Authors: Michael A. Haines, Prasenjit Sarkar
There have been a few instances, while working with various customers, where I have been asked whether NSX for vSphere Manager can work with, and is supported with, multiple (three in this particular case) Active Directory domains. Firstly, it should be noted that NSX for vSphere Manager depends on the vCenter Server SSO implementation, as it has no local AAA and no local users beyond the administrator account.
So the good news is that we can, and have tested, support for multiple Active Directory domains. Here you would use Integrated Windows Authentication for trusted domains, and Active Directory over the LDAPv3 protocol for non-trusted Active Directory domains.
It is worth noting that large Active Directory environments can be somewhat problematic with this type of connection! But this brings up another interesting question: in the NSX for vSphere Manager Appliance UI you can only set one Active Directory domain, so how do you set more than one, as in the case above?
Well, you need to add each additional domain as an identity source, for example as an LDAP / Active Directory Server, from the SSO Configuration page -> Identity Sources.
Note that in vSphere v5.5 the Active Directory “Identity Source” is not added automatically, so you will need to add Active Directory as a source before you can authenticate with domain-based accounts. More information on adding Identity Sources can be found in the VMware vSphere 5.5 Documentation -> ESXi and vCenter Server 5.5 Documentation -> vSphere Security -> vSphere Authentication with vCenter Single Sign-On -> Configuring vCenter Single Sign-On (http://goo.gl/wjb9Gu).
Note: The above is the URL to the Identity Sources for vCenter Server with vCenter Single Sign-On Documentation.
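The following is an added example (not part of the original post) that models the rule above as a small planning and sanity check: trusted domains get an Integrated Windows Authentication source, non-trusted domains get an Active Directory over LDAPv3 source, and the LDAP URLs are checked for a host and for ldaps:// before anyone types them into the SSO admin UI. The domain names, URLs and DNs are constructed placeholders.

```python
"""Plan and sanity-check vCenter SSO identity sources for several AD domains."""
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass
class Domain:
    name: str           # DNS name of the AD domain (constructed placeholders below)
    trusted: bool       # whether the SSO server's own domain trusts this one
    ldap_url: str = ""  # only needed for non-trusted domains (AD over LDAPv3)


def plan_identity_source(d: Domain) -> dict:
    """Pick the identity source type the post describes for this domain."""
    if d.trusted:
        return {"domain": d.name, "type": "Integrated Windows Authentication"}
    # Non-trusted: add the domain as an LDAPv3 source; derive the base DN
    # from the DNS name (corp.example -> DC=corp,DC=example).
    base_dn = ",".join(f"DC={label}" for label in d.name.lower().split("."))
    return {"domain": d.name, "type": "Active Directory as an LDAP Server",
            "url": d.ldap_url, "base_dn": base_dn}


def check_plan(sources: list) -> list:
    """Return a list of problems to fix before touching the SSO admin UI."""
    problems, seen = [], set()
    for s in sources:
        key = s["domain"].lower()
        if key in seen:
            problems.append(f"{s['domain']}: duplicate identity source")
        seen.add(key)
        if s["type"] == "Active Directory as an LDAP Server":
            u = urlparse(s["url"])
            if not u.hostname:
                problems.append(f"{s['domain']}: LDAP URL has no host")
            elif u.scheme != "ldaps":
                # A plain ldap:// simple bind sends the bind password unencrypted.
                problems.append(f"{s['domain']}: use ldaps://, not {u.scheme}://")
    return problems


if __name__ == "__main__":
    # Constructed sample: one trusted domain and two non-trusted domains.
    domains = [Domain("corp.example", True),
               Domain("partner.example", False, "ldaps://dc1.partner.example:636"),
               Domain("legacy.example", False, "ldap://dc1.legacy.example")]
    plan = [plan_identity_source(d) for d in domains]
    for src in plan:
        print(src)
    print("problems:", check_plan(plan))
```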
Also see the following if adding an Active Directory identity source in vCenter Server Single Sign-On v5.5 fails: (http://goo.gl/BQigF5)
Note: The above is the URL to VMware’s Knowledge Base article on this particular potential issue.