To enable active directory authentication on ESX servers you need to do the following...


1. Ensure that it is currently disabled and config is clear before starting: 

/usr/sbin/esxcfg-auth --disablead

 

2. Confirm the AD kerberos firewall port is blocked:

/usr/sbin/esxcfg-firewall -q activeDirectorKerberos
Service activeDirectorKerberos is blocked.

 

3. Enable Active Directory Authentication:

/usr/sbin/esxcfg-auth --enablead --addomain=vmadmin.co.uk --addc=dc1.vmadmin.co.uk

 

4. Confirm the AD kerberos firewall port is open:

/usr/sbin/esxcfg-firewall -q activeDirectorKerberos
Service activeDirectorKerberos is enabled.

 

5. Add an AD username: 

/usr/sbin/useradd myaduser1

 

6. Now try logging into the ESX server on the console and via SSH.
It should allow you to use your active directory password for each AD user you added.

 

 

Checking the users on the ESX server:
getent passwd

 

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:4294967294:4294967294:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
vimuser:x:12:20:vimuser:/sbin:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
rpm:x:37:37::/var/lib/rpm:/sbin/nologin
vpxuser:x:500:100:VMware VirtualCenter administration account:/home/vpxuser:/bin/false
myaduser1:x:501:501::/home/myaduser1:/bin/bash

 

 

Additionally in vSphere client, when the ESX host is selected and the configuration tab is selected. Under the Security Profile the "Active Director Kerberos" ports will show under outgoing connections.

 

 

 

Share this blog post on social media:

Social Links

Disclaimer

All advice, installation/configuration how to guides, troubleshooting and other information on this website are provided as-is with no warranty or guarantee. Whilst the information provided is correct to the best of my knowledge, I am not reponsible for any issues that may arise using this information, and you do so at your own risk. As always before performing anything; check, double check, test and always ensure you have a backup.

Copyright ©2016 Andy Barnes - Please do not copy any content including images without prior consent!

Designed and Hosted by Andy Barnes