Adding Active Directory Authentication to vRA7

vRA7 AD Domain Syncronisation
vRA7 AD Domain Syncronisation

Adding Active Directory Authentication to vRA7 is slightly different to vRA6 due to the VMware Identity Manager vIDM being used in vRA7.

First things first we should create some groups in Active Directory that map to roles in vRA, this is especially important if you want to pass any VMware exams as there are always questions on roles and being lazy and using a super user means you need to guess at these. Reference: VMware vRA7 Tenant Users

In each group you then add the users, the example shown below has the group BKDC_BGAdmins, which has a user added to it, this allows all user management to be done from Active Directory and not from vIDM, with this approach as users come and go from various roles the AD team can update the membership and not annoy the cloud admin every time.

Once you have your groups created in AD head back to vRA and log in as the ConfigurationAdmin user, head to Administration –> Directories Management.

Click the +Add Directory

Now you have the options (taken straight from VMware):

Active Directory over LDAP. Create this directory type if you plan to connect to a single Active Directory domain environment. For the Active Directory over LDAP directory type, the connector binds to Active Directory using simple bind authentication.

Active Directory, Integrated Windows Authentication. Create this directory type if you plan to connect to a multi-domain or multi-forest Active Directory environment. The connector binds to Active Directory using Integrated Windows Authentication.

You can also set SAMAcountName or UserPrincipleName. The difference here is:

SAMAccountName: Bking

UserPrincipalName: lab\bking or bking@lab.local

I will be using the UPN as I have two users with the same name.

I then enter my service account details, BaseDN and DN of the user.

BaseDN: This is the location vRA will search in AD, I am searching the OU called Users, but this could be an OU for Cloud etc.

UserDN: This is the DN of the service account I am using.

We now have our added domain:

We can now map the information on the users from AD to vRA, this can come in handy for advanced work flows in the future. For example the Manager in AD might have to approve my VM request in vRA.

Note: If this is a bit confusing to you (not having a Windows background) check out ADSI Edit on your AD server:

I have copied the Distinguished Name from ADSI Edit to the field shown here and selected all the needed groups (NOTE: In a real environment you would create an OU for all your cloud groups and users Production AD servers can have thousands of groups and we don’t want to sync them all).

We also select our Users to sync, again in my lab this is the same OU:

I also modified the Sync Frequency from here as the default is once per week:

The AD Domain that we specified above is now synced to the internal vIDM database, unlike SSO which used to query AD each time.