Configure Active Directory authentication for Nutanix Prism

Posted by on January 26, 2015 in Storage | 4 comments

The more I work with Nutanix, the more I learn about and like the product. A few things have been on my to-do list lately, and a few ideas were spawned by customers, so I will be writing up some articles about these topics; enabling AD authentication is the first one.

In this post I will walk through the steps needed to enable AD as a source for authentication. You will still be able to use local accounts if you wish.

Configure AD source

The first step is to create a link to the AD domain we wish to use for authentication. Use the settings icon in the upper right of the Nutanix Prism interface, then find and click the Authentication option as shown below.

[Image: nutanix-ad01]

This opens a new window where you can configure a new directory source. As shown in the image below, click the button to configure the details for your AD domain.

[Image: nutanix-ad02]

On the first line you input a friendly name for the domain; this did not seem to allow spaces. The second line is the actual domain name. The third line is the URL for the directory and needs to be in the format shown below. I used an IP address to keep things simple in the lab. The fourth line lets you choose the type of directory; currently it only supports AD.

[Image: nutanix-ad03]

Once you have entered the AD details and saved them, you are taken back to the screen shown below, which now lists summary information about the AD domains configured for Prism. In my tests I configured two different domains.

[Image: nutanix-ad04]

Role Mapping

The idea of role mapping is to select an individual AD entry or group and assign it a level of access in Prism. Start this from the settings menu again by selecting Role Mapping, shown below.

[Image: nutanix-ad20]

A new pop-up window will open, shown below. Click on the new mapping option to get started.

[Image: nutanix-ad21]

On the first line you choose which AD domain to use for this role mapping. For the second you choose what you will be mapping: the options are AD Group, AD OU, or a user. The third is the Prism role you will assign to the mapping. In the values field you input the name of the AD item you are mapping to. I chose group, so I needed to input the AD group name.

Note: it will accept inputs that are not correct, meaning it does not seem to validate them. I input the group name in all lowercase; this did not work but was accepted. I came back later and changed it to match the capital letters shown in AD, and it worked right away.

[Image: nutanix-ad22]

After entering and saving your new mapping, the screen below shows the new entry. From here you can also add more mappings or edit or delete an existing mapping.

[Image: nutanix-ad23]

The image below just shows the proper group name after I came back and updated it.

[Image: nutanix-ad24]

Next it was time to try to authenticate to Prism, so I attempted to log in using the different formats for entering a user name. It works with the username@domain.name string but did not like the domain_name\user.name option.

[Image: nutanix-ad25]

Once logged in, the upper right corner of Prism shows the authenticated user; it was now showing my username.

[Image: nutanix-ad26]

Overall the process was pretty simple for setting this up. I had it working in about 15 minutes.
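Since Prism saves whatever is typed into the directory and role-mapping forms without checking it against AD, a small preflight script that applies the three rules found above (no spaces in the friendly directory name, a case-exact group name, and the user@domain login format) catches the mistakes before they are saved. This is an added example, not Nutanix code; the directory snapshot and the NetBIOS-to-DNS map are constructed test data standing in for a real directory lookup, and the login normalisation is an assumed convenience that rewrites the DOMAIN\user form into the user@domain form that worked in the post.

```python
"""Preflight checks for the Prism AD settings described in the post.

Added example; not Nutanix code. DIRECTORY_GROUPS and NETBIOS_TO_DNS are
constructed test data standing in for a real directory query.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed: group names exactly as they are spelled in each directory.
DIRECTORY_GROUPS = {
    "lab.local": {"Prism-Admins", "Prism-Viewers", "Domain Users"},
    "corp.example": {"NTNX_Cluster_Admins"},
}

# Constructed: down-level (NetBIOS) domain name -> DNS domain name.
NETBIOS_TO_DNS = {"LAB": "lab.local", "CORP": "corp.example"}


@dataclass
class RoleMapping:
    directory_name: str  # friendly name given to the AD source in Prism
    domain: str          # DNS name of the AD domain
    value: str           # AD group name exactly as typed in the values field


def check_directory_name(name: str) -> List[str]:
    """The post (and a commenter) found that the friendly name rejects spaces."""
    problems = []
    if not name:
        problems.append("directory name is empty")
    elif " " in name:
        problems.append(f"directory name {name!r} contains a space")
    return problems


def check_group_value(domain: str, value: str) -> List[str]:
    """Prism accepts any value without validating it. The post found a
    lowercase group name was accepted but never matched, so require an exact,
    case-sensitive match and point out a case-only mismatch explicitly."""
    groups = DIRECTORY_GROUPS.get(domain)
    if groups is None:
        return [f"domain {domain!r} is not a configured directory"]
    if value in groups:
        return []
    by_lower = {g.lower(): g for g in groups}
    match = by_lower.get(value.lower())
    if match is not None:
        return [f"group {value!r} not found; did you mean {match!r}? (case matters)"]
    return [f"group {value!r} not found in {domain}"]


def normalize_login(login: str) -> Optional[str]:
    """Return the user@domain form (the one that worked in the post).
    DOMAIN\\user is rewritten via the NetBIOS map; anything else is rejected."""
    if "@" in login:
        user, _, domain = login.partition("@")
        return f"{user}@{domain}" if user and domain else None
    if "\\" in login:
        netbios, _, user = login.partition("\\")
        dns = NETBIOS_TO_DNS.get(netbios.upper())
        return f"{user}@{dns}" if user and dns else None
    return None


def validate_mapping(mapping: RoleMapping) -> List[str]:
    """All problems with one mapping; an empty list means it is safe to save."""
    return (check_directory_name(mapping.directory_name)
            + check_group_value(mapping.domain, mapping.value))


if __name__ == "__main__":
    # The situation from the post: lowercase group name accepted but never matched.
    bad = RoleMapping("lab", "lab.local", "prism-admins")
    for problem in validate_mapping(bad):
        print("problem:", problem)
    good = RoleMapping("lab", "lab.local", "Prism-Admins")
    print("ok" if not validate_mapping(good) else "not ok")
    print(normalize_login("LAB\\brian"))
```

Run it before saving a mapping; a non-empty problem list means the entry would be accepted by Prism but would never grant access, which is exactly the silent failure the note above describes. In a real environment the two constructed dictionaries would be replaced by a lookup against the domain controller.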

About Brian Suhr

Brian is a VCDX5-DCV and a Sr. Tech Marketing Engineer at Nutanix and owner of this website. He is active in the VMware community and helps lead the Chicago VMUG group, specializing in VDI and cloud project designs. He was awarded VMware vExpert status for 6 years, 2011 - 2016. VCP3, VCP5, VCP5-Iaas, VCP-Cloud, VCAP-DTD, VCAP5-DCD, VCAP5-DCA, VCA-DT, VCP5-DT, Cisco UCS Design

4 Comments

  1. Good stuff Brian. I have enabled AD auth on a recent deployment and have found that the more AD groups a user is a member of, the longer authentication takes when logging on. I have seen logon times take up to a minute. I have reported my testing methodology and findings to Nutanix as a bug.

  2. Additional note: in NOS 4.1.1, when you type @ in the login box, it will prompt with a list of configured domain names, making it real easy to log in with a long FQDN.

  3. Brian – As always, your feedback is greatly appreciated and will be taken into consideration in future SW releases.

    Jarian – Stemming from my previous comment, Nutanix took your feedback and fixed this issue in 4.1.1.3 and 4.1.2

  4. BTW, the name cannot have a space.
