How to Configure vRA's Embedded vRO to Allow Domain Account Login

Two years ago, I wrote a similar article about vCAC's embedded vCO, but a lot has changed since then, so those older steps no longer apply. This brief article walks you through the steps required to let Active Directory domain accounts log in to the vRO Client of vRealize Automation 7.x's embedded vRealize Orchestrator.

 

Pre-Requisites

This article assumes the following:

  • vRealize Automation 7.x is installed and configured
  • vRealize Orchestrator (embedded) is configured to use vRealize Automation as its authentication source
  • At least one Active Directory domain has been configured in vRA (Administration -> Directories Management -> Directories)

Custom Group

custom_group.png

Although the vRA vIDM instance already contains a vcoadmins group by default with the [email address hidden] account as a member, there is no obvious way (that I've found) to modify the group membership. As a result, we must first create a new group that we can manage. This can be done as follows:

  1. Log in to vRA as a Tenant Admin (in this instance, we are using the cloudadmin account)
  2. Go to Administration -> Users & Groups -> Custom Groups; Click on + New to create a New Group (not shown)
  3. Give the group a name (here, we are using adminsvro) and optionally a Description
  4. Click Next

Custom Group - Members

custom_group_-_members.png

On the Members tab:

  1. Use the Search box to search for and select the desired group members.
  2. Check the selection under Group Members. In this case, I want:
       • [email address hidden]
       • Domain [email address hidden]
  3. Click Finish when done

Update vRO Configuration

update_vro_configuration.png

  • Now, go to your vRO Control Center (NOTE: You may need to start the vco-configurator service on your vRA appliance if it is not already running)
  • Log in using root and the root password of your vRA appliance.
  • Click on the Configure Authentication Provider button
  • Set vsphere.local\adminsvro as the Admin group (or the Custom Group you created in the earlier step)
  • Click Save Changes
  • Now restart your vRO Server Service

vRO Client Log In

vro_client_log_in.png

Launch the vRO Client and log in as a member of the group specified. In this case, I am using [email address hidden].

Success!

success_.png

As you can see, I am now able to log in to the vRO Client with a Domain Account rather than only the [email address hidden] account!

Thanks to @SteveSchofield for prompting me to look into this!

Comments  

0 #2 VAMSHI MEDA 2017-03-11 16:13
I have a similar config with vRA 7.2 load balanced using the integrated vRO. I am unable to change the authentication from the default tenant.

I get the error below when I tried to add a domain account as admins

Pivotal tc Runtime 3.2.0.RELEASE/8 .5.4.B.RELEASE - Error report
HTTP Status 400 -
type Status report
0 #1 burke 2016-10-28 17:27
Quoting Steve-Schofield2:
Can you confirm you would need to update the Admin Group on both nodes? I'm running a medium install of vRA and using embedded vROs; most things replicate, this apparently didn't, and I manually set it up.

I would expect that the authentication mechanism would need to be done manually on each node. At this time, I haven't spent any time with vRO 7.x in a cluster.
