Enabling Active Directory Authentication with ESX 3.5 and vSphere

Posted: June 6, 2009 in Tips and Tricks, VMware

Recently I needed to set up AD authentication with ESX 3.5 as part of a security hardening exercise which stated that users other than root needed to authenticate against AD rather than using local passwords.

Off I went on my quest to enable this, which brought me to this VMware document here. After browsing through it and thinking “That looks fairly simple” I went and ran the following commands on the ESX 3.5 service console:

    esxcfg-auth --enablead --addomain=demo.com --addc=virtualcenter.demo.com

    useradd testuser

(The useradd creates a user account on the ESX server; don’t set a password for this account.)

I then launched a putty session and tried to login but I kept getting the error “access denied”, so I went and tailed the messages log using tail -f /var/log/messages and noticed the error “Time Skew too great”, which told me this was a time issue.

I looked at the time on the ESX service console and it was within 30 seconds, so I was a bit puzzled because in the past I’ve read and experienced problems only if the time was skewed more than 10 minutes. After a heap of playing around I thought, well, I’ll set the ESX server to use the AD controller for time, so I went and configured NTP and gave it another crack.

Success …. so from this, another reminder to myself about just how important time is within an ESX cluster.

So the next thing I wanted to test was whether these steps were the same for vSphere. After running the exact commands as shown above I can confirm the exact same steps also configure AD authentication with vSphere.
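As an added example (not part of the original post), the two checks I would run on the service console before and after the commands above: a clock comparison against the DC and a triage of /var/log/messages for the time skew failure. It assumes a POSIX sh with awk; the 30 second limit, the epochs and the log lines are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post. Pre-flight checks for the AD
# authentication setup described above: a clock-skew check and a triage of
# /var/log/messages for the "time skew" failure. Assumes POSIX sh with awk.
# The 30 second limit is a constructed value, tighter than the usual 5 minute
# Kerberos tolerance, since the post saw the failure at under 30 seconds.
SKEW_LIMIT_SECONDS=30

# skew_ok LOCAL_EPOCH DC_EPOCH: succeed when the two clocks are within the limit.
skew_ok() {
    diff=$(( $1 - $2 ))
    [ "$diff" -lt 0 ] && diff=$(( 0 - diff ))
    [ "$diff" -le "$SKEW_LIMIT_SECONDS" ]
}

# count_skew_errors: read syslog lines on stdin, print how many report a
# Kerberos clock/time skew problem (prints 0 when there are none).
count_skew_errors() {
    awk 'tolower($0) ~ /time skew|clock skew/ { n++ } END { print n + 0 }'
}

# Constructed sample lines in the shape of /var/log/messages entries; the
# sshd/pam wording is illustrative, not copied from a real host.
SAMPLE_LOG='Jun  6 10:01:12 esx01 sshd[1234]: pam_krb5: Time skew too great
Jun  6 10:01:12 esx01 sshd[1234]: Failed password for testuser from 10.0.0.5
Jun  6 10:03:40 esx01 ntpd[987]: synchronized to 10.0.0.1, stratum 2
Jun  6 10:04:02 esx01 sshd[1301]: Accepted password for testuser from 10.0.0.5'

# Run the checks against the sample data. On a real host, replace the two
# constructed epochs with `date +%s` on the ESX console and the DC's clock.
if skew_ok 1244282400 1244282390; then
    echo "clock skew within ${SKEW_LIMIT_SECONDS}s limit"
else
    echo "clock skew exceeds ${SKEW_LIMIT_SECONDS}s, fix NTP before enabling AD auth"
fi
echo "skew errors in sample log: $(printf '%s\n' "$SAMPLE_LOG" | count_skew_errors)"
```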

Also just as a note, if you read one of my posts last week about the vSphere installer (here) … you might have noticed that NTP can be configured during the install process, which is really good to see because I’ve lost count of the times I’ve seen people forget to set this up post install. (Yes, myself included.)

