How To Configure vCAC's Embedded vCO To Allow Domain Account Login

If you're reading this article, it may be because you have installed vCloud Automation Center (vCAC) and are interested in using an account other than [e-mail address hidden] to log in to the embedded vCenter Orchestrator (vCO) server. By default, the vCO Server uses a "vcoadmins" group in the "vsphere.local" domain provided by the SSO server that vCAC was configured to use. This short tutorial steps through a basic configuration in which I have just deployed a vCAC 6.x appliance and wish to use my domain account for vCO login.
NOTE: Article updated Jan 26, 2015

Prepare Active Directory

This article assumes the use of Active Directory, since we are attempting to allow a domain account to log in to the vCO client. As such, we need a group for our vCO Administrators.

  • Create a vCO Administrators group (vcoadministrators for example) in Active Directory
  • Add the domain accounts that you wish to allow to log in to vCO

Once an AD group has been defined for this use, that group needs to be added to your SSO server's [e-mail address hidden] group.

Log in to the vSphere Web Client using your SSO admin account (by default this will be [e-mail address hidden])

  • Click the Administration link
  • Under "Single Sign-On", click Configuration
  • In the middle pane, click the "Identity Sources" tab and confirm that the domain containing the group you created has been added. If it is not there, add it
  • Under "Single Sign-On", click Users and Groups
  • In the middle pane, click the "Groups" tab and select the "vcoadmins" group (Note: The center column of the groups table should show that the group comes from vsphere.local)
  • In the bottom pane, click the "Add Member" icon (blue person with green + next to it)
  • In the "Add Principals" pop-up window, select your domain added earlier
  • For Users and Group, locate and select your "vcoadministrators" group created at the beginning of this article
  • Click the Add button, then click OK

Now Restart the Orchestrator Server Service

[Screenshot: restart vCenter Orchestrator Server service]

Now that you have reconfigured the group for your vCO Administrators, you must restart the vCO Server Service in order for the changes to be applied:

  1. Click the "Startup Options" tab on the left
  2. Click the "Restart service" link on the right
  3. After a few moments, the "Server is restarted" message should appear on the page

Wait another two minutes or so before attempting to log in using your vCO Client.

Login to vCO Client Using Domain Account

[Screenshot: login to vCO Client using domain account]

As you can see above, I am now able to log in to my vCAC embedded vCO Server using my domain credentials!

Comments  

0 # Ian 2015-02-02 22:54
How do I get onto the SSO of the identity appliance to change these settings? I have an Identity appliance and CAFE for vCAC 6.0. I tried going to port 9443 and digging around 5480 and feel like I'm missing something. This is a separate SSO than my vCenters that I call to do things in. My vCO is pointed at my identity appliance for vCAC. What am I missing here?
0 # burke 2015-01-26 15:49
Quoting JP:
Is that recommended? I have been doing this for quite some time now, but when I noticed this prevents the built-in user for CAFE to access the workflows in vCenter Orchestrator and thus I cannot utilize the Advanced Service Designer until I set the vCO admins group back to vcoadmins vsphere.local.

See error message:

WARN : com.vmware.vcac.platform.rest.RestTemplateIpv6 - GET request for "https://tstctavcacapp01.iteclientsys.local:8281/vco/api/users" resulted in 401 ([0002]User 'cafe-2fa85d24-57e0-4035-a578-9f8b355018e5@vsphere.local' is not authorized!); invoking error handler

Hmm, good catch - I hadn't run into that during the writing of this original article. I have just updated the article to use a more supported method that should not interfere with the cafe user account.
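
As an added example (not part of the original post or comments, and not VMware code): a small Python triage script for the 401 warning quoted above, which separates rejections of the CAFE service account from rejections of other accounts after the vCO admin group has been changed. The patterns are inferred from the single log line on this page; the last two sample lines and their host and user names are constructed.

```python
import re
from collections import Counter

# Shape of the WARN line quoted above: HTTP method, URL, 401, rejected principal.
DENIED = re.compile(
    r'(?P<method>[A-Z]+) request for "(?P<url>https?://[^"]+)" resulted in 401 '
    r"\(\[\d+\]User '(?P<user>[^'@]+)@(?P<domain>[^']+)' is not authorized!\)"
)
# CAFE service account naming as seen in that line: "cafe-" plus a UUID.
CAFE_USER = re.compile(r"^cafe-[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")


def classify(line):
    """Return None for unrelated lines, else a dict describing the rejected call."""
    m = DENIED.search(line)
    if m is None:
        return None
    hit = m.groupdict()
    local = hit["domain"].lower() == "vsphere.local"
    if local and CAFE_USER.match(hit["user"]):
        hit["kind"] = "cafe-service-account"   # vCAC itself is being rejected by vCO
    elif local:
        hit["kind"] = "sso-local-account"
    else:
        hit["kind"] = "directory-account"      # e.g. an AD user outside the admin group
    return hit


def summarize(lines):
    """Count rejected vCO API calls per account kind."""
    return Counter(h["kind"] for h in map(classify, lines) if h)


PREFIX = "WARN : com.vmware.vcac.platform.rest.RestTemplateIpv6 - GET request for "
TAIL = " is not authorized!); invoking error handler"
# First line is the one quoted on this page; the other two are constructed samples.
SAMPLE = [
    PREFIX + '"https://tstctavcacapp01.iteclientsys.local:8281/vco/api/users"'
    + " resulted in 401 ([0002]User "
    + "'cafe-2fa85d24-57e0-4035-a578-9f8b355018e5@vsphere.local'" + TAIL,
    PREFIX + '"https://vco.example.local:8281/vco/api/workflows"'
    + " resulted in 401 ([0002]User 'jdoe@corp.example'" + TAIL,
    "INFO : constructed unrelated line - request completed",
]

if __name__ == "__main__":
    for kind, count in sorted(summarize(SAMPLE).items()):
        print(f"{kind}: {count}")
```

Any "cafe-service-account" hit after changing the vCO admin group indicates the condition JP describes, where vCAC can no longer reach the vCO workflows.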
0 # JP 2015-01-21 00:21
Is that recommended? I have been doing this for quite some time now, but when I noticed this prevents the built-in user for CAFE to access the workflows in vCenter Orchestrator and thus I cannot utilize the Advanced Service Designer until I set the vCO admins group back to vcoadmins vsphere.local.

See error message:

WARN : com.vmware.vcac.platform.rest.RestTemplateIpv6 - GET request for "https://tstctavcacapp01.iteclientsys.local:8281/vco/api/users" resulted in 401 ([0002]User 'cafe-2fa85d24-57e0-4035-a578-9f8b355018e5@vsphere.local' is not authorized!); invoking error handler
0 # Jiju 2014-11-17 16:33
Make sure you add the identity store to the default tenant [vsphere.local] then you should be able to see the AD users and groups in the drop down.
0 # Swaroop 2014-11-07 12:08
Hi, I am facing the same issue as Chris. We have added our domain in the SSO Appliance, no luck though. We want a particular AD group to login to vCO for some purpose. We are using LDAP Authentication mode (Active Directory). We have entered correct details in User and Group search as well. The Search option next to the vCO Admin Group resolves the Group Name. When I test the login of users who are under that group, login fails throwing an error "Cannot find user "xxxxx". user unknown". I am completely clueless about this. Hope to hear your views on this issue.

Cheers!!
0 # razroel 2014-06-05 12:18
Hi Burke,

Just a quick note regarding the vCAC configuration: it's not enough just to set the Active Directory via SSO Appliance, you need to add the native Active Directory to the default tenant in the vCAC tenant management.
0 # burke 2014-04-23 14:58
Quoting Chris B:
Hi, we have the sso appliance configured and setup to talk to our domain. However, when I go to authentication on the config page and to the dropdown, I only see "vsphere.local" domain groups. There are none that begin with our internal domain.

Any ideas?

thanks!

It sounds to me like you did not configure your domain in your SSO appliance.... That must be done in order for vCO to see your domain groups via SSO.
0 # Chris B 2014-04-23 14:55
Hi, we have the sso appliance configured and setup to talk to our domain. However, when I go to authentication on the config page and to the dropdown, I only see "vsphere.local" domain groups. There are none that begin with our internal domain.

Any ideas?

thanks!
