Configure Unattended Authentication for Active Directory Targets
To configure unattended authentication (authentication from the vi-admin or root context) to Active Directory targets, you must renew the Kerberos tickets of the domain user with which the target was added. Unattended authentication is supported for ESXi 4.1 Update 3 and later. You must ensure that Active Directory is set up for unattended log-in.
To configure unattended authentication for Active Directory targets
1.
2. ktpass /out foo.keytab /princ [email protected] /pass ca... /ptype KRB5_NT_PRINCIPAL -mapuser <vma-dc>\<foo>
where <vma-dc> is the domain name and foo is the user that has vCenter administration permissions.
This command creates a file called foo.keytab.
3. Move the foo.keytab file to /home/local/VMA-DC/foo.
You can use WinSCP and log in as user vma-dc\foo to move the file.
4. (Optional) Make sure that the user vma-dc\foo on vMA owns the foo.keytab file by using the following commands:
ls -l /home/local/VMA-DC/foo/foo.keytab
chown 'vma-dc\foo' /home/local/VMA-DC/foo/foo.keytab
5. On vMA, create a script in /etc/cron.hourly/kticket-renew with the following contents:
#!/bin/sh
su - vma-dc\\foo -c '/usr/bin/kinit -k -t /home/local/VMA-DC/foo/foo.keytab foo'
This script renews the ticket for the user foo every hour.
You can also add the above script to a service in /etc/init.d to refresh the tickets when vMA is booted.
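The keytab produced in step 2 is equivalent to the account's password, so the ownership check in step 4 is only half of the story: the file should also be readable by nobody but that user (mode 0600). The following script is an added example, not from the vMA documentation, that extends the hourly renewal script above with that check and with logging of the outcome. It assumes the names from the procedure (principal foo, keytab /home/local/VMA-DC/foo/foo.keytab, owner vma-dc\foo, script name kticket-renew) and that logger, su, kinit and klist are present on vMA as they are for the original script.

```shell
#!/bin/sh
# Hardened hourly ticket-renewal script (added example; hypothetical file
# /etc/cron.hourly/kticket-renew). All names below are assumptions taken
# from the procedure above.
PRINCIPAL="foo"
KEYTAB="/home/local/VMA-DC/foo/foo.keytab"
OWNER='vma-dc\foo'
LOG_TAG="kticket-renew"

# Write to syslog; fall back to stderr when logger is unavailable.
log() { logger -t "$LOG_TAG" "$*" 2>/dev/null || echo "$LOG_TAG: $*" >&2; }

# keytab_is_private <path> <expected-owner>
# Returns 0 only when the file exists, is owned by <expected-owner> and is
# readable by nobody else (mode -rw-------). A keytab holds a password-
# equivalent key, so any wider permission means the key may already be copied.
keytab_is_private() {
  [ -f "$1" ] || return 1
  set -- "$1" "$2" $(ls -ld "$1")   # now $3 = mode, $5 = owner (ls -l layout)
  mode=${3%[.+@]}                   # drop trailing ACL/SELinux/xattr marker
  [ "$mode" = "-rw-------" ] && [ "$5" = "$2" ]
}

# renew_ticket <principal> <keytab> <owner>
# Refuses to use an over-exposed keytab; otherwise obtains a fresh TGT in the
# domain user's context (cron.hourly runs as root, but the ticket cache must
# belong to the user, as in the original su-based script) and confirms with
# klist -s that a valid ticket is now cached.
renew_ticket() {
  if ! keytab_is_private "$2" "$3"; then
    log "refusing to use $2: expected owner $3 and mode 0600 (chown '$3' $2; chmod 600 $2)"
    return 1
  fi
  if su - "$3" -c "/usr/bin/kinit -k -t '$2' '$1' && /usr/bin/klist -s"; then
    log "renewed Kerberos ticket for $1"
  else
    log "ticket renewal failed for $1: check DNS, clock skew and that the keytab matches the account"
    return 1
  fi
}

# Act only when installed and run under the cron script name; sourcing the
# file (for tests or interactive use) just defines the functions above.
case "$(basename "$0")" in
  kticket-renew) renew_ticket "$PRINCIPAL" "$KEYTAB" "$OWNER" ;;
esac
```

Install it as /etc/cron.hourly/kticket-renew with mode 755, run it once by hand and then look for the kticket-renew tag in syslog: a refusal message means the keytab's owner or mode is wrong, a kinit failure usually points at DNS, time skew between vMA and the domain controller, or a keytab that no longer matches the account (for example after a password reset, which requires running ktpass again).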
Troubleshooting Unattended Authentication
If you cannot authenticate from vMA or cannot add vMA to the domain controller, verify the following conditions:
The command vifp listservers shows the name of the vCenter server as an FQDN whose suffix is the domain to which vMA was added.