a VM, either click on the VM’s
graphic image from the topology page or click on the VM’s respective
tab from the navigation bar.
3. Launch the Mozilla Firefox web browser by either clicking on the icon shortcut found on the
bottom toolbar or by navigating to Start Menu > Internet > Firefox Web Browser.
If the VMware Getting Started web page does not load, please wait
an additional 3-5 minutes, and refresh the page to continue. This is
because the vCenter Server Appliance is still booting up and requires
extra time to initialize.
5. To log in to the vCenter Server Appliance, enter sysadmin@vclass.local as the username and
NDGlabpass123! as the password. Click LOGIN.
8. In the Configuration pane, select Identity Provider and click Active Directory Domain. Verify that
the sa-vcsa.vclass.local node is selected. Click JOIN AD.
9. In the Join Active Directory Domain window, enter ad.vclass.local for the Domain, administrator for the
Username, and NDGlabpass123! for the Password. Click JOIN.
For this lab, Active Directory has been preconfigured on the SA-AIO
machine.
10. Verify that sa-vcsa.vclass.local has successfully joined the ad.vclass.local domain. Click Acknowledge on
the popup dialog box.
11. Restart the vCenter Server Appliance using the vCenter Server Appliance Management Interface.
Port 5480 is the default port used to access the vCenter Server
Appliance Management Interface (VAMI). The VAMI is used to perform
administrative tasks such as changing the host name or network
configuration and applying updates and patches.
b. In the Username field, type sysadmin@vclass.local and in the Password field, type
NDGlabpass123!. Click on LOGIN.
c. From the Actions dropdown menu in the top right corner, select Reboot.
12. Change focus back to the vSphere Client tab, and refresh the screen periodically until the vSphere
Client login page appears.
The reboot process takes 5 - 10 minutes to complete. During this time, the
vSphere Client is unavailable. You will not be able to add ad.vclass.local as an
identity source until the reboot process is complete.
13. Log in to the vCenter Server Appliance: enter sysadmin@vclass.local as the username and
NDGlabpass123! as the password. Click LOGIN.
16. In the Configuration pane, select Identity Provider and click Identity Sources. Notice that the
vclass.local and localos domains appear as identity sources.
18. In the Add Identity Source window, verify that Active Directory (Integrated Windows
Authentication) is selected. Verify that AD.VCLASS.LOCAL is listed as the Domain name. Ensure
that Use machine account is selected, and click ADD.
Integrated Windows Authentication has been deprecated since vSphere 7.0. It is
used here because the lab environment is built around it; for production
deployments, VMware recommends Active Directory over LDAPS or identity
federation (as in the simulation in Task 1) instead.
19. In the Identity Sources window, verify that AD.VCLASS.LOCAL is listed as an identity source. Select
the AD.VCLASS.LOCAL identity source, and click SET AS DEFAULT.
21. Leave the vSphere Client open, and continue to the next task.
3 Verify Active Directory Accounts Exist
In this task, you will view the list of AD users, and confirm that the studentadmin and cladmin single
sign-on accounts exist.
Reviewing which AD accounts vCenter can see, and which of them hold SSO group memberships, is a
basic access-control check: it confirms that the identity source is working and shows who can
currently administer the virtual environment.
2. In the navigation pane, navigate to Single Sign On > Users and Groups.
3. In the Users and Groups pane on the Users tab, verify that AD.VCLASS.LOCAL is selected from the
dropdown menu.
4. In the AD.VCLASS.LOCAL domain, you should see the studentadmin and cladmin users.
You may need to scroll through the Users window to verify that both
studentadmin and cladmin are listed.
5. In the Users and Groups pane, click the Groups tab. Select Administrators and click EDIT.
6. In the Edit Group window, for the Add Members dropdown menu, select ad.vclass.local. In the
search box, type student. Select studentadmin and click SAVE.
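The same checks from the AD side, as an added example that is not part of the lab: it confirms that the domain join in Task 2 created a computer object for the appliance and that the accounts verified in this task exist and can log on. It assumes the ActiveDirectory RSAT module on a Windows host that can read ad.vclass.local; sa-vcsa is the appliance short name assumed from the lab's hostname.

```powershell
# Added example (not from the lab): verify Task 2 and Task 3 results in AD.
# Requires the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

$domain   = 'ad.vclass.local'
$computer = 'sa-vcsa'                       # appliance short name (assumed from its FQDN)
$users    = @('studentadmin', 'cladmin')

# A successful JOIN AD creates a computer object for the appliance. If it is
# missing or disabled, machine-account authentication for the IWA identity
# source (step 18) cannot work.
function Test-VcenterDomainJoin {
    param([string]$Server, [string]$ComputerName)
    try {
        $c = Get-ADComputer -Identity $ComputerName -Server $Server `
            -Properties OperatingSystem, LastLogonDate -ErrorAction Stop
        [pscustomobject]@{ Object = $c.Name; Exists = $true; Enabled = $c.Enabled
                           OS = $c.OperatingSystem; LastLogon = $c.LastLogonDate }
    } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        [pscustomobject]@{ Object = $ComputerName; Exists = $false; Enabled = $null
                           OS = $null; LastLogon = $null }
    }
}

# An account that exists but is disabled, locked out or has an expired
# password shows up in the vSphere Client user list yet fails the login in
# Task 4, so report the logon state, not just existence.
function Test-LabUsers {
    param([string]$Server, [string[]]$SamAccountNames)
    foreach ($name in $SamAccountNames) {
        try {
            $u = Get-ADUser -Identity $name -Server $Server `
                -Properties MemberOf, LockedOut, PasswordExpired -ErrorAction Stop
            [pscustomobject]@{
                User     = $u.SamAccountName
                Exists   = $true
                CanLogon = $u.Enabled -and -not $u.LockedOut -and -not $u.PasswordExpired
                UPN      = $u.UserPrincipalName
                ADGroups = ($u.MemberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join '; '
            }
        } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
            [pscustomobject]@{ User = $name; Exists = $false; CanLogon = $false
                               UPN = $null; ADGroups = $null }
        }
    }
}

Test-VcenterDomainJoin -Server $domain -ComputerName $computer | Format-List
Test-LabUsers -Server $domain -SamAccountNames $users | Format-Table -AutoSize
```

The ADGroups column lists AD group membership only. The Administrators group edited in step 5 is a vCenter SSO group stored in vCenter, not in AD, so that membership is visible only in the vSphere Client under Single Sign On > Users and Groups > Groups.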
4 Verify that the studentadmin User can Log Into vCenter via Active Directory
In this task, you will verify that studentadmin@ad.vclass.local can successfully log in to vCenter as an
AD user.
1. Log in to the vCenter Server Appliance: enter studentadmin@ad.vclass.local as the username and
NDGlabpass123! as the password. Click LOGIN.
4. Navigate the vSphere Client to confirm that the studentadmin account can complete administrative
tasks.
5 Knowledge Check
In this task, you will configure the cladmin user account, and confirm the status of the group to which it
will be added.
1. Using the studentadmin account, assign the cladmin user to the ReadOnlyUsers group.
2. Log in to vCenter as the cladmin user.
3. Navigate the vSphere Client and confirm that you are a read-only user.
4. Verify that you cannot shut down the sa-esxi-02.vclass.local host.
5. The lab is now complete; you may end your reservation.