vCloud Director 5.1 brings Single Sign-On (SSO) functionality, which simplifies the way users log in to the vCloud Director portal. There is some confusion with vCenter SSO, so let me first list all the SSO options:
- When vCloud Director is integrated with the vSphere Lookup Service (System > Administration > System Settings > Federation menu), vCloud Administrators can use vCenter SSO for authentication. The login screen is replaced with the vSphere Client login screen.
- The tenants can self-configure a SAML identity provider to enable SSO for their users' access to the portal. This can be done by the Organization Administrator in the Administration > Settings > Federation menu. Currently supported providers are OpenAM and Active Directory Federation Services (ADFS). This option is ideal for public clouds where there is no connectivity between the vCloud Director cells and the customers' LDAP servers.
- The vCloud Administrator can enable Microsoft's proprietary Security Support Provider Interface (SSPI) to simplify authentication against Active Directory for the organization's users.
The third option is not documented in any way, so I decided to research it and write down how to get it working.
The following diagram shows the authentication process:
Although in the diagram vCloud Director (VCD) does not talk directly to the Active Directory server, direct connectivity between the cells and the AD servers is still necessary, because the cells retrieve group membership information from AD. The client must be logged into the domain and use a browser that supports integrated authentication. The client also has to use the same DNS server as Active Directory. This implies that SSPI authentication is valid only for the private cloud use case.
Here are the steps to get it working:
- For the given organization, enable custom LDAP with Kerberos authentication. Here is a nice detailed article on how to do it.
- In AD, create a group for the users, import it into vCloud Director and assign it a vCloud Director role.
- Again on the AD server, in Active Directory Users and Computers create a computer account for vCloud Director. I created the account VCLOUD under Computers.
- Map this account to the Service Principal Name (SPN), which has the following form: HTTP/<vCloud FQDN>@<AD REALM>. This can be done with the setspn command on the AD server:
setspn -a HTTP/vcloud.fojta.com VCLOUD$
(note the $ character at the end of the computer account name)
- Now we need to export the encryption key the Kerberos token issuer uses to encrypt the token, and upload it to vCloud Director. This can be done from the command line (again on the AD server) with the ktpass utility:
ktpass -princ HTTP/<VCD FQDN>@<AD REALM> -pass * -mapuser <computer account>$@<domain> -out HTTP.keytab -ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT
In my case I used:
ktpass -princ HTTP/vcloud.fojta.com@FOJTA.COM -pass * -mapuser VCLOUD$@FOJTA.COM -out VCLOUD.HTTP.keytab -ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT
Type any password and confirm the reset.
- Now we need to take the created keytab file (VCLOUD.HTTP.keytab) and use it for the SSPI configuration. In the vCloud Director organization's Custom LDAP configuration, go to the SSPI section, enable it, enter the Service Principal Name from step #4 and upload the keytab file from step #5.
- To get the single sign-on experience, some settings must be configured in the client web browser:
- Internet Explorer: go to Internet Options, Security, Local intranet, Sites and add the vCloud Director FQDN to the zone's trusted sites. Then edit the security level for this zone by clicking the Custom Level button and, at the bottom of the list in the User Authentication, Logon section, enable "Automatic logon only in Intranet zone".
- Firefox: open the about:config URL, search for network.negotiate and add the vCloud Director FQDN to network.negotiate-auth.trusted-uris.
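As an added example (not from the original post or from VMware), here is a small Python check an administrator can run on the keytab from step #5 before uploading it in step #6: it parses the MIT version 0x0502 keytab layout (assumed here to be what ktpass writes), confirms that the SPN from step #4 is present with the KRB5_NT_PRINCIPAL name type, and warns about RC4-HMAC entries, since RC4-HMAC-NT is a legacy encryption type. The keytab bytes are constructed inline as a stand-in for VCLOUD.HTTP.keytab.

```python
import struct
# Kerberos enctype numbers (RFC 3961 / RFC 4757); 23 is the RC4-HMAC-NT that the ktpass line above selects
RC4_HMAC = 23
KRB5_NT_PRINCIPAL = 1  # the -ptype the article passes to ktpass
def _cstr(data, pos):  # counted octet string: uint16 big-endian length, then the bytes
    (n,) = struct.unpack(">H", data[pos:pos + 2])
    return data[pos + 2:pos + 2 + n], pos + 2 + n

def parse_keytab(data):
    """Parse an MIT-format (version 0x0502) keytab, the layout assumed for ktpass output, into entries."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4]); pos += 4
        if size <= 0:                     # a negative size marks a deleted slot: skip it
            pos -= size; continue
        end = pos + size
        (ncomp,) = struct.unpack(">H", data[pos:pos + 2]); pos += 2
        realm, pos = _cstr(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _cstr(data, pos); comps.append(c.decode())
        name_type, _ts, vno8 = struct.unpack(">IIB", data[pos:pos + 9]); pos += 9
        (etype,) = struct.unpack(">H", data[pos:pos + 2]); pos += 2
        _key, pos = _cstr(data, pos)      # the key bytes themselves are not needed for this check
        kvno = struct.unpack(">I", data[pos:pos + 4])[0] if end - pos >= 4 else vno8
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "name_type": name_type, "etype": etype, "kvno": kvno})
        pos = end
    return entries

def check_keytab(data, expected_spn):
    """Return (ok, warnings): ok only if expected_spn is present as a KRB5_NT_PRINCIPAL entry."""
    entries = parse_keytab(data)
    ok = any(e["principal"] == expected_spn and e["name_type"] == KRB5_NT_PRINCIPAL for e in entries)
    warnings = [e["principal"] + " uses rc4-hmac (etype 23), a legacy enctype" for e in entries if e["etype"] == RC4_HMAC]
    return ok, warnings

def build_entry(principal, etype, kvno, key):
    """Constructed sample data only: serialise one entry in the layout parse_keytab reads."""
    name, realm = principal.split("@"); comps = name.split("/")
    body = struct.pack(">H", len(comps)) + b"".join(struct.pack(">H", len(s)) + s.encode() for s in [realm] + comps)
    body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, 0, kvno & 0xFF)  # name type, timestamp, 8-bit kvno
    body += struct.pack(">HH", etype, len(key)) + key + struct.pack(">I", kvno)  # keyblock, 32-bit kvno
    return struct.pack(">i", len(body)) + body

# Constructed stand-in for VCLOUD.HTTP.keytab: the article's SPN with a dummy all-zero 16-byte RC4 key
SAMPLE_KEYTAB = b"\x05\x02" + build_entry("HTTP/vcloud.fojta.com@FOJTA.COM", RC4_HMAC, 3, b"\x00" * 16)
```

Run check_keytab(SAMPLE_KEYTAB, "HTTP/vcloud.fojta.com@FOJTA.COM") against a real keytab's bytes instead of the sample to verify the file before uploading it.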