As you may already know, after deployment of NSX-T Manager, users are stuck with a single built-in admin user. This might be OK for a lab environment, but in any size of production deployment this is major limitation/problem. In order to have some sort of RBAC, NSX-T Manager requires usage of VMware Identity Manager (vIDM).
Although VMware’s documentation covers the topic, it is not absolutely clear, not detailed enough. So, I had to jump a lot from page to page to find the exact steps.
Knowing the specifics of vIDM, I had a couple of questions:
- In NSX-T 2.4 we have three NSX-T Managers, so which of those 3 need to communicate with vIDM?
- Is the VIP address of NSX-T Manager in play here?
To answer those questions I had to perform quite a bit of testing, and below you can find the step by step guide I came up with.
I am using the vIDM appliance in this example, and yeah, BTW, I will skip the Deployment of vIDM appliance itself, as I assume you have it done already. And even if not, it’s really straight forward. And I also assume you already have VIP configured for your NSX-T Managers
Attention animated GIFs below!
Integrating Active Directory and vIDM
OK first we need to make sure that vIDM can see users and groups in our AD.
- Log-in to the vIDM admin console, navigate to ‘Identity & Access Management’, click ‘Add Directory’ and select ‘Add Active Directory over LDAP/IWA’
- In ‘Add Directory’ window, we need to fill in some details:
- Directory Name: name of your AD domain.
- Select ‘Active Directory (integrated Windows Authentication)‘ option.
- Scroll down to ‘Join Domain Details’ section and fill in the required fields.
- In ‘Bind User Details’ provide the service account details which will be used for binding.
- Click ‘Save & Next’.
This process might take several minutes, during which you will see various messages about the the actions being taken. Once it is finished, you will need to configure some more settings.
- ‘Select the Domain‘ page will appear with your domain listed. Select it and click ‘Next’.
- On ‘Map User Attributes’ page, map vIDM attributes to corresponding AD attributes. There are four required attributes which need to be mapped, you need to make sure those are properly mapped. IMPORTANT: If any of the required attributes are not used in your AD setup, those need to be fixed or remapped to different existing attributes, otherwise the setup will fail. For example, in my lab setup, AD users doesn’t have email address set up, this created a problem and I had to use a PowerShell script to assign a fake email address to each user.
- On ‘Select the group you want to sync’ page, Click the green ‘+’, specify groups DN and click ‘Find Groups’. Once a number of groups is listed, either check the ‘Select All’ checkbox, or manually select the groups you want to sync. As I mentioned, I am running in a lab, so, in my case I decided to sync all groups in my AD.
- On ‘Select the Users you would like to sync’ page provide user DN and click next (I just used the same).
- On the ‘Review’ page, make sure the numbers add are correct. If something looks wrong review the errors below for troubleshooting. In most cases errors will be related to missing attributes. Once done click ‘Sync Directory’.
Create OAuth-client on vIDM for NSX-T and gather needed details.
Once AD is synced up we can proceed with OAuth client config on vIDM.
- In vIDM admin console navigate to Catalog>Settings>Remote App Access and click the green ‘Create Client‘ button.
- In ‘Create Client’ window, configure needed settings:
- Access Type: Service Client Token
- Client ID: Create your Client ID and save it in separate text file for future use. I used the DNS name for NSX-T manager VIP in this example. (nsxtvip01-OAuthClient)
- Expand ‘Advanced’ sub menu by clicking the black triangle icon
- Click ‘Generate Shared Secret’ and save the generated line to a separate text file for future use.
- In the next step we need to SSH to vIDM appliance to generate SSL Thumbprint. You will need vIDM ‘sshuser’ credentials to log in. These credentials are configured during vIDM appliance deployment. Once connected, execute the following commands.
- Become root:
sudo -s
- Change directory /usr/local/horizon/conf :
cd /usr/local/horizon/conf
- Generate SSL Thumbprint using the following command (replace the FQDN of vIDM with proper value):
openssl x509 -in <FQDN of vIDM host>_cert.pem -noout -sha256 -fingerprint
- Save the output of previous command to a text file.
- Become root:
Configure NSX-T to use vIDM
Now when we have all the details needed we can log into the NSX-T manager GUI and configure the vIDM integration.
- In NSX-T manager GUI, navigate to System>Users>Configuration and click Edit to configure vIDM integration.
- Do not enable the ‘External Load Balancer Integration’
- Enable ‘VMware Identity Manager Integration’.
- Fill in the FQDN of VIDM appliance.
- Fill in ‘OAuth client ID’ field with data we captured in one of previous steps.
- Fill in ‘OAuth Client Secret’. This is ‘Shared Secret’ thing we saved in one of previous steps.
- Fill in ‘SSL Thumbprint’ field we captured in our SSH session.
- And now the KEY IMPORTANT point. Fill in ‘NSX Appliance’ field with NSX-T Managers VIP FQDN
- Click ‘Save’.
Adding AD users to NSX-T
Well, if all went successful you should be able to add AD users to your NSX-T setup. Navigate to ‘System>Users>Roles Assignments’ click ‘Add‘, start typing Username or Group Name in ‘User/User Group Name’ field, and it should auto-populate itself. Select a Role you want to assign, like ‘Enterprise Admin’ and click ‘Save’.
Thats it, your can now use AD credentials to manage your NSX-T environment.
Caveats and disadvantages
One of the biggest disadvantages of such setup is the fact that all your AD users will need to use VIP FQDN to be able to log in. If they will try to connect to any of NSX-T managers directly they will get an error message.
Second disadvantage is the fact that integrating vIDM basically ‘hides’ the possibility to login with local admin user. But don’t worry, there is a workaround. All you need to do is to add ‘login.jsp?local=true‘ to the end of your NSX-T manager URL For example: https://<nsx-manager-ip-address>/login.jsp?local=true
Some additional words
I want to again point out that this setup is specific to NSX-T 2.4. Although I assume this will work same on future versions, I will try to keep and eye on things and will keep this article up to date if possible.
Special thanks to Jack (@jackcherkas) and Bill (@souhrada) for working with me on this topic including testing and reviewing.
Latest posts by Aram Avetisyan (see all)
- Make Youtube Videos About Technology? Why not… The Cross-Cloud Guy - October 7, 2021
- Automating (NSX-T) REST API using Ansible URI module - December 29, 2020
- Quick Reference: Create Security Policy with Firewall Rules using NSX-T Policy API - May 4, 2020
For NSX-T 2.5 the command to get the cert is:
openssl1 s_client -connect vidmhost.corp.local:443 /dev/null | openssl x509 -sha256 -fingerprint -noout -in /dev/stdin
Thanks for the writeup. It really is silly that they made this *require* VIDM to work. It’s nice that it can use VIDM for really complex identity management, but most of the time you just want it to do “check my password against this server”.
agree, vIDM in NSX-T is PITA, especially if you deploy small Production environment, because resilient vIDM requires 2 vIDM servers, external MS SQL server and a load balancer. I hope they will enabled basic LDAP integration in future, or may be a simple internal LDAP.
Yes, I agree a real PITA!!. Especially since LDAP integration is already there with the IDFW. Why can’t that same AD connection be used for NSX-T authentication?
I have problem on last step, connection does not come Up, dont know where to check for logs etc.
VMware Identity Manager Connection: Down
NSX-T 2.5.1
Any ideas?
Thanx
Unfortunately no ideas,
To be honest, I haven’t even managed to install 2.5.1 yet. One of the most important features for me is broken in it, namely the Transport node Profiles.(Issue 2481033) and the workaround provided by VMware is not really working for me as well. If you are running in a lab, i would recommend trying 2.5.0 and see if it works there. If you are in prod, i suggest opening ticket to VMware. IMHO the 2.5.1 release is one of those problematic ones VMware is having sometimes, so I will stick to 2.5.0 for now.
Aram and I re-tested vIDM integration with NSX-T 2.5.0 (not 2.5.1) and it works as expected, so suggest that you re-do the configuration (closely following the instructions above) or raise a SR with VMware since it potentially could be a bug with NSX-T 2.5.1.
I got it working (2.5.0) but only if I use one of Managers FQDN (or IP). Does not work if I try to set it up with VIP FQDN.
According to documentation you can not use feature “External Load Balancer Integration” if you have VIP set up on Manager.
https://docs.vmware.com/en/VMware-NSX-T-Data-Center/2.5/administration/GUID-EAAD1FBE-F750-4A5A-A3BF-92B1E7D016FE.html
Strange thing is that I can’t disable “External Load Balancer Integration” and even if I disable it, it enables automatically back after Save.
Bug or something??
This is in Lab environment, will try on Production and let you know.
Our setup is configured to use the NSX-T Manager VIP FQDN and External Load Balancer Integration is enabled. If we disable it then vIDM integration fails, the on/off toggle does seem to be a bit tempremental. Might be worth trying to delete the vIDM configuration and re-do it?
FYI:
After changing FQDN from Manager to VIP FQDP back and forth a few times, waiting patiently, double checked everything (it was set up correctly) it started to work also with VIP address…..
Thank you for your help.