Posted by Chad King
I decided to tackle something a few days back that I finally figured out and I thought it would be a good idea to share it out as others seem to run into it from time to time. vCenter Orchestrator is something that is getting a lot more attention these days because of the automation it can bring to your VMware virtual environment. I won’t go into details about what it can do completely as there is plenty of that out there. I instead wanted to focus on it from a security stand point when working with Secure LDAP and using SSL. Now I most certainly want to say that there are probably some sources out there that may speak to this but many I have read and reviewed I have found lacking in some way for a better term. Some would defer to other articles which were even more vague. My only goal is to enable you to be able to effectively connect vCenter Orchestrator securely to your Microsoft Active Directory Services and be able to modify it.
What did it take?
Well here are some suggestions and key things to consider when standing this up.
- What accounts does VCO need?
- When using the Active Directory plug-in what level of further permissions is needed into active directory with the account making AD changes?
- What exactly do the VCO users do exactly and how do they work? (I would like VMware to detail this as current documentation is lacking)
- If using a Certificate Authority server what kind of certificate do I need to establish the SSL connection to a Domain Controller?
- How do I allow LDAPS on my Domain Controller?
- What Group Policy Configurations may be needed?
- Any other caveats to this?
Now I want to go through a standard process of setting up LDAP-SSL and designate specific points to outside sources for their contributions and help.
Enabling LDAP SSL Requirements
- Stand up a MS Certificate Authority Server (This is to line up with my scenario)
- Issue a Domain Certificate Template on the Certificate Authority specifically for LDAP-SSL. This can be the following noted here: I used the following Subject Name settings specifically Note: the name is just what I used to standardize LDAP SSL for the VCO design
On the root CA export the Root Certificate
- From the MS Root CA server:
- Go to Start > Run > Type MMC
- Go to File > Add/Remove Snap-in
- Add Certificates Click the “>” button
- Choose Local Host for connection
- Expand Certificates > Personal > Click Certificates
- In this repository you will find the Root CA Certificate. You will know this because the Certificate Template is a “Root Certicate”.
- Highlight the certificate and click All Tasks > Export > Next > Next (.DER) > Name and Save > Next > Finish
- Log into VCO and click the Network and then the SSL tab as shown:
- Go to the Import from file options:
- Click the search icon and browse to the location. Click Import. After importing you will the following:
- Common name will only show on VCO is you are using the common name as an option on the SSL certificate like I stated for the domain controller. Most CA Root Certificates import with no issue. I just like to know what certificates I have installed.
- Once you have deployed the LDAP SSL to your Domain Controllers (ALL OF THEM) you than import the root CA (same one the DC’s are signed by) you can now establish an SSL connection with the Domain Controllers
Note: You will have to check enable SSL on the LDAP and on the Active Directory Plug-ins. You will also have to ensure port 389 and 636 are opened between VCO and the Active Directory servers. If you have issues turn off any firewall to alleviate networking being an issue. If the connecting accounts have access and networking connectivity is not an issue you will wonderful green lights on everything.
Connecting with SSL Authentication and why it’s needed
At this point it’s clear this is somewhat straightforward but you need to note that missing any of these steps will result in a broken SSL connection to your domain controllers. By using a ROOT CA this makes things a lot easier. Usually I would just try deploying a trusted signed SSL to my appliance but in my case that feature of VCO was actually broken. The real use case behind this is being able to fully automate the Active Directory user creation. To be able to allow VCO to run an Active Directory workflow for creating an Enabled user requires LDAPS. You can create disabled users all day, but when it comes to making them enabled and modifying them you have be granted access. SSL with LDAP ensures this handshake with Active Directory is solid and that you can connect securely. However, this is only a small part of the puzzle. We will now cover the users.
At first you will need 3 users or 2. There are some things that are unclear noted in the following PDF paper from VMware: http://www.vmware.com/pdf/ad_plugin_10_users_guide.pdf
I will say that it is a good starting point for using Active Directory but note that you cannot do any real workflows without settings up SSL securely when working with Active Directory. VMware doesn’t really address this solid in my opinion and really there is a lot of fragmentation out there. Another good resource was this white paper as well: http://communities.vmware.com/docs/DOC-13959
I was still left with trying to figure some things out…
My suggestion when setting up the accounts
So in total from my standpoint when setting up VCO with AD (Active Directory) Access you will need 3 separate accounts.
- One for the LDAPS connection
- One for the primary connection to AD
- One for the “Shared” session for AD
My assumption is that VCO uses the following accounts for specific task and from a security standpoint it may not be ideal to use a single account for two functions especially when talking to AD. VCO essentially uses java to do fancy API calls to Active Directory. The LDAP Account specified in the LDAP configuration is used for authentication and connection for the LDAPS functions (though this is poorly documented by VMware it’s my assumption). The Accounts used in the AD Plug-in are beyond me from a purpose standpoint. I know for certain one is used for accessing AD and making changes but I am not sure about the point of the “Shared” session and what its implications are. I would like more visibility on this…
If you are having issues…
I would not be surprised if this happens to you… so I would recommend the following for troubleshooting:
So if your lights will not go green for connecting on SSL check the following:
- Trace your steps ensure you have the CA Root SSL on your VCO appliance
- Ensure you have the LDAP SSL deployed to your AD servers for LDAP auth.
- Ensure the VCO user account in LDAP is able to access and connect to AD. You can test by configuring SSL on the appliance and if you get all green lights that is a good sign connectivity it working.
- A second test could be to log on with the VCO user account and ensuring you browse AD.
- On the LDAP button there is a “test login” tab. Do a test login but ensure the user is a member of the group you specify in vCO admin group you set up VCO to point to for access.
- Make sure ports 389 and 636 are open from VCO to the LDAP servers (AD in this case)
- Upate 1: you can check for GPO signing as documented here: (This link tells you how to enable it but it is the same way to put it to no signing. Ideally GPO is best applied through a more granular means other then the default domain policy. You can create a specific GPO tied to a OU that contains your domain controllers and apply it there instead.)
So Chad, my appliance is connected on SSL but my workflows break dude… I get an error like this:
Unable to create a new user: InternalError: Failed to create user account… [LDAP: error code 50 – 00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0 ] (Dynamic Script Module name : createUserWithPassword#6) (Dynamic Script Module name : createUserWithPassword#9)
This one can stink so my suggestion is the following:
- Make sure your VCO user accounts have proper permissions in Active Directory.
- You can do further testing (if you don’t have the ability to do the following) by using another LDAP tool like LDAP administrator. You can set it up exactly as you would VCO and even use the VCO service account to prove it.
- The easy way would be: Create a new user apart of no groups, Make it a domain admin only, Add it to the vco admin group, configure VCO for that account. (Note: Its important to ensure the VCO admin group is not restricted in any way through a delegation of permissions. I found this issue when someone else created the account and although it had domain permissions it was restricted)
Run your workflows after trying some of those and that should be able take care of you. One consideration I have to make clear is that the VCO accounts that access AD need to be set up with some sort of delegated permissions in their own group. Since you have to use two it would make since to have this group with delegated AD functions related to what the workflows need to be able to do. I do this today for specific use-case accounts in our environments. This is also known as Role Based Access Control (RBAC). I will cover that in another article but I want to bring some attention to VCO and some of my challenges with it. I hope this is helpful to someone out there.
Make it known:
- Click to share on Google+ (Opens in new window)
- Share on Facebook (Opens in new window)
- Click to share on Tumblr (Opens in new window)
- Click to share on Pinterest (Opens in new window)
- Click to share on Twitter (Opens in new window)
- Click to print (Opens in new window)
- Click to email (Opens in new window)
- Click to share on Reddit (Opens in new window)