Two years ago, I wrote a similar article around vCAC’s embedded vCO but a lot has changed since then so those older steps no longer apply. This brief article will quickly walk you through the steps required to allow vRealize Automation 7.0/7.1/7.2’s embedded vRealize Orchestrator to allow Active Directory Domain accounts login to the vRO Client.
This article assumes the following:
- vRealize Automation 7.0-7.2 is installed and configured (NOTE: This has not been tested with 7.3!)
- vRealize Orchestrator (embedded) is configured to use vRealize Automation as Authentication source
- At least one Active Directory domain has been configured in vRA (Administration -> Directories Management -> Directories)
Although the vRA vIDM instance already contains a vcoadmins group by default with the
email@example.com account as a member, there is not an obvious way (that I’ve found) to modify the group membership. As a result of this, we must first create a new group that we can manage. This can be done as follows:
- Log in to vRA as a Tenant Admin (in this instances, we are using the cloudadmin account)
- Go to Administration -> Users & Groups -> Custom Groups; Click on + New to create a New Group (not shown)
- Give the group a name (here, we are using adminsvro) and optionally a Description
- Click Next
Custom Group - Members
On the Members tab,
- Use the Search box to search for and select the desired group members. In this case, I want:
- Group Members
- Click Finish when done
Update vRO Configuration
- Now, go to your vRO Control Center (NOTE: You may need to start the vco-configurator service on your vRA appliance if it is not already running)
- Log in using root and the root password of your vRA appliance.
- Click on the Configure Authentication Provider button
- Set vsphere.local\adminsvro as the Admin group (or the Custom Group you created in the earlier step)
- Click Save Changes
- Now restart your vRO Server Service
vRO Client Log In
Launch the vRO Client and log in as a member of the group specified. In this case, I am using
As you can see, I am now able to log in to the vRO Client with a Domain Account rather than only the
firstname.lastname@example.org account !!
Thanks to @SteveSchofield for prompting me to look into this!