To configure unattended authentication (authentication from the vi-admin or root context) to Active Directory targets, you must renew the Kerberos tickets for the domain user that was used to add the target. Unattended authentication is supported for ESXi 4.1 Update 3 and later.
Verify that the Active Directory is set up for unattended log in.
On any Windows Server 2003 computer that is part of the domain to which vMA is added, download and install the Ktpass tool from the Microsoft Web site.
1. Open the command prompt and run the following command:

   ktpass /out foo.keytab /princ [email protected] /pass ca... /ptype KRB5_NT_PRINCIPAL -mapuser <vma-dc>\<foo>

   where vma-dc is the name of the domain and foo is the user that has permissions for vCenter administration.

2. Move the foo.keytab file to /home/local/VMA-DC/foo. You can use WinSCP and log in as user vma-dc\foo to move the file.

3. (Optional) Make sure that the user vma-dc\foo on vMA owns the foo.keytab file by running the following commands:

   ls -l /home/local/VMA-DC/foo/foo.keytab
   chown 'vma-dc\foo' /home/local/VMA-DC/foo/foo.keytab

   where vma-dc is the name of the domain and foo is the user that has permissions for vCenter administration.

4. On vMA, create a script in /etc/cron.hourly/kticket-renew with the following contents:

   #!/bin/sh
   su - vma-dc\\foo -c '/usr/bin/kinit -k -t /home/local/VMA-DC/foo/foo.keytab foo'

   where vma-dc is the name of the domain and foo is the user that has permissions for vCenter administration. This script renews the ticket for the user foo every hour. You can also add the script as a service in /etc/init.d to refresh the tickets when vMA boots.
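A hardened version of the step 4 renewal script, added here as an example and not part of the vMA documentation: it runs the same su/kinit invocation, but refuses to use the keytab unless it is a regular file with mode 0600 (a keytab holds long-term key material, so any other local reader could obtain tickets as foo), confirms the ticket with klist -s, and logs the outcome. The domain, user and keytab path follow the procedure above; the 0600 requirement, the logger call and the run-only-under-installed-name guard are assumptions of this example.

```shell
#!/bin/sh
# Hardened keytab-based ticket renewal for vMA (added example; assumes domain
# VMA-DC, user foo, the keytab path from the procedure, and that logger exists).
KEYTAB='/home/local/VMA-DC/foo/foo.keytab'
PRINCIPAL='foo'
RENEW_USER='vma-dc\foo'

# keytab_is_safe FILE: succeed only if FILE is a regular file whose permission
# bits are exactly rw------- (0600). Ownership is handled by step 3 (chown).
keytab_is_safe() {
    f="$1"
    [ -f "$f" ] || { echo "keytab missing or not a regular file: $f" >&2; return 1; }
    mode=$(ls -ld "$f" | cut -c2-10)   # portable: works without GNU stat
    case "$mode" in
        rw-------) return 0 ;;
        *) echo "keytab $f has mode $mode, expected rw-------" >&2; return 1 ;;
    esac
}

# renew_ticket: check the keytab, then obtain a fresh TGT as the domain user
# (same su/kinit invocation as the documented script) and verify it with klist -s.
renew_ticket() {
    keytab_is_safe "$KEYTAB" || return 1
    if su - "$RENEW_USER" -c "/usr/bin/kinit -k -t '$KEYTAB' '$PRINCIPAL' && klist -s"; then
        logger -t kticket-renew "renewed ticket for $PRINCIPAL"
    else
        logger -t kticket-renew "kinit failed for $PRINCIPAL (keytab $KEYTAB)"
        return 1
    fi
}

# Renew only when run under the installed name (/etc/cron.hourly/kticket-renew);
# under any other name the file just defines the functions, so it can be sourced.
case "${0##*/}" in
    kticket-renew) renew_ticket ;;
esac
```

Install it as /etc/cron.hourly/kticket-renew (mode 0755) in place of the two-line script from step 4; a rejected keytab shows up in syslog under the kticket-renew tag.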