How to Configure vRA's Embedded vRO to Allow Domain Account Login

Two years ago, I wrote a similar article about vCAC's embedded vCO, but a lot has changed since then and those older steps no longer apply. This brief article walks you through the steps required to let Active Directory domain accounts log in to the vRO Client of vRealize Automation 7.0/7.1/7.2's embedded vRealize Orchestrator.

 

Pre-Requisites

This article assumes the following:

  • vRealize Automation 7.0-7.2 is installed and configured (NOTE: This has not been tested with 7.3!)
  • vRealize Orchestrator (embedded) is configured to use vRealize Automation as the authentication source
  • At least one Active Directory domain has been configured in vRA (Administration -> Directories Management -> Directories)

Custom Group

Although the vRA vIDM instance already contains a vcoadmins group by default, with the [email address obscured] account as a member, there is no obvious way (that I've found) to modify its membership. As a result, we must first create a new group that we can manage. This can be done as follows:

  1. Log in to vRA as a Tenant Admin (in this instance, we are using the cloudadmin account)
  2. Go to Administration -> Users & Groups -> Custom Groups; Click on + New to create a New Group (not shown)
  3. Give the group a name (here, we are using adminsvro) and optionally a Description
  4. Click Next

Custom Group - Members

On the Members tab:

  1. Use the Search box to search for and select the desired group members.
  2. Group Members: in this case, I want:
       • [email address obscured]
       • Domain [email address obscured]
  3. Click Finish when done

Update vRO Configuration

  • Now, go to your vRO Control Center (NOTE: You may need to start the vco-configurator service on your vRA appliance if it is not already running)
  • Log in using root and the root password of your vRA appliance.
  • Click on the Configure Authentication Provider button
  • Set vsphere.local\adminsvro as the Admin group (or the Custom Group you created in the earlier step)
  • Click Save Changes
  • Now restart your vRO Server Service

vRO Client Log In

Launch the vRO Client and log in as a member of the group specified. In this case, I am using [email address obscured].

Success!

As you can see, I am now able to log in to the vRO Client with a domain account rather than only the [email address obscured] account!

Thanks to @SteveSchofield for prompting me to look into this!

Comments  

+1 #3 Eric OCallaghan 2017-06-07 22:43
When I try the same procedure with a vRA 7.3 tenant (ABC) and an external vRO 7.3, I get a 400 error. Any ideas?

Exception occurred. Details: Could not read document: Unexpected token (FIELD_NAME), expected END_OBJECT: expected closing END_OBJECT after type information and deserialized value at [Source: java.io.PushbackInputStream@6a22a73a; line: 1, column: 613]; nested exception is com.fasterxml.jackson.databind.JsonMappingException: Unexpected token (FIELD_NAME), expected END_OBJECT: expected closing END_OBJECT after type information and deserialized value at [Source: java.io.PushbackInputStream@6a22a73a; line: 1, column: 613]

0 #2 VAMSHI MEDA 2017-03-11 16:13
I have a similar config with vRA 7.2 load-balanced using the integrated vRO. I am unable to change the authentication from the default tenant.

I get the error below when I tried to add a domain account as admins

Pivotal tc Runtime 3.2.0.RELEASE/8.5.4.B.RELEASE - Error report
HTTP Status 400 -
type Status report

0 #1 burke 2016-10-28 17:27
Quoting Steve-Schofield2:
Can you confirm you would need to update the Admin Group on both nodes? I'm running a medium install of vRA and using embedded vROs; most things replicate, this apparently didn't and I manually set it up.

I would expect that the authentication mechanism would need to be done manually on each node. At this time, I haven't spent any time with vRO 7.x in a cluster.
