[Detailed Guide] VMware vSphere Integrated Windows Authentication
You may have noticed that support for IWA continues to be available in vSphere 7.0 and will be phased out in future releases. Don’t worry, let's take a look at how to configure IWA for vSphere.
What is Integrated Windows Authentication?
Integrated Windows Authentication (IWA) is a method of authentication that is used in Microsoft Windows operating systems. It allows you to authenticate to network resources, such as web applications or file shares, using your Windows credentials without the need to enter your username and password explicitly. When you access a resource that requires authentication, IWA uses your logged-in Windows session to authenticate you automatically.
In addition, it offers benefits like a seamless login experience, centralized user management, improved security, enhanced compliance, increased productivity, etc.
It's worth noting that IWA is primarily designed for Windows-based environments and works best when both the client and server are part of the same Windows domain. However, with the right configuration and support, it is possible to use IWA across different platforms and with non-Windows clients.
How to set up vSphere 7 Integrated Windows Authentication
Prerequisites:
✔ Install the Windows Authentication server feature on the application server in order to enable IWA.
✔ Set the type of security to use for your license server site to use IWA in vSphere 7.
Next, I will demonstrate how to enable vSphere 7 Integrated Windows Authentication.
Step 1. Select a site in the tree view, and click Tools >> Enable Integrated Windows Authentication.
Step 2. Set the application pool identity to a domain user or a local user.
Note: This user will be added to the SPFUsers group so that it will have permission to run the SDx Server application pools.
Of course, in addition to the above method, you can also choose to set up Integrated Windows Authentication manually. You need to perform the following actions on your SDx Server virtual directory in IIS:
Step 1. Manually set the application pool identity to a domain user or local user in the SPFUsers group.
Step 2. Set the following settings to IWA Enabled (all others disabled):
- Anonymous Authentication setting
- ServerRequest.asmx setting
- Ping.html setting
- SPFBaseService.asmx setting
- SPFGeneralService.asmx setting
- SPFService.asmx setting
Step 3. Set NTLM as the top provider in Windows Authentication.
Note: If you are using the Intergraph Authorization Server (which was discontinued as of Update 23), you must also edit the Authentication web.config file and set the Enable Cookie Authentication setting to False. This does not need to be performed if you are using any other authorization server.
How to migrate from vSphere 7 Integrated Windows Authentication
Once the account has been created and it has been verified that LDAPS is functioning, we may begin configuring AD via LDAP in vCenter. We must first remove the existing IWA identity source, because adding the LDAPS source under the same domain name as the IWA source will result in an error.
Step 1. Log in to vCenter Web Client >> Menu >> Administration >> Single Sign-On >> Configuration. In Identity Sources, select IWA and click Remove. When the confirmation message appears, click OK.
Step 2. Click ADD in the Identity source page and select Active Directory over LDAP.
Step 3. Enter the required details of Identity Source.
Step 4. If your certificates are issued by an internal certificate authority, select the CA cert for LDAPS, as this should trust any cert issued by the CA on your domain controllers.
Step 5. Click ADD to complete the AD over LDAP identity source.
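The migration depends on LDAPS working and on the CA certificate chosen in Step 4 actually covering your domain controllers, so it is worth checking both before the IWA source is removed. The Python below is an added example, not part of the original guide or of VMware's tooling; the domain controller names and the CA file path are hypothetical placeholders.

```python
import socket
import ssl
from datetime import datetime, timezone


def _flatten(rdns):
    """Turn getpeercert()'s nested subject/issuer tuples into a dict."""
    return {key: value for rdn in rdns for key, value in rdn}


def summarize_cert(cert, now=None):
    """Reduce an ssl.getpeercert() dict to the fields worth reviewing."""
    now = now or datetime.now(timezone.utc)
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    return {
        "subject_cn": _flatten(cert.get("subject", ())).get("commonName"),
        "issuer_cn": _flatten(cert.get("issuer", ())).get("commonName"),
        "dns_names": [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"],
        "days_left": (expires - now).days,
    }


def check_ldaps(host, ca_file, port=636, timeout=5):
    """Do a TLS handshake with a domain controller, trusting only ca_file."""
    try:
        # Passing cafile= means the system trust store is NOT loaded:
        # the chain must end at the CA you intend to upload to vCenter.
        ctx = ssl.create_default_context(cafile=ca_file)
        with socket.create_connection((host, port), timeout=timeout) as raw:
            # server_hostname turns on SNI and host name verification.
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                result = summarize_cert(tls.getpeercert())
                result.update(ok=True, tls_version=tls.version())
                return result
    except (ssl.SSLError, OSError) as exc:
        # Untrusted chain, name mismatch, expired cert, closed port, bad CA path.
        return {"ok": False, "error": f"{type(exc).__name__}: {exc}"}


if __name__ == "__main__":
    # Hypothetical DC names and CA file (assumptions, not from the guide).
    for dc in ("dc01.corp.example", "dc02.corp.example"):
        print(dc, check_ldaps(dc, "internal-root-ca.pem"))
```

A result with ok set to False for any domain controller means the LDAPS identity source would fail against that server with the same CA certificate, so resolve it before removing IWA.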
Exploring vSphere’s backup solutions with ease
As organizations increasingly rely on virtualization technologies like vSphere with Integrated Windows Authentication to streamline their IT infrastructure, it becomes crucial to consider data backup strategies to ensure the protection and availability of critical information.
While vSphere offers robust management capabilities, including high availability and fault tolerance, data backup serves as an essential layer of defense against potential data loss or system failures. By implementing a reliable data backup solution, organizations can safeguard their virtualized environments, enabling quick recovery and minimizing downtime in the event of unexpected disruptions.
The vSphere backup software AOMEI Cyber Backup safeguards your virtual environment and enables you to back up multiple VMs, whether managed by vCenter Server or on a standalone ESXi host. In addition, it offers you the following benefits:
✦ Agentless Backup: Create complete and independent image-level backup for VMware ESXi and Hyper-V VMs.
✦ Flexible vSphere Backup: Batch backup large numbers of VMs managed by vCenter Server, or multiple VMs on a standalone ESXi host.
✦ Multiple Storage Destinations: Back up to a local drive, or to network destinations like Windows Share or NAS.
✦ Automated Execution: Create backup schedules to automate backups daily, weekly, and monthly.
✦ Role Assignment: Allows one administrator to create sub-accounts with limited privileges.
AOMEI Cyber Backup supports VMware ESXi 6.0 and later versions. Next, I will show you how to perform vSphere VM backup and restore via AOMEI Cyber Backup. A 30-day free trial is available for download.
*You can choose to install this VM backup software on either Windows or Linux system.
Steps to perform vSphere backup and restore with AOMEI Cyber Backup
Step 1. Bind Devices: Access the AOMEI Cyber Backup web client, navigate to Source Device >> VMware >> + Add VMware Device to add a vCenter or standalone ESXi host. Then click … >> Confirm.
Step 2. Create Backup Task: Navigate to Backup Task >> + Create New Task, and select VMware ESXi Backup as the Backup Type. Set the Task Name, Device, Target, Schedule and Cleanup as needed.
- Task Name: Change the task name or use the default name with an ordinal.
- Device: Batch backup multiple VMs on vCenter or standalone host within one backup task.
- Target: Select to back up to a local path, or to a network path like NAS.
- Schedule (optional): Perform full, differential, or incremental backup, and automate execution according to the frequency you specified.
- Cleanup (optional): Automatically delete the old backup copies that exceed the retention period you specified.
Step 3. Run Backup: Now you can click Start Backup and select Add the schedule and start backup now, or Add the schedule only.
Step 4. Start Restore: Choose to Restore to original location or Restore to new location to create a new VM in the same or another datastore/host directly from the backup, saving the trouble of re-configuring the new VM.
Conclusion
The changes to vSphere 7 Integrated Windows Authentication can simplify the authentication experience, enhance integration with Active Directory, and improve security protocols.
It is vital to emphasize the importance of backing up vSphere VMs and to provide valuable best practices for Integrated Windows Authentication (IWA) in vSphere 7.