NSX-T 2.4 Active Directory integration using vIDM

As you may already know, after deployment of NSX-T Manager, users are stuck with a single built-in admin user. This might be OK for a lab environment, but in any size of production deployment this is major limitation/problem. In order to have some sort of RBAC, NSX-T Manager requires usage of VMware Identity Manager (vIDM).

Although VMware’s documentation covers the topic, it is not absolutely clear, not detailed enough. So, I had to jump a lot from page to page to find the exact steps.

Knowing the specifics of vIDM, I had a couple of questions:

1. In NSX-T 2.4 we have three NSX-T Managers, so which of those 3 need to communicate with vIDM?
2. Is the VIP address of NSX-T Manager in play here?

To answer those questions I had to perform quite a bit of testing, and below you can find the step by step guide I came up with.

I am using the vIDM appliance in this example, and yeah, BTW, I will skip the Deployment of vIDM appliance itself, as I assume you have it done already. And even if not, it’s really straight forward. And I also assume you already have VIP configured for your NSX-T Managers

Attention animated GIFs below!

Integrating Active Directory and vIDM

OK first we need to make sure that vIDM can see users and groups in our AD.

1. Log-in to the vIDM admin console, navigate to ‘Identity & Access Management’, click ‘Add Directory’ and select ‘Add Active Directory over LDAP/IWA’
2. In ‘Add Directory’ window, we need to fill in some details:
   • Directory Name: name of your AD domain.
   • Select ‘Active Directory (integrated Windows Authentication)‘ option.
   • Scroll down to ‘Join Domain Details’ section and fill in the required fields.
   • In ‘Bind User Details’ provide the service account details which will be used for binding.
   • Click ‘Save & Next’.

This process might take several minutes, during which you will see various messages about the the actions being taken. Once it is finished, you will need to configure some more settings.

1. ‘Select the Domain‘ page will appear with your domain listed. Select it and click ‘Next’.
2. On ‘Map User Attributes’ page, map vIDM attributes to corresponding AD attributes. There are four required attributes which need to be mapped, you need to make sure those are properly mapped. IMPORTANT: If any of the required attributes are not used in your AD setup, those need to be fixed or remapped to different existing attributes, otherwise the setup will fail. For example, in my lab setup, AD users doesn’t have email address set up, this created a problem and I had to use a PowerShell script to assign a fake email address to each user.
3. On ‘Select the group you want to sync’ page, Click the green ‘+’, specify groups DN and click ‘Find Groups’. Once a number of groups is listed, either check the ‘Select All’ checkbox, or manually select the groups you want to sync. As I mentioned, I am running in a lab, so, in my case I decided to sync all groups in my AD.
4. On ‘Select the Users you would like to sync’ page provide user DN and click next (I just used the same).
5. On the ‘Review’ page, make sure the numbers add are correct. If something looks wrong review the errors below for troubleshooting. In most cases errors will be related to missing attributes. Once done click ‘Sync Directory’.

Create OAuth-client on vIDM for NSX-T and gather needed details.

Once AD is synced up we can proceed with OAuth client config on vIDM.

1. In vIDM admin console navigate to Catalog>Settings>Remote App Access and click the green ‘Create Client‘ button.
2. In ‘Create Client’ window, configure needed settings:
   • Access Type: Service Client Token
   • Client ID: Create your Client ID and save it in separate text file for future use. I used the DNS name for NSX-T manager VIP in this example. (nsxtvip01-OAuthClient)
   • Expand ‘Advanced’ sub menu by clicking the black triangle icon
   • Click ‘Generate Shared Secret’ and save the generated line to a separate text file for future use.
   • Remaining settings can use default values unless specific requirements need to be met. Click ‘Add’ once done.
3. In the next step we need to SSH to vIDM appliance to generate SSL Thumbprint. You will need vIDM ‘sshuser’ credentials to log in. These credentials are configured during vIDM appliance deployment. Once connected, execute the following commands.
   • Become root: sudo -s
   • Change directory /usr/local/horizon/conf : cd /usr/local/horizon/conf
   • Generate SSL Thumbprint using the following command (replace the FQDN of vIDM with proper value): openssl x509 -in <FQDN of vIDM host>_cert.pem -noout -sha256 -fingerprint
   • Save the output of previous command to a text file.

Configure NSX-T to use vIDM

Now when we have all the details needed we can log into the NSX-T manager GUI and configure the vIDM integration.

1. In NSX-T manager GUI, navigate to System>Users>Configuration and click Edit to configure vIDM integration.
2. Do not enable the ‘External Load Balancer Integration’
3. Enable ‘VMware Identity Manager Integration’.
4. Fill in the FQDN of VIDM appliance.
5. Fill in ‘OAuth client ID’ field with data we captured in one of previous steps.
6. Fill in ‘OAuth Client Secret’. This is ‘Shared Secret’ thing we saved in one of previous steps.
7. Fill in ‘SSL Thumbprint’ field we captured in our SSH session.
8. And now the KEY IMPORTANT point. Fill in ‘NSX Appliance’ field with NSX-T Managers VIP FQDN
9. Click ‘Save’.

Adding AD users to NSX-T

Well, if all went successful you should be able to add AD users to your NSX-T setup. Navigate to ‘System>Users>Roles Assignments’ click ‘Add‘, start typing Username or Group Name in ‘User/User Group Name’ field, and it should auto-populate itself. Select a Role you want to assign, like ‘Enterprise Admin’ and click ‘Save’.

Thats it, your can now use AD credentials to manage your NSX-T environment.

Caveats and disadvantages

One of the biggest disadvantages of such setup is the fact that all your AD users will need to use VIP FQDN to be able to log in. If they will try to connect to any of NSX-T managers directly they will get an error message.

Second disadvantage is the fact that integrating vIDM basically ‘hides’ the possibility to login with local admin user. But don’t worry, there is a workaround. All you need to do is to add ‘login.jsp?local=true‘ to the end of your NSX-T manager URL For example: https://<nsx-manager-ip-address>/login.jsp?local=true

Some additional words

I want to again point out that this setup is specific to NSX-T 2.4. Although I assume this will work same on future versions, I will try to keep and eye on things and will keep this article up to date if possible.

Special thanks to Jack (@jackcherkas) and Bill (@souhrada) for working with me on this topic including testing and reviewing.

The following two tabs change content below.

• Bio
• Latest Posts

Aram Avetisyan

Aram Avetisyan is an IT specialist with more than 18 years experience. He has rich background in various IT related fields like Cloud, Virtualization and SDN. He holds several industry level certifications including but not limited to VCIX-DCV, VCIX-NV. He is also a vEXPERT in years 2014-2021.

Latest posts by Aram Avetisyan (see all)

• Make Youtube Videos About Technology? Why not… The Cross-Cloud Guy - October 7, 2021
• Automating (NSX-T) REST API using Ansible URI module - December 29, 2020
• Quick Reference: Create Security Policy with Firewall Rules using NSX-T Policy API - May 4, 2020