This article continues from the previous article.
Edit the vCenter Single Sign-On Token Policy
The vCenter Single Sign-On token policy specifies the clock tolerance, the renewal count, and other token attributes. You can edit the vCenter Single Sign-On token policy so that the token specification complies with your company's security standards.
Procedure
1. Log in to the vSphere Web Client.
2. Select Management > Single Sign-On, then select Configuration.
3. Click the Policy tab, then select Token Policy.
The vSphere Web Client displays the current configuration settings. If you do not modify the default settings, vCenter Single Sign-On uses these settings.
4. Edit the token policy configuration parameters.
Option: description
Clock tolerance: the time difference, in milliseconds, that vCenter Single Sign-On tolerates between the client clock and the domain controller clock. If the time difference is greater than the specified value, vCenter Single Sign-On declares the token invalid.
Maximum token renewal count: the maximum number of times a token can be renewed. After the maximum number of renewal attempts is exceeded, a new security token is required.
Maximum token delegation count: holder-of-key tokens can be delegated to services in the vSphere environment. A service that uses a delegated token performs the service on behalf of the principal that provided the token. A token request specifies a DelegateTo identity; the DelegateTo value can be a solution token or a reference to a solution token. This value specifies how many times a single holder-of-key token can be delegated.
Maximum bearer token lifetime: the maximum lifetime of a bearer token. A bearer token provides authentication based only on possession of the token and can be used only in a single operation. A bearer token does not verify the identity of the user or entity that sends the request. This value specifies the lifetime of a bearer token before it must be reissued.
Maximum holder-of-key token lifetime: the maximum lifetime of a holder-of-key token. A holder-of-key token provides authentication based on a security artifact embedded in the token. Holder-of-key tokens can be used for delegation: a client can obtain a holder-of-key token and delegate it to another entity. The token contains claims that identify the originator and the delegate. In the vSphere environment, vCenter Server obtains delegated tokens on behalf of the user and uses them to perform operations. This value determines the lifetime of a holder-of-key token before it is marked invalid.
5. Click OK.
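To make the effect of the five settings concrete, here is an added Python model (not VMware's code and not part of the original article) of a token check driven by a policy object whose fields follow the Token Policy tab above. The Token structure, the default values, the scenario data and the order of the checks are constructed assumptions for illustration; the point is to show how clock tolerance widens the validity window, how bearer and holder-of-key tokens get different lifetime caps, and where the renewal and delegation counters bite.

```python
"""Model of how the five Token Policy settings gate a token.

Added example, not VMware's code: the TokenPolicy fields follow the Token
Policy tab in the article, while the Token structure, default values and
check order are a simplified model constructed for illustration.
"""
from dataclasses import dataclass, field, replace
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass
class TokenPolicy:
    clock_tolerance_ms: int = 600_000                      # constructed default: 10 minutes
    max_renewal_count: int = 10
    max_delegation_count: int = 10
    max_bearer_lifetime: timedelta = timedelta(minutes=5)
    max_hok_lifetime: timedelta = timedelta(hours=1)


@dataclass
class Token:
    kind: str                          # "bearer" or "holder-of-key"
    issued_at: datetime
    not_before: datetime
    not_on_or_after: datetime
    renewal_count: int = 0
    delegation_chain: List[str] = field(default_factory=list)  # DelegateTo identities
    used: bool = False                 # a bearer token covers a single operation


def check_token(token: Token, policy: TokenPolicy, now: datetime) -> Optional[str]:
    """Return None if the token passes the policy, otherwise the rejection reason."""
    tolerance = timedelta(milliseconds=policy.clock_tolerance_ms)
    # Clock tolerance widens the validity window by the allowed skew on both ends.
    if now < token.not_before - tolerance:
        return "token not yet valid: clock skew exceeds clock tolerance"
    if now >= token.not_on_or_after + tolerance:
        return "token expired: beyond lifetime plus clock tolerance"
    lifetime = token.not_on_or_after - token.issued_at
    if token.kind == "bearer":
        # Possession alone authenticates, so bearer tokens are short-lived and single-use.
        if lifetime > policy.max_bearer_lifetime:
            return "bearer token lifetime exceeds policy maximum"
        if token.used:
            return "bearer token already used; it covers one operation only"
        if token.delegation_chain:
            return "bearer tokens cannot be delegated"
    elif token.kind == "holder-of-key":
        if lifetime > policy.max_hok_lifetime:
            return "holder-of-key token lifetime exceeds policy maximum"
        if len(token.delegation_chain) > policy.max_delegation_count:
            return "delegation count exceeds policy maximum"
    else:
        return f"unknown token kind {token.kind!r}"
    if token.renewal_count > policy.max_renewal_count:
        return "renewal count exceeded; a new security token is required"
    return None


def demo_scenarios() -> Dict[str, Optional[str]]:
    """Constructed scenarios showing which setting rejects which token."""
    policy = TokenPolicy()
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)   # constructed issue time
    hok = Token("holder-of-key", t0, t0, t0 + timedelta(minutes=30))
    bearer = Token("bearer", t0, t0, t0 + timedelta(minutes=3))
    return {
        "hok_in_window": check_token(hok, policy, t0 + timedelta(minutes=10)),
        "hok_skew_within_tolerance": check_token(hok, policy, t0 - timedelta(minutes=9)),
        "hok_skew_beyond_tolerance": check_token(hok, policy, t0 - timedelta(minutes=11)),
        "hok_expired": check_token(hok, policy, t0 + timedelta(minutes=41)),
        "hok_too_many_delegations": check_token(
            replace(hok, delegation_chain=[f"svc{i}" for i in range(11)]), policy, t0),
        "hok_too_many_renewals": check_token(replace(hok, renewal_count=11), policy, t0),
        "bearer_fresh": check_token(bearer, policy, t0),
        "bearer_reused": check_token(replace(bearer, used=True), policy, t0),
        "bearer_too_long": check_token(
            replace(bearer, not_on_or_after=t0 + timedelta(minutes=10)), policy, t0),
    }


if __name__ == "__main__":
    for name, result in demo_scenarios().items():
        print(f"{name:28} {result or 'accepted'}")
```

Running the module prints one line per scenario. Note that a generous clock tolerance is effectively extra token lifetime on both ends, which is why tightening it is usually the first change when aligning the policy with a company standard.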
vCenter Single Sign-On Identity Sources for vCenter Server
Identity sources let you attach one or more domains to vCenter Single Sign-On. A domain is a repository of users and groups that the vCenter Single Sign-On server can use for user authentication.
An identity source is a collection of user and group data. User and group data are stored in Active Directory, in OpenLDAP, or locally in the operating system of the machine on which vCenter Single Sign-On is installed. After installation, every instance of vCenter Single Sign-On has the system identity source vsphere.local. This identity source is internal to vCenter Single Sign-On.
vCenter Single Sign-On administrators can create vCenter Single Sign-On users and groups.
Identity source types
Versions earlier than vCenter Server 5.1 supported Active Directory and local operating system users as user repositories, so local operating system users could always authenticate to the vCenter Server system. vCenter Server 5.1 and 5.5 use vCenter Single Sign-On for authentication.
vCenter Single Sign-On 5.5 can use the following types of user repositories as identity sources, but only one default identity source is supported.
Active Directory version 2003 and later. vCenter Single Sign-On allows you to specify a single Active Directory domain as the identity source. This domain can contain child domains or be the root domain of the forest. It is displayed as Active Directory (Integrated Windows Authentication) in the vSphere Web Client.
Active Directory over LDAP. vCenter Single Sign-On supports multiple Active Directory over LDAP identity sources. This source type is included for compatibility with the vCenter Single Sign-On service that shipped with vSphere 5.1. It is displayed as Active Directory as an LDAP Server in the vSphere Web Client.
OpenLDAP version 2.4 and later. vCenter Single Sign-On supports multiple OpenLDAP identity sources. It is displayed as OpenLDAP in the vSphere Web Client.
Local operating system users. Local operating system users are the local users of the operating system on which the vCenter Single Sign-On server runs. The local operating system identity source exists only in basic vCenter Single Sign-On server deployments and is not available in deployments with multiple vCenter Single Sign-On instances. Only one local operating system identity source is allowed. It is displayed as localos in the vSphere Web Client.
vCenter Single Sign-On system users. Each time you install vCenter Single Sign-On, a system identity source named vsphere.local is created. It is displayed as vsphere.local in the vSphere Web Client.
Note: Only one default domain exists at any time. A user from a non-default domain must include the domain name (DOMAIN\user) to authenticate.
Set the Default vCenter Single Sign-On Domain
Procedure
1. Log in to the vSphere Web Client as [email protected] or as another user with vCenter Single Sign-On administrator privileges.
2. Browse to Management > Single Sign-On > Configuration.
3. On the Identity Sources tab, select an identity source and click the Set as Default Domain icon. In the domain display, the default domain shows (default) in the Domain column.
Add a vCenter Single Sign-On Identity Source
You can log in to vCenter Server only if you are in a domain that has been added as a vCenter Single Sign-On identity source. vCenter Single Sign-On administrators can add identity sources from the vSphere Web Client.
An identity source can be a native Active Directory (Integrated Windows Authentication) domain or an OpenLDAP directory service. For backward compatibility, Active Directory as an LDAP server is also available.
After installation, the following default identity sources and users are available immediately:
localos: all local operating system users. These users can be granted vCenter Server permissions. If you are upgrading, users who already have permissions keep them.
vsphere.local: contains the vCenter Single Sign-On internal users.
Procedure
1. Log in to the vSphere Web Client as [email protected] or as another user with vCenter Single Sign-On administrator privileges.
2. Browse to Management > Single Sign-On > Configuration.
3. On the Identity Sources tab, click the Add Identity Source icon.
4. Select the identity source type and enter the identity source settings.
5. If you are configuring an Active Directory as an LDAP server or OpenLDAP identity source, click Test Connection to make sure you can connect to the identity source.
6. Click OK.
Note: When an identity source is added, all of its users can authenticate but have no access permissions. A user with the vCenter Server Modify.permissions privilege can assign permissions to users or groups so that they can log in to vCenter Server. I will describe how to assign permissions to users in a later article.
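The note above and the earlier note on the default domain (a bare user name is looked up in the default domain; everyone else must log in as DOMAIN\user) describe two separate gates: which identity source a login name is resolved against, and whether the authenticated principal has any permissions at all. The following Python model is an added example, not VMware's code and not part of this article; the domains, accounts, passwords and the privilege name System.View are all constructed for illustration, and the in-memory user dictionaries stand in for the directory that the real SSO server binds to.

```python
"""Model of how vCenter Single Sign-On picks an identity source for a login name
and why a freshly added identity source lets users authenticate without giving
them any access. Added example, not VMware's code; the domains, accounts and
privilege names below are constructed for illustration.
"""
import hmac
from typing import Dict, Optional, Set, Tuple


class IdentitySources:
    """Configured identity sources with exactly one default domain."""

    def __init__(self, sources: Dict[str, Dict[str, str]], default_domain: str):
        # domain -> {user: password}; stands in for the directory the SSO server binds to
        self._sources = {d.lower(): users for d, users in sources.items()}
        self.default_domain = ""
        self.set_default_domain(default_domain)

    def set_default_domain(self, domain: str) -> None:
        # Mirrors the "Set as Default Domain" action: the previous default is replaced.
        if domain.lower() not in self._sources:
            raise ValueError(f"{domain} is not a configured identity source")
        self.default_domain = domain.lower()

    def resolve(self, login: str) -> Tuple[str, str]:
        """Split a login name into (domain, user); bare names use the default domain."""
        if "\\" in login:
            domain, user = login.split("\\", 1)
        elif "@" in login:
            user, domain = login.rsplit("@", 1)
        else:
            return self.default_domain, login
        return domain.lower(), user

    def authenticate(self, login: str, password: str) -> Optional[str]:
        """Return the principal as 'domain\\user' on success, None on failure."""
        domain, user = self.resolve(login)
        users = self._sources.get(domain)
        if users is None or user not in users:
            return None  # domain not added as an identity source, or unknown user
        if not hmac.compare_digest(users[user].encode(), password.encode()):
            return None
        return f"{domain}\\{user}"


class VCenterAccess:
    """Authentication via identity sources, then a separate permission check."""

    def __init__(self, sources: IdentitySources):
        self.sources = sources
        self.permissions: Dict[str, Set[str]] = {}  # principal -> assigned privileges

    def assign(self, principal: str, privilege: str) -> None:
        # What a holder of the Modify.permissions privilege does for a user or group.
        self.permissions.setdefault(principal.lower(), set()).add(privilege)

    def login(self, login: str, password: str) -> str:
        principal = self.sources.authenticate(login, password)
        if principal is None:
            return "authentication failed"
        if not self.permissions.get(principal.lower()):
            # Authenticated against the identity source, but nothing was assigned yet.
            return f"{principal}: authenticated, no access"
        return f"{principal}: logged in"


def demo() -> Dict[str, str]:
    """Constructed walk-through; every domain, user and password is made up."""
    sources = IdentitySources(
        {
            "vsphere.local": {"administrator": "pw-admin"},
            "CORP": {"alice": "pw-alice"},
            "localos": {"root": "pw-root"},
        },
        default_domain="vsphere.local",
    )
    vc = VCenterAccess(sources)
    vc.assign("vsphere.local\\administrator", "System.View")
    out = {
        "admin_bare_name": vc.login("administrator", "pw-admin"),
        "alice_bare_name": vc.login("alice", "pw-alice"),        # looked up in default domain
        "alice_domain_prefix": vc.login("CORP\\alice", "pw-alice"),
        "alice_upn": vc.login("alice@corp", "pw-alice"),
        "unconfigured_domain": vc.login("OTHER\\bob", "pw-bob"),
    }
    vc.assign("corp\\alice", "System.View")   # permission assigned after the source was added
    out["alice_after_permission"] = vc.login("CORP\\alice", "pw-alice")
    sources.set_default_domain("CORP")        # only one default domain at any time
    out["alice_bare_name_new_default"] = vc.login("alice", "pw-alice")
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:28} {result}")
```

The walk-through shows the three outcomes an administrator sees in practice: a bare user name from a non-default domain fails outright, a correctly qualified user from a newly added source authenticates but gets no access until a permission is assigned, and changing the default domain changes which source bare names resolve against.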
Edit a vCenter Single Sign-On Identity Source
vSphere users are defined in an identity source. You can edit the details of an identity source associated with vCenter Single Sign-On.
Procedure
1. Log in to the vSphere Web Client as [email protected] or as another user with vCenter Single Sign-On administrator privileges.
2. Browse to Management > Single Sign-On > Configuration.
3. Click the Identity Sources tab.
4. Right-click the identity source in the table and select Edit Identity Source.
5. Edit the identity source settings. The available options depend on the type of the selected identity source.
Option: description
Active Directory (Integrated Windows Authentication): use this option for native Active Directory implementations.
Active Directory as an LDAP Server: this option is available for backward compatibility. It requires you to specify the domain controller and other information.
OpenLDAP: use this option for an OpenLDAP identity source.
LocalOS: use this option to add the local operating system as an identity source. You are prompted only for the name of the local operating system. If you select this option, all users on the specified machine are visible to vCenter Single Sign-On, even if those users are not part of another domain.
6. Click Test Connection to make sure you can connect to the identity source.
7. Click OK.
This article is from the "Cloud Computing Nest" blog; please keep this source: http://leegh.blog.51cto.com/8764149/1546626
Configuring vcenter Single Sign-on