• 17 Building Webster’s Lab V2 – Additional vCenter Configuration

    [Updated 29-Aug-2021]

    Before getting to work adding Citrix Virtual Apps and Desktops (CVAD), and VMware Horizon to the lab, there are a few additional items on the vCenter to-do list.

    1. Join vCenter to the lab’s Active Directory (AD) domain
    2. Add the lab’s AD to the SSO
    3. Create a Citrix related service account with minimum vCenter permissions for the hosting connection in Citrix Studio and with Citrix App Layering
    4. Create a VMware related service account with minimum vCenter permissions for VMware Horizon
    5. Create a Read-only account for use with monitoring software, like ControlUp and Goliath Technologies

    Log in to vCenter.

    Active Directory

    From the Menu dropdown, select Administration, as shown in Figure 1.

    Figure 1
    Figure 1

    Click Configuration, Active Directory Domain, and click Join AD, as shown in Figure 2.

    Figure 2
    Figure 2

    Enter the Domain, a Username, a Password, and click JOIN, as shown in Figure 3.

    If you want the vCenter computer account in a specific Organizational Unit (OU), as I do, enter the Organization Unit.

    Figure 3
    Figure 3

    The vCenter appliance is now a domain member but needs a restart.

    From the Menu dropdown, select VMs and Templates, as shown in Figure 4.

    Figure 4
    Figure 4

    Expand the cluster, right-click the vCenter VM, click Power, and click Restart Guest OS, as shown in Figure 5.

    Figure 5
    Figure 5

    Click Yes to confirm the restart, as shown in Figure 6.

    Figure 6
    Figure 6

    Wait about 10 minutes before trying to log in to vCenter.

    If you specified an OU to place the vCenter computer account while waiting for the vCenter appliance to restart, go to one of the domain controllers and open the Active Directory Users and Computers console. Browse to the OU specified and verify the vCenter computer account exists, as shown in Figure 7.

    Figure 7
    Figure 7

    At this point, you must use the administrator vCenter account to log in. Even though we joined vCenter to the AD domain, the AD domain isn’t a Single Sign-On domain yet.

    Once logged on to vCenter, go back to Administration/Single Sign On/Configuration, as shown in Figure 8.

    Figure 8
    Figure 8

    Click Identity Sources and click ADD IDENTITY SOURCE, as shown in Figure 9.

    Figure 9
    Figure 9

    Select Active Directory (Windows Integrated Authentication) from the Identity source type dropdown. If it is not already populated, enter the Domain name, select Use machine account, and click ADD, as shown in Figure 10.

    Figure 10
    Figure 10

    The AD domain now shows as an Identity Source, as shown in Figure 11.

    Figure 11
    Figure 11

    We are not yet ready to log in to vCenter with AD credentials. First, we must add users and groups from the AD domain to a vCenter security role.

    Click Global Permissions, as shown in Figure 12.

    Figure 12
    Figure 12

    Click + (Plus sign) as shown in Figure 13.

    Figure 13
    Figure 13

    Select the AD domain name from the Domain dropdown, type Domain Admins in the User/Group field, for Role, select Administrator, select Propagate to children, and click OK, as shown in Figure 14.

    Figure 14
    Figure 14

    Now we can log in to vCenter with an AD domain account.

    Log off vCenter and log in with an AD domain account granted permission, as shown in Figures 15 and 16.

    Figure 15
    Figure 15
    Figure 16
    Figure 16

    Figure 17 shows a successful login with AD domain credentials.

    Figure 17
    Figure 17

    Next, we need permissions for service accounts for Citrix Virtual Apps and Desktops (CVAD) and VMware Horizon. First up, CVAD.

    Citrix Virtual Apps and Desktops and App Layering vCenter Permissions

    I need a vCenter account for my lab to use with both the CVAD Hosting Connection in Citrix Studio and Citrix App Layering.

    Citrix details the required permissions at  CVAD VMware virtualization environments and Citrix App Layering VMware vSphere.

    To save time, here are the combined permissions with all the duplicates removed. I put an “(AL)” by the permissions that apply only to Citrix App Layering. If you do not use App Layering, you can safely ignore those permissions. I took these permissions from the CVAD 2103 and App Layering 2104 documentation. I also fixed the names of the permissions that Citrix has wrong in their documentation.

    Table 1 vCenter Permissions for CVAD and App Layering

    Datastore > Allocate space
    Datastore > Browse datastore
    Datastore > Low level file operations
    Folder > Create folder (AL)
    Global > Cancel task (AL)
    Global > Manage custom attributes
    Global > Set custom attribute
    Network > Assign network
    Resource > Assign virtual machine to resource pool
    vApp > Export (AL)
    vApp > Import (AL)
    Virtual machine > Configuration > Add existing disk
    Virtual machine > Configuration > Add new disk
    Virtual machine > Configuration > Add or remove device
    Virtual machine > Configuration > Advanced Configuration
    Virtual machine > Configuration > Change CPU Count
    Virtual machine > Configuration > Change Memory
    Virtual machine > Configuration > Change resource (AL)
    Virtual machine > Configuration > Change Settings
    Virtual machine > Configuration > Modify Device Settings (AL)
    Virtual machine > Configuration > Remove disk
    Virtual machine > Configuration > Rename (AL)
    Virtual machine > Configuration > Set annotation (AL)
    Virtual machine > Configuration > Upgrade virtual machine compatibility (AL)
    Virtual machine > Edit Inventory > Create from existing
    Virtual machine > Edit Inventory > Create new
    Virtual machine > Edit Inventory > Remove
    Virtual machine > Interaction > Configure CD media (AL)
    Virtual machine > Interaction > Connect devices (AL)
    Virtual machine > Interaction > Console interaction (AL)
    Virtual machine > Interaction > Install VMware Tools (AL)
    Virtual machine > Interaction > Power Off
    Virtual machine > Interaction > Power On
    Virtual machine > Interaction > Reset
    Virtual machine > Interaction > Suspend
    Virtual machine > Provisioning > Clone template
    Virtual machine > Provisioning > Clone virtual machine
    Virtual machine > Provisioning > Deploy template
    Virtual machine > Snapshot management > Create snapshot

    We created the svc_CtxVMware account previously.

    In the vCenter console, go to Menu -> Administration, as shown in Figure 18.

    Figure 18
    Figure 18

    Expand Access Control, click Roles, and click the + (Plus sign), as shown in Figure 19.

    Figure 19
    Figure 19

    The hard part is going through all the settings in Table 1 and selecting the required permissions, as shown in Figure 20.

    Hey VMware, it would be nice if this dialog box were resizable.

    Figure 20
    Figure 20

    Continue selecting the required permissions. When all permissions are selected, click Next, as shown in Figure 21.

    Figure 21
    Figure 21

    Enter a Role name and an optional Description, click Finish, as shown in Figure 22.

    Figure 22
    Figure 22

    Click Global Permissions and click the + (Plus sign), as shown in Figure 23.

    Figure 23
    Figure 23

    Select your AD domain in the Domain dropdown, then enter the service account name, select the just created Role, you must select Propagate to children, and click OK, as shown in Figure 24.

    Figure 24
    Figure 24

    If you are following this article series, there is no CVAD infrastructure to test the account.

    VMware Horizon vCenter Permissions

    VMware lists their required permissions for Horizon 8 2106 at Privileges Required for the vCenter Server User.

    Figures 25 and 26 show the required permissions for the VMware Horizon 8 2106 service account.

    Hey VMware, it would be better to list the Privilege Group on vCenter Server and Privileges to Enable in the same order they appear in the vCenter New Role wizard.

    Figure 25
    Figure 25
    Figure 26
    Figure 26

    Table 2 vCenter Permissions for Horizon – Ordered List

    Datastore/Allocate space
    Datastore/Browse datastore
    Folder/Create folder
    Folder/Delete folder
    Global/Act as vCenter Server
    Global/Disable methods
    Global/Enable methods
    Global/Manage custom attributes
    Global/Set custom attribute
    Host/Configuration/Advanced settings
    Host/Inventory/Modify cluster
    Network/Assign network
    Resource/Assign virtual machine to resource pool
    Resource/Migrate powered off virtual machine
    Resource/Migrate powered on virtual machine
    Virtual machine/Change Configuration/Add or remove device
    Virtual machine/Change Configuration/Advanced configuration
    Virtual machine/Change Configuration/Change CPU count
    Virtual machine/Change Configuration/Change Memory
    Virtual machine/Change Configuration/Change resource
    Virtual machine/Change Configuration/Change Settings
    Virtual machine/Change Configuration/Configure Host USB device
    Virtual machine/Change Configuration/Configure managedBy
    Virtual machine/Change Configuration/Configure Raw device
    Virtual machine/Change Configuration/Display connection settings
    Virtual machine/Change Configuration/Extend virtual disk
    Virtual machine/Change Configuration/Modify device settings
    Virtual machine/Change Configuration/Query Fault Tolerance compatibility
    Virtual machine/Change Configuration/Query unowned files
    Virtual machine/Change Configuration/Reload from path
    Virtual machine/Change Configuration/Remove disk
    Virtual machine/Change Configuration/Rename
    Virtual machine/Change Configuration/Reset guest information
    Virtual machine/Change Configuration/Set annotation
    Virtual machine/Change Configuration/Toggle disk change tracking
    Virtual machine/Change Configuration/Toggle fork parent
    Virtual machine/Change Configuration/Upgrade virtual machine compatibility
    Virtual machine/Edit Inventory/Move
    Virtual machine/Edit Inventory/Register
    Virtual machine/Edit Inventory/Unregister
    Virtual machine/Interaction/Connect devices
    Virtual machine/Interaction/Perform wipe or shrink operations
    Virtual machine/Interaction/Power off
    Virtual machine/Interaction/Power on
    Virtual machine/Interaction/Reset
    Virtual machine/Interaction/Suspend
    Virtual machine/Provisioning/Allow disk access
    Virtual machine/Provisioning/Clone template
    Virtual machine/Provisioning/Clone virtual machine
    Virtual machine/Provisioning/Customize guest
    Virtual machine/Provisioning/Deploy template
    Virtual machine/Provisioning/Read customization specifications
    Virtual machine/Snapshot management/Create snapshot
    Virtual machine/Snapshot management/Remove snapshot
    Virtual machine/Snapshot management/Rename snapshot
    Virtual machine/Snapshot management/Revert to snapshot

    We created the svc_VMwareHorizon AD account previously.

    Expand Access Control, click Roles, and click the + (Plus sign), as shown in Figure 27.

    Figure 27
    Figure 27

    The hard part is going through all the settings and selecting the required permissions, as shown in Figure 28.

    Figure 28
    Figure 28

    Continue selecting the required permissions. When all permissions are selected, click Next, as shown in Figure 29.

    Figure 29
    Figure 29

    Enter a Role name and an optional Description, click Finish, as shown in Figure 30.

    Figure 30
    Figure 30

    Click Global Permissions and click the + (Plus sign), as shown in Figure 31.

    Figure 31
    Figure 31

    Select your AD domain in the Domain dropdown, enter the service account name, select the just created Role, select Propagate to children, and click OK, as shown in Figure 32.

    Figure 32
    Figure 32

    If you are following this article series, there is no Horizon infrastructure to test the account.

    Leave the vCenter console open to Global Permissions.

    Create a Read-only Account

    In my lab, I use monitoring software from vendors like ControlUp and Goliath Technologies. To provide for Least Privilege Access, use a Read-only account.

    First, we need to create an AD service account to assign the vCenter Read-only Role.

    On the first DC, open an elevated PowerShell session.

    Copy and paste the following into the elevated PowerShell session and press Enter, as shown in Figure 33.

    Remember to set the values you need.

    Note: Lines may wrap

    #Create the service account svc_VMwareReadOnly for Read-only vCenter permissions
    
    $ADDomain = "LabADDomain"
    $TLD = "com"
    $Protect = $False
    
    $UserPwd = Read-Host -AsSecureString -Prompt "Enter password"
    
    New-ADUser -AccountPassword $UserPwd `
    -CannotChangePassword $True `
    -ChangePasswordAtLogon $False `
    -Description "DO NOT CHANGE THE PASSWORD OR DELETE/DISABLE ACCOUNT" `
    -DisplayName "svc_VMwareReadOnly" `
    -Enabled $True `
    -GivenName "svc_VMwareReadOnly" `
    -Name "svc_VMwareReadOnly" `
    -PasswordNeverExpires $True `
    -PasswordNotRequired $False `
    -Path "OU=Service,OU=Accounts,OU=Lab,DC=$ADDomain,DC=$TLD" `
    -SamAccountName "svc_VMwareReadOnly" `
    -UserPrincipalName "svc_VMwareReadOnly@LabADDomain.com"
    
    Figure 33
    Figure 33

    In Global Permissions, click the “+“, as shown in Figure 34.

    Figure 34
    Figure 34

    Change the Domain to the AD domain, select the new Read-only account for User/Group, select the Read-only Role, select Propagate to children, and click OK, as shown in Figure 35.

    Figure 35
    Figure 35

    The new Read-only account is added to the list, as shown in Figure 36.

    Figure 36
    Figure 36

    Next up: Additional XenCenter Configuration

    Landing page for the article series







    About Carl Webster

    Carl Webster is an independent consultant specializing in Citrix, Active Directory, and technical documentation. Carl (aka “Webster”) serves the broader Citrix community by writing articles (see CarlWebster.com) and by being the most active person in the Citrix Zone on Experts Exchange. Webster has a long history in the IT industry beginning with mainframes in 1977, PCs and application development in 1986, and network engineering in 2001. He has worked with Citrix products since 1990 with the premiere of their first product – the MULTIUSER OS/2.

    View all posts by Carl Webster

    No comments yet.

    Leave a Reply