Active Directory Authentication – Accountability in ESX / ESXi 4.1
By Harley Stagner | Aug 03, 2010 | Insights, Virtualization
As a part of TBL professional services datacenter practice, I perform many health and security checks on virtual infrastructures for clients. One of the common issues that I run into is the use of the default “root” account for administering ESX servers. This is an issue for two reasons:
- The “root” account has a tremendous amount of power and the password for it is typically the same shared password on each ESX host.
- If all administration is done with the “root” account there is no audit trail for accountability. It could have been Joe, Bob, or Sue that logged into the ESX host. You just don’t know.
Of course, most administration should be done through vCenter, but you still occasionally need to log into an ESX host directly. The solution to this that I have recommended in the past has been to create local user accounts coinciding with the Active Directory user name on each ESX host. Then do not use root unless absolutely necessary when performing administrative tasks directly on the host. However, this meant that the IT Administrators would need to manage user accounts in Active Directory and the local accounts on the ESX / ESXi hosts.
There has been a “less than ideal” solution to Active Directory authentication for quite a while (see Scott Lowe’s article). However, this solution was very laborious, involves the command line, and only worked on ESX Classic. Not ESXi.
With the release of vSphere 4.1, native Active Directory authentication is one of the many new features. Here’s how easy it is to implement once you have ESX installed.
- Connect to your ESX/ESXi server with the vSphere Client.
- Click on “Inventory” and highlight your ESX/ESXi server.
- Click on the “Configuration” tab.
- Navigate to “Software –> Authentication Services”
- Click on “Properties” on the right hand side.
- Change the “Directory Service Type” from “Local Authentication” to “Active Directory”
- Once you do that and enter in your Domain, click “Join Domain” and you will be prompted for appropriate credentials to join the domain.
- Click “OK” when you are done.
That’s it! Now you can have accountability controlled through Active Directory Authentication. Joe, Bob, and Sue can all use their respective Active Directory accounts for authentication. Accountability!
Permissions can now be added for Active Directory users and groups as well.
You can even use it with the vSphere CLI and the Direct Console User Interface (DCUI) on ESXi.
Should you still need the local “root” account for emergencies, it will still be available to you. Otherwise, do your company a favor and maintain an audit trail for administrative actions on your infrastructure.