The more I work with Nutanix the more I learn and like about the product. There have been a few things that have been on my to do list lately and a few ideas spawned from customers. So I will be writing up some articles about these topics and enable AD authentication is the first one.
In this post I will walkthrough the steps needed to enable AD as a source for authentication. You will still be able to use local accounts if you wish.
Configure AD source
The first step here is to create a link to the AD domain that we wish to use for authentication. Use the settings icon in the upper right of the Prism interface for Nutanix. Find and click on the Authentication choice as shown below.
This will open a new window that will allow you to configure a new directory source. As shown in the image below click the button to configure the details for your AD domain.
On the first line you will input a friendly name for the domain, this did not seem to allow spaces. The second line is the actual domain name. The third line is the URL for the directory and needs to be in the format shown below. I used an IP address to keep things simple in the lab. The fourth line will allow you to choose the type of directory, currently it only support AD.
Once you have input the AD details and saved them you will be taken back to the following screen with a sample shown below. It should now list summary information about the AD domains configured for Prism. In my tests I configured two different domains.
The idea of role mapping is to select an individual AD entry or group and assign them a level of access in Prism. You get this started from the settings menu again, by selecting Role Mapping shown below.
A new pop-up window will open shown below. Click on the new mapping choice to get started.
From here the first line you will choose which AD domain you will be using for this role mapping. The second choice you must choose what you will be mapping to, the options are AD Group, AD OU or a user. The third choice is what role in Prism will you be assigning the mapping. In the values field you will need to input the name of the AD item you will be mapping to. I choose group so I need to input the AD group name.
Note: It will accept inputs that are not correct, meaning it does not seem to validate them. I input the group name in all lowercase, this did not work but was accepted. I came back later and changed to reflect capital letters as shown in AD and it worked right away.
After entering and saving your new mapping the screen below shows the new entry. You can add more mappings, edit or delete an existing mapping from here also.
The image below just shows the proper group name after I came back and updated.
Next it was time to try and authenticate to Prism. So I attempted to login using the different methods of entering a user name. It does work with the email@example.com string, but did not like the domain_name\user.name option.
And once logged in, the upper right corner of Prism shows the authenticated user. It was now showing my username.
Overall the process was pretty simple for setting this up. I had it working in about 15 minutes.