08 Building Webster’s Lab – Additional vCenter Configuration

    September 18, 2019

    Blog, VMware

    Before getting to work adding Citrix Virtual Apps and Desktops (CVAD), Parallels RAS, and VMware Horizon to the lab, there are a few additional items on the to-do list for vCenter.

    1. Join vCenter to the lab’s Active Directory (AD) domain
    2. Add the lab’s AD to the SSO
    3. Create a Citrix related service account with minimum VMware permissions for the hosting connection in Citrix Studio and with Citrix App Layering
    4. Create a VMware related service account with minimum vCenter permissions for Horizon

    Log in to vCenter.

    From the Menu dropdown, select Administration, as shown in Figure 1.

    Figure 1

    Click Configuration, Active Directory Domain, and click Join AD, as shown in Figure 2.

    Figure 2

    Enter the Domain, a Username/Password, and click JOIN, as shown in Figure 3.

    Figure 3

    The vCenter appliance is now a domain member but needs a restart.

    From the Menu dropdown, select VMs and Templates, as shown in Figure 4.

    Figure 4

    Expand the cluster, right-click the vCenter VM, click Power, and click Restart Guest OS, as shown in Figure 5.

    Figure 5

    Click Yes to confirm the restart, as shown in Figure 6.

    Figure 6

Wait about 10 minutes before trying to log in to vCenter. At this point, you must use the administrator vCenter account to log in. Even though we joined vCenter to the AD domain, the AD domain isn’t a Single Sign-On domain yet.

    Once you have logged on to vCenter, go back to Administration/Single Sign On/Configuration, as shown in Figure 7.

    Figure 7

    Click Identity Sources and click ADD IDENTITY SOURCE, as shown in Figure 8.

    Figure 8

Select Active Directory (Windows Integrated Authentication) from the Identity source type dropdown, enter the Domain name if it is not already populated, select Use machine account, and click ADD, as shown in Figure 9.

    Figure 9

    The AD domain now shows as an Identity Source, as shown in Figure 10.

    Figure 10

    We are not yet ready to log in to vCenter with AD credentials. First, we must add users and groups from the AD domain to a vCenter security role.

    Click Global Permissions, as shown in Figure 11.

    Figure 11

    Click + (Plus sign) as shown in Figure 12.

    Figure 12

Select the AD domain name from the User dropdown; as you type characters into the next field, matching users and groups appear, as shown in Figure 13.

    Figure 13

Click the user or group you wish to add, select the Role the user or group requires, select Propagate to children, and click OK, as shown in Figure 14.

    Figure 14

    Now we can log in to vCenter with an AD domain account.

Log off vCenter and log in with the AD domain account that was just granted permission, as shown in Figures 15 and 16.

    Figure 15
    Figure 16

    Figure 17 shows a successful login with AD domain credentials.

    Figure 17

Next come the permissions for the service accounts needed for CVAD and Horizon. First up, CVAD.

For my lab, I need a vCenter account to use with both the CVAD Hosting Connection in Citrix Studio and Citrix App Layering.

Citrix details the required permissions in its CVAD VMware virtualization environments and Citrix App Layering VMware vSphere documentation.

    To save time, here are the combined permissions with all the duplicates removed.

    Table 1 vCenter Permissions for CVAD and App Layering

    Datastore > Allocate space
    Datastore > Browse datastore
    Datastore > Low level file operations
    Folder > Create folder
    Folder > Delete folder
    Global > Cancel task
    Global > Manage custom attributes
    Global > Set custom attribute
    Host > Configuration
    Network > Assign network
    Resource > Assign virtual machine to resource pool
    vApp > Export
    vApp > Import
    vApp > vApp application configuration
    Virtual machine > Configuration > Add existing disk
    Virtual machine > Configuration > Add new disk
    Virtual machine > Configuration > Add or remove device
    Virtual machine > Configuration > Advanced (or Advanced Configuration)
    Virtual machine > Configuration > Change CPU Count
    Virtual machine > Configuration > Change resource
    Virtual machine > Configuration > Configure managedBy
    Virtual machine > Configuration > Disk change tracking (For App Layering, but I can’t find it in vCenter 6.7 U3)
    Virtual machine > Configuration > Memory (CVAD and App Layering, but I can’t find it in 6.7 U3)
    Virtual machine > Configuration > Modify Device Settings
    Virtual machine > Configuration > Remove disk
    Virtual machine > Configuration > Rename
    Virtual machine > Configuration > Reset guest information
    Virtual machine > Configuration > Set annotation
    Virtual machine > Configuration > Settings
    Virtual machine > Configuration > Swapfile placement (In 6.7 U3, Change Swapfile placement)
    Virtual machine > Configuration > Upgrade virtual machine compatibility
    Virtual machine > Interaction > Answer question
    Virtual machine > Interaction > Configure CD media
    Virtual machine > Interaction > Console interaction
    Virtual machine > Interaction > Device connection (I can’t find this in 6.7 U3)
    Virtual machine > Interaction > Power Off
    Virtual machine > Interaction > Power On
    Virtual machine > Interaction > Reset
    Virtual machine > Interaction > Suspend
    Virtual machine > Inventory > Create from existing
    Virtual machine > Inventory > Create new
    Virtual machine > Inventory > Register
    Virtual machine > Inventory > Remove
    Virtual machine > Provisioning > Clone template
    Virtual machine > Provisioning > Clone virtual machine
    Virtual machine > Provisioning > Customize (In 6.7 U3, Customize guest)
    Virtual machine > Provisioning > Deploy template
    Virtual machine > Provisioning > Mark as template
    Virtual machine > Snapshot management > Create snapshot
    Virtual machine > Snapshot management > Remove snapshot

    First, I created a regular domain user account in AD, as shown in Figures 18 and 19.

    Figure 18
    Figure 19

    In the vCenter console, go to Menu -> Administration, as shown in Figure 20.

    Figure 20

    Expand Access Control, click Roles, and click the + (Plus sign), as shown in Figure 21.

    Figure 21

    The hard part is going through all the settings in Table 1 and selecting the required permissions, as shown in Figure 22.

    Figure 22

    Continue selecting the required permissions. When all permissions are selected, click Next, as shown in Figure 23.

    Figure 23

    Enter a Role name and an optional Description, click Finish, as shown in Figure 24.

    Figure 24

    Click Global Permissions and click the + (Plus sign), as shown in Figure 25.

    Figure 25

Select your AD domain in the User dropdown, enter the service account name, select the newly created Role, make sure Propagate to children is selected, and click OK, as shown in Figure 26.

    Figure 26

    To test the new service account, launch Citrix Studio, and either create a new Hosting Connection or run through the Site creation wizard (what I am doing), as shown in Figure 27.

    Figure 27

Clicking Next tests whether the service account has the required permissions. If it does not, an error message states “The user does not have the required permissions on the hypervisor”. If the service account was set up correctly in vCenter, the wizard continues to the Storage Management screen, as shown in Figure 28.

    Figure 28

Once creation of the new Hosting Connection or initial Site succeeds, test creating a Machine Catalog to verify that the service account works, as shown in Figures 29 and 30.

    Figure 29
    Figure 30

VMware lists the permissions Horizon requires at Privileges Required for the vCenter Server User.

    Figure 31 shows the required permissions for the VMware Horizon service account.

    Figure 31

    First, I created a regular domain user account in AD, as shown in Figures 32 and 33.

    Figure 32
    Figure 33

    Expand Access Control, click Roles, and click the + (Plus sign), as shown in Figure 34.

    Figure 34

    The hard part is going through all the settings in Figure 31 and selecting the required permissions, as shown in Figure 35.

    Figure 35

    Continue selecting the required permissions. When all permissions are selected, click Next, as shown in Figure 36.

    Figure 36

    Enter a Role name and an optional Description, click Finish, as shown in Figure 37.

    Figure 37

    Click Global Permissions and click the + (Plus sign), as shown in Figure 38.

    Figure 38

Select your AD domain in the User dropdown, enter the service account name, select the newly created Role, make sure Propagate to children is selected, and click OK, as shown in Figure 39.

    Figure 39
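The role-creation and permission-assignment steps are the same for the CVAD account (Table 1, Figures 21 to 26) and the Horizon account (Figure 31, Figures 34 to 39), so here is an added PowerCLI example that scripts them; it is not part of the original post or of any Citrix or VMware tooling. It assumes an open Connect-VIServer session, the placeholder role and account names shown, and my own mapping of Table 1 to vSphere privilege IDs, which should be confirmed against Get-VIPrivilege on your vCenter; it also reports which requested IDs the connected vCenter does not expose, which is what happened with three of the Table 1 entries on 6.7 U3.

```powershell
# Added example (not from the original post): build a least-privilege vCenter
# role from a privilege-ID list, report IDs this vCenter version does not expose
# (the post could not find three of the Table 1 entries in 6.7 U3), and grant the
# AD service account the role at the inventory root with Propagate. Assumes
# VMware PowerCLI with an open Connect-VIServer session; the ID mapping below is
# mine, so confirm it with: Get-VIPrivilege | Select-Object Id, Name

function New-LeastPrivilegeRole {
    param(
        [Parameter(Mandatory)] [string]   $RoleName,
        [Parameter(Mandatory)] [string[]] $PrivilegeId,  # exact IDs or wildcards such as Host.Config.*
        [Parameter(Mandatory)] [string]   $Principal     # 'DOMAIN\svc-account'
    )
    $available = (Get-VIPrivilege).Id
    $present = @(); $missing = @()
    foreach ($p in $PrivilegeId) {
        $hit = $available | Where-Object { $_ -like $p }  # -like is an exact match unless $p has *
        if ($hit) { $present += $hit } else { $missing += $p }
    }
    if ($missing) { Write-Warning "Not on this vCenter, skipped: $($missing -join ', ')" }
    $role = Get-VIRole -Name $RoleName -ErrorAction SilentlyContinue
    if (-not $role) {
        $role = New-VIRole -Name $RoleName -Privilege (Get-VIPrivilege -Id $present)
    }
    # Root folder + Propagate covers this vCenter's whole inventory; a Global
    # Permission spanning linked vCenters is still set in the UI as in Figure 26.
    New-VIPermission -Entity (Get-Folder -NoRecursion) -Principal $Principal `
        -Role $role -Propagate | Out-Null
    return $role
}

# Table 1 (CVAD + App Layering) as privilege IDs; the Horizon list from Figure 31
# goes through the same function with its own IDs.
$cvadIds = @('Datastore.AllocateSpace','Datastore.Browse','Datastore.FileManagement',
  'Folder.Create','Folder.Delete','Global.CancelTask','Global.ManageCustomFields',
  'Global.SetCustomField','Host.Config.*','Network.Assign','Resource.AssignVMToPool',
  'VApp.Export','VApp.Import','VApp.ApplicationConfig') +
  @('AddExistingDisk','AddNewDisk','AddRemoveDevice','AdvancedConfig','CPUCount','Resource',
    'ManagedBy','ChangeTracking','Memory','EditDevice','RemoveDisk','Rename','ResetGuestInfo',
    'Annotation','Settings','SwapPlacement','UpgradeVirtualHardware' |
    ForEach-Object { "VirtualMachine.Config.$_" }) +
  @('AnswerQuestion','SetCDMedia','ConsoleInteract','DeviceConnection','PowerOff','PowerOn',
    'Reset','Suspend' | ForEach-Object { "VirtualMachine.Interact.$_" }) +
  @('CreateFromExisting','Create','Register','Delete' | ForEach-Object { "VirtualMachine.Inventory.$_" }) +
  @('CloneTemplate','Clone','Customize','DeployTemplate','MarkAsTemplate' |
    ForEach-Object { "VirtualMachine.Provisioning.$_" }) +
  @('VirtualMachine.State.CreateSnapshot','VirtualMachine.State.RemoveSnapshot')

$role = New-LeastPrivilegeRole -RoleName 'Citrix CVAD Service' -PrivilegeId $cvadIds -Principal 'LAB\svc-cvad'
Get-VIPermission -Principal 'LAB\svc-cvad' | Select-Object Entity, Role, Propagate  # cross-check before testing in Studio
```

The final Get-VIPermission line shows exactly what the account holds, so a permission error in the Studio wizard can be traced to a skipped privilege or a missing Propagate before anything is re-created.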

    Figure 40 shows the service account logged in to the VMware Horizon 7 Administrator Console.

    Figure 40

    Up next: Install Citrix XenServer 8.0

    About Carl Webster

    Webster is a Sr. Solutions Architect for Choice Solutions, LLC and specializes in Citrix, Active Directory and Technical Documentation. Webster has been working with Citrix products for many years starting with Multi-User OS/2 in 1990.


    One Response to “08 Building Webster’s Lab – Additional vCenter Configuration”

    1. Ram Prasad Says:

  Excellent information, very useful. Thank you very much Carl.

